|
|
|
|
| Virus Encyclopedia |  |
Riskware | |
Alerts | |
Analysis | |
News | |
Glossary | |
Weblog |
 |
| ||||||
|
| ||||||
|
| ||||||
| ||||||||
Home / Viruses / Virus Encyclopedia / Malware Descriptions / Network Worms / P2P Worms
P2P-Worm.Win32.Benjamin.a
This worm uses the Kazaa file exchange P2P network to spread itself. The Kazaa network allows its users to exchange files with each other using the Kazaa client software. To learn more about the Kazaa network visit their site at: http://www.kazaa.com. Benjamin is written in Borland Delphi and is approximately 216 Kb in size - it is compressed by the AsPack utility. The size of a file can vary greatly as the worm ends each file with "dust" for masking.
InstallationFirstly the worm shows a false error report:
Benjamin then copies itself to the %WinDir%\SYSTEM directory as EXPLORER.SCR and creates two keys in the system registry: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR" [HKEY_LOCAL_MACHINE\Software\Microsoft] "syscod"="0065D7DB20008306B6A1" The worm executes after system restarts. SpreadingSpreading can most likely only take place if the KaZaa P2P client (software) is installed. Benjamin reads the system registry for information on the Kasaa client and creates the %WinDir%\Temp\Sys32 directory catalog that registers as the directory accessible to all KaZaa network users. It fills this directory with copies of itself listed under numerous various names from a list contained in the body of the worm. Spreading occurs as follows. A "victim" searching for a file in the KaZaa network finds it in the list of accessible files on already infected machine. Not suspecting a problem the user downloads this file and opens it, thus infecting his or her own machine. EffectsThe worm opens the benjamin.xww.de Web-site to display an advertisement. | ||||||||
Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
Email: webmaster@viruslist.com
