‘Benjamin’ Worm Plagues KaZaA

A new worm wriggling around the Internet is quickly spread among KaZaA file sharing networks, anti-virus experts warned Monday. This as the rogue file-sharing network is beginning its new life as a legitimate business player.

Known as ‘Benjamin,’ the virus masquerades as popular music, video and software files to make it more likely users will download it.

The European P2P player recently launched its Altnet subscription service, with help form its Brilliant Digital Entertainment partner. The idea is to bridge a gap between its reputation as a pirate file-sharing site and a reputable service provider.

Unlike many earlier forms of malware, anti-virus experts said ‘Benjamin’ may have been written with a commercial motivation, potentially garnering money for unwitting advertisers on a derelict website.

The virus was discovered on Saturday, May 18 by various anti-virus experts including Santa Clara, Calif.-based Network Associates’ Anti-Virus Emergency Response Team (AVERT) and F-Secure, which is based in Helsinki, Finland with U.S. offices in San Jose, Calif. By Monday, a typical search in KaZaA network resulted in 20-30 infected files being offered for download, increasing the likelihood of spreading infections.

When the worm’s file is started, it shows a fake error message:


Access error #03A:94574: Invalid pointer operation

File possibly corrupted.

To spread, the worm requires that the KaZaA software is installed on the machine. It creates a directory called %WINDIR%TEMPSYS32, and changes the KaZaA settings so that remote users can download from this directory. Then it copies itself to that directory under many different names, which other users may search for.

The size of these files can vary since the worm pads them with garbage bytes. This method of spreading is comparable to the VBS/GWV worm.

Under its new categorization hierarchy, AVERT listed the worm as a Low-Profiled, F-Secure also placed the virus on the low end of the risk ladder.

After this the worm creates hundreds of files to the users’ hard drive, and shares them with other Kazaa users. These files are actually copies of the virus itself, but they have been named to fool people into downloading them.

Examples include:

  • “Deepest Purple-The Very Best of Deep Purple – Smoke on the Water”
  • “A Beautiful Mind”
  • “Metallica – Until it sleeps”
  • “Johann Sebastian Bach – Brandenburg Concerto No 4”
  • “South Park Vol.3-divx-full-downloader”
  • “star wars Episode 1-divx-full-downloader”
  • “F1 Racing Championship-Games-full-downloader”
  • “Chessmaster 8000-Games-full-downloader”

The total list of filenames contains more than 2,000 entries.

In a departure from many other viruses and worms, ‘Benjamin’ may have had a commercial motivation.

“Apparently the worm was written to make money,” said F-Secure anti-virus research manager Mikko Hypponen. “The worm opens a Web page named “benjamin.xww.de” which contained advertisements. “Now the page has been taken down, but if the virus author got money based on ad views, he might have created some cash flow here.”

‘Benjamin’ uses KaZaA peer-to-peer networking to spread. Much like Napster, KaZaA allows its participants to exchange files with each other, using dedicated Windows-based software. KaZaA typically has more than one million users online at the same time, exchanging media files with each other.

News Around the Web