"Benjamin" Worm Plagues KaZaA

A new worm is quickly spreading among KaZaA file sharing networks, anti-virus experts warned Monday, just as the rogue file-sharing network is beginning a new life as a legitimate business.

by Michael Singer of siliconvalley.internet.com [May 21, 2002]

Known as 'Benjamin,' the virus masquerades as popular music, video, and software files to make it more likely users will download it.

The European P2P player recently launched its Altnet subscription service, with help form its Brilliant Digital Entertainment partner. The idea is to bridge a gap between its reputation as a pirate file-sharing site and a reputable service provider.

Unlike many earlier forms of malware, anti-virus experts said 'Benjamin' may have been written with a commercial motivation, potentially garnering money for unwitting advertisers on a derelict website.

The virus was discovered on Saturday, May 18 by various anti-virus experts including Network Associates' Anti-Virus Emergency Response Team (AVERT) and F-Secure. By Monday, a typical search in KaZaA network resulted in 20-30 infected files being offered for download, increasing the likelihood of spreading infections.

When the worm's file is started, it shows a fake error message:

Error
Access error #03A:94574: Invalid pointer operation
File possibly corrupted.

To spread, the worm requires that the KaZaA software is installed on the machine. It creates a directory called %WINDIR%\TEMP\SYS32, and changes the KaZaA settings so that remote users can download from this directory. Then it copies itself to that directory under many different names, which other users may search for.

The size of these files can vary since the worm pads them with garbage bytes. This method of spreading is comparable to the VBS/GWV worm.

Under its new categorization hierarchy, AVERT listed the worm a Low-Profiled, and F-Secure also placed the virus on the low end of the risk ladder.

After this the worm writes hundreds of files to the user's hard drive, and shares them with other Kazaa users. These files are actually copies of the virus itself, but they have been named to fool people into downloading them.

Examples include:

• "Deepest Purple-The Very Best of Deep Purple - Smoke on the Water"
• "A Beautiful Mind"
• "Metallica - Until it sleeps"
• "Johann Sebastian Bach - Brandenburg Concerto No 4"
• "South Park Vol.3-divx-full-downloader"
• "star wars Episode 1-divx-full-downloader"
• "F1 Racing Championship-Games-full-downloader"
• "Chessmaster 8000-Games-full-downloader"

The total list of filenames contains more than 2,000 entries.

In a departure from many other viruses and worms, 'Benjamin' may have had a commercial motivation.

"Apparently the worm was written to make money," said F-Secure anti-virus research manager Mikko Hypponen. "The worm opens a Web page named "benjamin.xww.de" which contained advertisements. "Now the page has been taken down, but if the virus author got money based on ad views, he might have created some cash flow here."

'Benjamin' uses KaZaA peer-to-peer networking to spread. Much like Napster, KaZaA allows its participants to exchange files with each other, using dedicated Windows-based software. KaZaA typically has more than one million users online at the same time, exchanging media files with each other.

— End