W32/Benjamin-A is a worm that exploits the KaZaA file exchange peer-to-peer network as a means of propagation.
When first executed the worm will display a message box containing the false error message
"Access error #03A:94574: Invalid pointer operation
File possibly corrupt."
A copy of the worm will then be placed in the Windows system folder and a value named System-Service will be added to the registry at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
This entry will run the worm when Windows is started.
A twenty digit hexadecimal number will also be added as the registry entry
HKLM\Software\Microsoft\Syscod
A large number of copies of the worm will be placed in the folder C:\Windows\Temp\Sys32. This folder is registered as the location where KaZaA users have access to download files. The intention is for KaZaA users to unknowingly download the worm. To increase the chances of this occuring the copies of the worm are given names that often correspond with song, film and computer game titles.
The list of file names used by the worm includes the following :
Black & White -full-downloader
macy gray - I Stumble
metallica - stairway to heaven
acdc - money talks
Fatboy Slim - Star 69
Marilyn Manson - 13 Born again
Deepest Purple-The Very Best of Deep Purple - Space Truckin
Windows XP Home edition (eng) -full-downloader
South Park Vol.1-divx-full-downloader
Quake - Games -full-downloader
Nascar Racing 3-Games-full-downloader
FIFA Soccer 2002-installer
robbie williams - millenium
Johann_Sebastian_Bach-Brandenburg_Concerto_No
The file names end with a variable number of spaces and an extension of EXE or SCR.
The worm will attempt to display a web page from benjamin.xww.de.
The page which the worm attempts to display has been removed.