W32/Benjamin-A

Aliases	Worm.Kazaa.Benjamin
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Please read the instructions for removing worms.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and delete any reference to any file you deleted.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Benjamin-A is a worm that exploits the KaZaA file exchange peer-to-peer network as a means of propagation.

When first executed the worm will display a message box containing the false error message

"Access error #03A:94574: Invalid pointer operation File possibly corrupt."

A copy of the worm will then be placed in the Windows system folder and a value named System-Service will be added to the registry at:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This entry will run the worm when Windows is started.

A twenty digit hexadecimal number will also be added as the registry entry

HKLM\Software\Microsoft\Syscod

A large number of copies of the worm will be placed in the folder C:\Windows\Temp\Sys32. This folder is registered as the location where KaZaA users have access to download files. The intention is for KaZaA users to unknowingly download the worm. To increase the chances of this occuring the copies of the worm are given names that often correspond with song, film and computer game titles.

The list of file names used by the worm includes the following :

Black & White -full-downloader
macy gray - I Stumble
metallica - stairway to heaven
acdc - money talks
Fatboy Slim - Star 69
Marilyn Manson - 13 Born again
Deepest Purple-The Very Best of Deep Purple - Space Truckin
Windows XP Home edition (eng) -full-downloader
South Park Vol.1-divx-full-downloader
Quake - Games -full-downloader
Nascar Racing 3-Games-full-downloader
FIFA Soccer 2002-installer
robbie williams - millenium
Johann_Sebastian_Bach-Brandenburg_Concerto_No

The file names end with a variable number of spaces and an extension of EXE or SCR.

The worm will attempt to display a web page from benjamin.xww.de.
The page which the worm attempts to display has been removed.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Benjamin-A

Summary

Action

More Information