Kazaa worm virus info

vbimport

#1

Hi all.
I know it's been around a couple of days now but I thought I would post this clip from F-Secure info.

The Benjamin worm uses the Kazaa p2p (peer-to-peer) network to spread. Much like Napster, the Kazaa network allows its participants to exchange files with each other, using dedicated Windows-based software. Kazaa typically has more than one million users online at the same time, exchanging media files with each other.

Benjamin virus only works on Windows workstations which have the Kazaa program installed. When the virus is started, it shows a fake error message to the user:

Access error #03A:94574: Invalid pointer operation File possibly corrupted.

After this the worm creates hundreds of files on the user's hard drive and shares them to other Kazaa users. These files are actually copies of the worm itself, but they have been named to fool people into downloading them. Examples include:

"Deepest Purple-The Very Best of Deep Purple - Smoke on the Water"
"Metallica - Until it sleeps"
"Johann Sebastian Bach - Brandenburg Concerto No 4"
"South Park Vol.3-divx-full-downloader"
"Star wars Episode 1-divx-full-downloader"
"F1 Racing Championship-Games-full-downloader"
"Chessmaster 8000-Games-full-downloader"

The total list of filenames contains over 2000 entries. Apparently this list has been created by monitoring most popular searches being made in the Kazaa network. The size of the shared infected files varies between 200 and 800 kB. These files always have an .EXE or .SCR extension, but it has often been hidden by prepending dozens of space characters between the filename and the extension.
:confused: :confused: :eek:


#2

That sucks. I really don't see the point in spreading that worm. I don't really see the benefit of these worms for the messed up guy who created that garbage, they just break down the barrier of trust that is held between people when sharing files. The whole p2p system is based on trust, and when something like this is released, it really pisses me off.


#3

You are right, file sharing systems are based on trust; if we can’t trust each other, sharing will die. It could be a conspiracy by those RIAA goons spreading the fear to break the trust; file sharing apps like Kazaa are already fighting a battle in the court. I don’t think they will ever be able to shut down Kazaa cause it's a distributed network with no central server so nobody can control it. :wink:


#4

It is a worm made by the BSA

Only people who tend to share a LOT will get it.


#5

Only people who tend to share a LOT will get it.

Mr belvadere, that's not the case. I installed Kazaa 3 days ago and the second time I tried to download something the AVG screen popped up saying worm/benjamin detected.


#6

Worm can only install if infected file is executed. Try not to download .exe files, always check file extension and file size before you click; an mp3 should have a .mp3 extension. Be careful :rolleyes:
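
The checks described in posts #1 and #6 (executable extension, space padding in front of it, file size), as an added example that is not part of any post in this thread: a Python scan of a shared folder. The 5-space padding threshold, the function names and the sample files are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

EXECUTABLE_EXTS = {".exe", ".scr"}         # extensions named in the advisory
SIZE_RANGE = (200 * 1024, 800 * 1024)      # reported size of infected files
PADDING = re.compile(r"\s{5,}$")           # assumed threshold: 5+ spaces before the dot


def classify(name, size):
    """Return reasons a shared file looks like a disguised executable."""
    stem, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension " + ext.lower()]
    if PADDING.search(stem):
        reasons.append("extension hidden by whitespace padding")
    if SIZE_RANGE[0] <= size <= SIZE_RANGE[1]:
        reasons.append("size within 200-800 kB")
    return reasons


def scan_shared_folder(folder):
    """Map each suspicious file name in `folder` to its list of reasons."""
    sized = ((e.name, e.stat().st_size) for e in os.scandir(folder) if e.is_file())
    checked = ((name, classify(name, size)) for name, size in sized)
    return {name: reasons for name, reasons in checked if reasons}


def demo():
    """Scan a constructed folder; names and sizes are samples, not worm files."""
    samples = {
        "Metallica - Until it sleeps" + " " * 40 + ".exe": 300 * 1024,
        "Metallica - Until it sleeps.mp3": 4 * 1024 * 1024,
        "South Park Vol.3-divx-full-downloader.scr": 50 * 1024,
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, size in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.truncate(size)  # zero-filled placeholder of the given size
        return scan_shared_folder(folder)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(repr(name), "->", "; ".join(reasons))
```

Printing names with `repr` keeps the padding visible, which a file listing that truncates long names does not.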


#7

Damn viruses. I saw some of those “full downloaders” and they made me instantly suspicious and I did not download any of them.

Common sense would tell you not to execute something that you had no idea what it was.


#8

All of your problems with Kazaa will be solved by using Kazaa Lite. Kazaa Lite is a ‘modified’ version of Kazaa.
Here are some specs of Kazaa Lite.

Differences with the original kazaa

  • No Adware
  • No Spyware
  • No banners
  • No bitratelimit for mp3 files
  • No irritating websites loaded into KaZaA (when using supertrick)
  • No Brilliant Digital software included (Altnet / BDE / B3d)
  • No Bonzi Buddy
  • Set up multiple users with the included PseudoTrack tool
  • Includes a tool for accelerating downloads

To get Kazaa Lite visit http://kazaalite.com or http://k-lite.tk

Have a good one and I hope this will solve all your Kazaa problems. :bigsmile:


#9

I use kazaa lite. I can still download and run the worm. :frowning:


#10

I have downloaded 10 of those ‘Full Downloaders’ for something to do, I also was very suspicious.
6 of them were the W32.Benjamin.Worm, the other 4 were the W32.DSS.Trojan.
They seem to be limited to files smaller than 1.5 Mb and as mentioned earlier have the extensions .EXE or .SCR

Portmac


#11

Apparently the new Kazaa version is supposed to solve the whole Benjamin thing. Personally, I don't trust them and this just shows the importance of having a good AV and/or trojan scanner on your computer.


#12

Hey, the way I see it, you can't run through life paranoid. Just update your antivirus and have fun online. Whoever started it just wanted us to not trust KaZaA.

(Which isn't good cause besides audiogalaxy, KaZaA is the only good file sharing system, I mean look at the “new” Morpheus)


#13

:a

OK, it's not Kazaa but for you who have posted a response above I thought you should see this SOB.

F-Secure Virus Descriptions
Radar Alert LEVEL 2
NAME: Frethem
ALIAS:
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
For more information, see: http://www.F-Secure.com/products/radar/
Frethem is a mass-mailer worm that started to spread on June 11th. There are six different variants known so far (A-F). The worm arrives in an e-mail as an attachment. When the attachment is opened it copies itself to the user’s Startup folder as ‘setup.exe’. After the installation it collects e-mail addresses from the Windows Address Book and files with ‘*.DBX’ extensions. It uses its own SMTP engine to send infected messages. All the information needed to send e-mail is collected from the registry. The worm uses the user’s account data that includes the SMTP server name, e-mail address, etc. This way the infected message will look like it was sent by the user.

VARIANT: Frethem.A

The message sent by Frethem.A looks like this:

Subject: Re: Do your Windows looks like Windows XP?
I have found very nice desktop themes!

Body:

Hello!

Do you like modern design of new Windows XP?! I have found FREE
and easy to use desktop themes!

You can open attach with web site and samples! Enjoy it!!!

Attachment: www.freethemes.com

VARIANT: Frethem.E

Messages sent by Frethem.E look like this:

This variant uses one MIME vulnerability in Internet Explorer to execute the attachment automatically when the e-mail is opened. This vulnerability is fixed and a patch for it is available on Microsoft site:

http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

Removal

All the known variants of Frethem copy themselves to the user’s startup folder as ‘setup.exe’ and introduce no other changes in the system configuration. This makes the removal easy. The worm can be killed from the task manager, the process is called ‘Setup’. After this the worm can be deleted from the Startup folder.

F-Secure Anti-Virus Database Information

Detection in F-Secure Anti-Virus was published on June 13th, 2002:

[FSAV_Database_Version]
Version=2002-06-13_02

[Analysis: Gergely Erdelyi ; F-Secure Corp.; June 13th, 2002]
