Virus Profile: W32/Benjamin.worm

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 5/16/2002
Date Added: 5/20/2002
Origin: Germany?
Length: varies
Type: Virus
Subtype: Internet Worm
DAT Required: 4204
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of %WINDIR%\SYSTEM\EXPLORER.SCR and a Run registry value pointing to it.
  • Presence of the %WINDIR%\TEMP\SYS32 directory containing many files.

Methods of Infection

Since this worm offers itself over the Kazaa network under names that users may find tempting, users who are not infected may download and run the worm from infected machines, and thus spread the worm themselves.

Aliases

BackDoor-AEG, TROJ_FILLHDD.A (Trend), Trojan.Filler (MkS_vir), W32.Benjamin.Worm (NAV), W32/Kazoa (Panda), Win32.Worm.Benjamin.A (Softwin), Win32/Benjamin.worm (RAV), Win32/Kazaa.Benjamin worm (ESET), Worm.Kazaa.Benjamin (AVP)

Virus Characteristics

This threat is considered a Low-Profiled risk: it is not widespread, but it has received media attention.

When this worm is run, it copies itself to %WINDIR%\SYSTEM\EXPLORER.SCR, where %WINDIR% is the directory Windows is installed in. It then adds the following value under the Run key so that the copy is launched at each system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemService=%WINDIR%\SYSTEM\EXPLORER.SCR

To spread, the worm requires that the Kazaa software is installed on the machine. It creates a directory called %WINDIR%\TEMP\SYS32, and changes the Kazaa settings so that remote users can download from this directory. Then it copies itself to that directory under many different names which other users may search for. The size of these files can vary since the worm pads them with garbage bytes. This method of spreading is comparable to the VBS/GWV worm.
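The following is an added example, not McAfee's code and not part of this profile: a small host-triage script in Python that evaluates the three indicators listed above (the dropped EXPLORER.SCR, the SystemService Run value pointing at it, and a populated %WINDIR%\TEMP\SYS32 directory) against a snapshot of a host. The HostSnapshot structure, the check_benjamin and snapshot_local_host names, and the sample host data are assumptions constructed for illustration; only the paths and the registry value name come from the profile.

```python
r"""Host-triage check for the W32/Benjamin.worm indicators named in this profile.

Added example (not McAfee's code).  The snapshot format and the sample
hosts below are constructed; the artifacts checked are the ones the
profile lists: %WINDIR%\SYSTEM\EXPLORER.SCR, the HKLM Run value
"SystemService" pointing at it, and files under %WINDIR%\TEMP\SYS32.
"""
import ntpath
import os
import platform
from dataclasses import dataclass

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SystemService"        # Run value name given in the profile
DROPPED_FILE = r"SYSTEM\EXPLORER.SCR"   # relative to %WINDIR%
SHARE_DIR = r"TEMP\SYS32"               # relative to %WINDIR%; exposed via Kazaa


@dataclass
class HostSnapshot:
    """What the check needs from a host (assumed structure): the Windows
    directory, the HKLM Run values (name -> data) and a set of file paths."""
    windir: str
    run_values: dict
    files: set


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).upper()


def check_benjamin(snap: HostSnapshot) -> list:
    """Return (indicator, detail) tuples; an empty list means no indicator hit."""
    hits = []
    dropped = _norm(ntpath.join(snap.windir, DROPPED_FILE))
    files = {_norm(f) for f in snap.files}

    # 1. the worm's own copy in the Windows system directory
    if dropped in files:
        hits.append(("dropped_file", dropped))

    # 2. the startup hook: Run\SystemService pointing at that copy
    data = snap.run_values.get(RUN_VALUE_NAME)
    if data is not None and _norm(data.strip('"')) == dropped:
        hits.append(("run_value", f"{RUN_KEY}\\{RUN_VALUE_NAME}={data}"))

    # 3. the Kazaa-shared drop directory with bait copies inside
    share = _norm(ntpath.join(snap.windir, SHARE_DIR))
    shared = [f for f in files if ntpath.dirname(f) == share]
    if shared:
        hits.append(("kazaa_share_dir", f"{share} ({len(shared)} files)"))
    return hits


def snapshot_local_host() -> HostSnapshot:
    """Collect the snapshot from the machine this runs on (Windows only)."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection needs Windows; use a constructed snapshot")
    import winreg
    windir = os.environ["WINDIR"]
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            run_values[name] = str(data)
            index += 1
    files = set()
    dropped = os.path.join(windir, DROPPED_FILE)
    if os.path.isfile(dropped):
        files.add(dropped)
    share = os.path.join(windir, SHARE_DIR)
    if os.path.isdir(share):
        files.update(os.path.join(share, n) for n in os.listdir(share))
    return HostSnapshot(windir=windir, run_values=run_values, files=files)


# Constructed sample hosts (not real data): one showing all three indicators,
# one clean machine with an ordinary Run value.
INFECTED = HostSnapshot(
    windir=r"C:\WINDOWS",
    run_values={"SystemService": r"C:\WINDOWS\SYSTEM\EXPLORER.SCR"},
    files={
        r"C:\WINDOWS\SYSTEM\EXPLORER.SCR",
        r"C:\WINDOWS\TEMP\SYS32\file1.exe",
        r"C:\WINDOWS\TEMP\SYS32\file2.exe",
    },
)
CLEAN = HostSnapshot(
    windir=r"C:\WINDOWS",
    run_values={"ExampleUpdater": r"C:\Program Files\Example\update.exe"},
    files={r"C:\WINDOWS\SYSTEM\shell32.dll"},
)

if __name__ == "__main__":
    snap = snapshot_local_host() if platform.system() == "Windows" else INFECTED
    for indicator, detail in check_benjamin(snap) or [("none", "no indicators found")]:
        print(f"{indicator}: {detail}")
```

On a non-Windows machine the script falls back to the constructed INFECTED snapshot so the logic can be exercised offline; on Windows it reads the real Run key and file system. A hit on the Run value alone (without the dropped file) is still worth investigating, since a cleaned copy can leave the startup hook behind, which is why the profile's removal notes address registry cleanup separately.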

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations