ZDNet UK

• CNET NETWORKS UK BUSINESS SITES:
• atlarge.com
• BNET UK
• silicon.com
• SmartPlanet.com
• ZDNet.co.uk

Worm crawls into Kazaa network

• Tags:
• Kazaa Worm,
• Benjamin Worm,
• Benjamin Virus,
• Sharman Networks

Matt Loney ZDNet.co.uk

Published: 20 May 2002 11:51 BST

• 
• 
• 
• 
• 

The Kazaa file-swapping network has been hit by a virus, according to security experts.

The Kazaa network is one of the most popular file-exchange networks, with more than 81 million copies of its client downloaded to date, according Sharman Networks, the company that developed the service.

Security software firm Kaspersky Labs said the worm, called "Worm.Kazaa.Benjamin", is the first malicious program to spread through the Kazaa file exchange network, although Gnutella was hit by a proof-of-concept worm in February.

The Benjamin worm was reported to Kaspersky Labs on Saturday. "In terms of data destruction it is not very dangerous," said Kaspersky spokesman Denis Zenkin. "It does not erase any information, but eats up space on your hard disk and it jams the data transmission channels. It becomes harder for the Kazaa network users to communicate because lots of infected data is being placed in their hard drives, and if you look for a game you are likely to be offered a copy of the virus instead."

Benjamin spreads by creating a directory that is accessible to other users of the Kazaa network. It makes numerous -- possibly thousands -- copies of itself in this directory, using many different names from a list contained in the body of the worm. When a network user conducts a search for a file under a name corresponding with one the worm's pseudonyms, the unsuspecting user is given the chance to download it from the infected computer.

When it is downloaded, Benjamin displays a false error report, warning the user that the file is possible corrupted, but then goes on copy itself into the system directory and creates two keys in the system registry.

As well as eating up free disk space, said Kaspersky, Benjamin opens a Web page, called benjamin.xww.de to display banner ads. On Monday morning the Benjamin.xww.de Web site had a message saying: "Domain closed due to massive abuse."

Benjamin is written in Borland Delphi and is approximately 216KB in size - it is compressed by the AsPack utility. The size of a file can vary greatly as the worm ends each file with random data -- called "dust" -- for masking. But, said Zenkin, is can be removed relatively easily by deleting the infected files. Antivirus software vendors such as Kaspersky Labs have already updated their products to detect it, he added.

Sharman Networks could not immediately be reached for comment.

---

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed