ZDNet UK


KWBot worm hits Kazaa

Matt Loney ZDNet.co.uk

Published: 05 Jul 2002 15:19 BST


The Kazaa file-swapping network has been hit by another worm, just months after the first such attack, according to antivirus vendors.

Antivirus company Sophos said it had received several reports of the KWBot worm in the wild. KWBot appears to be the second worm to hit the Kazaa network, which fell prey to the Benjamin worm in May.

KWBot spreads in a similar way to Benjamin, by altering Windows registry keys and then disguising itself as files that are likely to prove popular with file-swappers. It makes particular use of the names of movies and applications. When first executed the worm copies itself to the Windows system folder as xplorer32.exe, said Sophos. It will then create two registry entries so that the copy is run each time Windows is started.

The worm may also allow attackers to gain control of an infected computer using commands transmitted over Internet Relay Chat, said Sophos.

Kazaa is not alone among file-swapping networks that have been targeted by virus writers. The Gnutella file-swapping network was hit by a proof-of-concept worm in February.

There have also been threats from other quarters. In April, a bug was found in the popular Winamp software for playing digital music files that could allow an attacker to embed malicious code into an MP3 file, potentially damaging the user's PC and infecting other MP3s.

And the music industry recently began planting "decoys" on free peer-to-peer services in its fight against online piracy, according to sources. This practice, known as "spoofing", entails the hiring of companies to distribute "decoy" files that are empty or do not work in order to frustrate would-be downloaders of movies and music.

Overpeer, a New York-based software firm funded by South Korea's SK Group, is understood to be one of the firms helping the industry disguise online files to thwart unauthorised swapping.

Examples of filenames used by the KWBot worm are:

  • Star Wars Episode 2 - Attack of the Clones VCD CD1.exe
  • Spiderman The Movie - The Game.exe
  • Grand Theft Auto 3 CD1 ISO.exe
  • ZoneAlarm Firewall Pro.exe
  • Windows XP Professional iso.exe
  • Unreal Tournament cracked (works on all servers).exe
  • University Study Guide (cheat sheet).exe
  • Quicken Pro 2002 iso.exe
  • Perl Ultimate Study Guide.exe
  • Office XP Corporate Ed. iso.exe
  • Norton Utilities 2002.exe
  • Microsoft Visual C++ 7.0 iso.exe
  • MCSE Ultimate Study Guide.exe
  • Max Payne full iso.exe
  • Macromedia Flash 5.exe
  • Kazaa Advertisement Ad remover.exe
  • DSL Anonymizer.exe
  • DoS Attacker.exe
  • DivX Codec 6.0 beta (codec only).exe
  • Credit Card number generator VERIFIER (cc cc#).exe
  • cows gone wild.exe
  • 100 XXX Passwords (verified 3-24-02).exe

Sophos has a virus identity file that includes a fix for the KWBot virus here.
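
As an added illustration (not code from the article or from Sophos), the two traits described above can be turned into a triage check over a file listing: the `xplorer32.exe` copy name, and executables whose names claim to be disc images, video rips, codecs or documents. The token list, the extra executable extensions and the sample paths are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Name the article gives for the worm's copy in the Windows system folder.
DROPPED_COPY = "xplorer32.exe"
# Extensions Windows runs directly; the article's bait names all use .exe,
# the other entries are an assumption of this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
# Words taken from the article's bait names that describe disc images, video
# rips, codecs or documents, i.e. content that is not itself a program.
NON_PROGRAM = re.compile(
    r"\b(iso|vcd|cd\d|codec|study guide|cheat sheet|passwords)\b", re.I)


def triage(paths):
    """Return (path, reason) for each path that fits the KWBot description."""
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() == DROPPED_COPY:
            findings.append((raw, "name of the worm's system-folder copy"))
        elif p.suffix.lower() in EXECUTABLE_EXTS:
            hit = NON_PROGRAM.search(p.stem)
            if hit:
                findings.append(
                    (raw, f"executable named as non-program content: {hit.group(0)!r}"))
    return findings


# Constructed sample listing (paths are illustrative, not from the article).
SAMPLE = [
    r"C:\WINDOWS\system32\xplorer32.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Shared\Windows XP Professional iso.exe",
    r"C:\Shared\DivX Codec 6.0 beta (codec only).exe",
    r"C:\Shared\holiday photos.iso",
    r"C:\Program Files\Winamp\winamp.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{path}: {reason}")
```

Bait names that read like genuine programs, such as "ZoneAlarm Firewall Pro.exe" from the list above, pass this name check, so it complements the vendor's identity file rather than replacing it.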

