VIRUS NAME : W32/Benjamin.worm
Internet Worm Characteristics
This threat is considered a Low-Profiled risk as it is not wide-spread and has gotten media attention.
When this worm is run, it copies itself to %WINDIR%\SYSTEM\EXPLORER.SCR,
where %WINDIR% is the directory Windows is installed in. Then it adds
the registry key:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemService=%WINDIR%\SYSTEM\EXPLORER.SCR
To spread, the worm
requires that the Kazaa software is installed on the machine. It creates
a directory called %WINDIR%\TEMP\SYS32, and changes the Kazaa settings
so that remote users can download from this directory. Then it copies
itself to that directory under many different names which other users
may search for. The size of these files can vary since the worm pads them
with garbage bytes. This method of spreading is comparable to the VBS/GWV
worm.
Symptoms
Presence of EXPLORER.SCR and registry key pointing to it.
Presence of %WINDIR%\TEMP\SYS32 and many files inside.
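The symptoms above can be checked on a live system or on a mounted disk image. The following is an added example, not part of the original advisory; the function names, the .reg export input and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

def _child(parent, name):
    """Case-insensitive lookup, so images mounted on Linux are handled too."""
    if parent and os.path.isdir(parent):
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    return None

def check_symptoms(windir, run_export=""):
    """Report the advisory's symptoms under `windir` (live system or mounted image).
    `run_export` is an assumed input: text of a .reg export of the HKLM Run key."""
    found = {}
    scr = _child(_child(windir, "SYSTEM"), "EXPLORER.SCR")
    if scr and os.path.isfile(scr):
        found["dropped_copy"] = scr
    share = _child(_child(windir, "TEMP"), "SYS32")
    if share and os.path.isdir(share):
        # The worm pads its copies with garbage bytes, so list every file with
        # its size instead of matching on one known size.
        found["share_dir_files"] = sorted(
            (n, os.path.getsize(os.path.join(share, n))) for n in os.listdir(share))
    # .reg exports store values as "name"="data" with doubled backslashes.
    m = re.search(r'^"SystemService"="(.*EXPLORER\.SCR)"\s*$', run_export, re.I | re.M)
    if m:
        found["run_value"] = m.group(1).replace("\\\\", "\\")
    return found

def demo():
    """Scan a constructed sample tree made of harmless placeholder files."""
    with tempfile.TemporaryDirectory() as root:
        windir = os.path.join(root, "WINDOWS")
        share = os.path.join(windir, "Temp", "Sys32")
        os.makedirs(os.path.join(windir, "system"))
        os.makedirs(share)
        with open(os.path.join(windir, "system", "Explorer.scr"), "wb") as f:
            f.write(b"placeholder")
        for name, size in (("sample one.exe", 100), ("sample two.scr", 250)):
            with open(os.path.join(share, name), "wb") as f:
                f.write(b"\0" * size)
        export = '"SystemService"="C:\\\\WINDOWS\\\\SYSTEM\\\\EXPLORER.SCR"\r\n'
        return check_symptoms(windir, export)

if __name__ == "__main__":
    print(demo())
```

An empty result means none of the three symptoms was found under the given directory; it does not rule out other malware.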
Method Of Infection
Since this worm offers itself over the Kazaa network under names that
users may find tempting, users who are not infected may download and run
the worm from infected machines, and thus spread the worm themselves.