Details:
Kazaa Propagation
Upon execution, this worm creates the following folder:
%Windows%\Temp\sys32,
*where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.
It then designates the folder as the default sharing folder for the Kazaa client software. In the folder, it drops copies of itself with different filenames and copies that are padded with data, so that the sizes of the dropped files vary. These dropped files are also detected by Trend Micro as WORM_BENJAMIN.A.
Some of the dropped files are corrupted copies that cannot execute and do not pose any threat to infected systems. Because a significant portion of the header of each corrupted file is damaged, antivirus software is unable to identify them.
Installation
It adds the following registry entry so that it executes automatically at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
System-Service = "%System%\EXPLORER.SCR"
*where %System% is the Windows system directory, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.
It also adds the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft
syscod = "<worm generated set of characters>"
This generated set of characters serves as a guest ID for the infected machine when connecting to a certain remote site. It also serves as the worm's marker.
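The two registry entries above are the worm's persistence and marker artifacts, and both are visible in an offline registry export. The following script is an added example for this page, not Trend Micro code: it parses a `.reg` export (only string values, which is all these indicators need) and reports a `System-Service` Run value that launches `EXPLORER.SCR` and a `syscod` value under `HKEY_LOCAL_MACHINE\Software\Microsoft`. The sample export embedded in the block is constructed for the demonstration; the `syscod` data is a made-up string, since the real value is generated per machine.

```python
"""Check a Windows registry export (.reg text) for the WORM_BENJAMIN.A
persistence entries described above. Added example for this page, not
Trend Micro code. SAMPLE_REG_EXPORT is constructed for the demonstration."""
import re

# Constructed .reg export: one benign Run value plus the two worm entries.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="q7Xk29pLm4"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"System-Service"="C:\\Windows\\System32\\EXPLORER.SCR"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft"

# A .reg string value line looks like "name"="data"; backslashes and
# double quotes inside name or data are escaped with a backslash.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ (quoted string) values are kept; DWORD and binary values
    are not needed for these indicators and are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_benjamin_indicators(keys):
    """Return (key, value_name, reason) tuples for entries matching the
    registry behaviour described in the write-up. Key and value names are
    compared case-insensitively, as the registry itself does."""
    lower_keys = {k.lower(): v for k, v in keys.items()}
    findings = []

    # Autostart: Run value named System-Service whose data ends in \EXPLORER.SCR
    for name, data in lower_keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "system-service" and data.lower().endswith("\\explorer.scr"):
            findings.append((RUN_KEY, name, "Run value launches EXPLORER.SCR"))

    # Marker / guest ID: a value named syscod directly under HKLM\Software\Microsoft
    marker_values = lower_keys.get(MARKER_KEY.lower(), {})
    for name in marker_values:
        if name.lower() == "syscod":
            findings.append((MARKER_KEY, name, "worm marker / guest ID value"))
    return findings


def scan_export(text):
    """Convenience wrapper: parse an export and return its findings."""
    return find_benjamin_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for key, name, reason in scan_export(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}: {reason}")
```

On a live system the export would come from `reg export HKLM\Software\Microsoft out.reg` (or from a mounted offline hive converted to text); the matching logic is the same either way, and the benign `SecurityHealth` entry in the sample shows that ordinary Run values are not reported.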
Payloads
This worm stays in memory to continuously process its destructive payload, which is to fill an infected user's hard disk drive for as long as Windows permits the creation of files.
This malware also executes a form of denial of service (DoS) attack by repetitively connecting to a certain remote site. When connecting to this remote site, the worm sends out the infected user's guest ID. On the other end, a malicious listener may count the number of times the infected system has pinged the remote server.
Other Details
A common hiding technique is employed by this worm when it uses the multimedia or the screensaver icon. It also hides itself from the task list. On systems running Windows 9x, this worm is invisible in the Close Program dialog, which opens when the CTRL+ALT+DEL key combination is pressed.
This worm displays an error message with the following text strings:
Access error #03A:94574:Invalid pointer operation
File possible corrupted.