Symptoms
- The message box shown below:

- The following registry key:
  System Service with value C:\Windows\System\explorer.scr in
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- A lot of exe and scr files with names of movies, songs, and known software applications in the Windows\Temp\Sys32 directory.
Removal instructions:
Important: You will have to close all applications (including the antivirus shields) before running the
tool, and restart the computer afterwards.
Additionally, you will have to manually delete the infected files located in archives
and the infected messages from your mail client.
The BitDefender AntiBenjamin tool does the following:
- it detects Win32.Worm.Benjamin;
- it deletes the files created by Win32.Worm.Benjamin;
- it kills the process from memory;
- it repairs the Windows registry.
Analyzed By
Sorin Victor Dudea BitDefender Virus Researcher
Technical Description:
When a user runs the worm, it displays the message box above.
After that, the worm creates two registry keys:
- System Service with value C:\Windows\System\explorer.scr in
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- syscod with value 0065D7DB20008306B6A1 in
  HKEY_LOCAL_MACHINE\Software\Microsoft
Next, it creates a copy of itself as %System%\explorer.scr
and a lot of copies with names of movies, songs, and known software applications
in C:\Windows\Temp\Sys32.
If Kazaa is installed, the worm changes the share folder to C:\Windows\Temp\Sys32,
so when a user on the Kazaa network searches for a file with a name close
to the names of the files the worm creates in Temp\Sys32,
the search will find an infected file.

The worm opens Internet Explorer at the following URL:
benjamin.xww.de
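
The indicators in this description can be checked on a host with a read-only script. This is an added example, not part of the BitDefender write-up or the AntiBenjamin tool; the function name `Get-BenjaminIndicator`, the use of `$env:SystemRoot` for C:\Windows, and the extra `WOW6432Node` and `System32` locations are assumptions.

```powershell
# Added example: read-only check for the indicators listed in this description.
# It reports what it finds and changes nothing on the host.
function Get-BenjaminIndicator {
    param([string]$WindowsDir = $env:SystemRoot)   # assumption: stands in for C:\Windows

    # Registry values named in the description, relative to HKLM\SOFTWARE.
    $checks = @(
        @{ Key = 'Microsoft\Windows\CurrentVersion\Run'; Name = 'System Service' },
        @{ Key = 'Microsoft';                            Name = 'syscod' }
    )
    # The WOW6432Node view is an addition here: on 64-bit Windows, writes by a
    # 32-bit process to HKLM\SOFTWARE are redirected there.
    foreach ($check in $checks) {
        foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
            $path = Join-Path $root $check.Key
            $item = Get-ItemProperty -Path $path -Name $check.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                # Report the data as found so it can be compared with the description.
                [pscustomobject]@{
                    Type     = 'Registry'
                    Location = "$path [$($check.Name)]"
                    Detail   = [string]$item.PSObject.Properties[$check.Name].Value
                }
            }
        }
    }

    # Worm copy: the description gives %System%\explorer.scr and C:\Windows\System\explorer.scr.
    # Checking both System and System32 is an assumption about what %System% resolves to.
    foreach ($dir in 'System', 'System32') {
        $copy = Join-Path (Join-Path $WindowsDir $dir) 'explorer.scr'
        if (Test-Path -LiteralPath $copy -PathType Leaf) {
            [pscustomobject]@{ Type = 'File'; Location = $copy; Detail = 'file present at worm copy path' }
        }
    }

    # Folder the worm fills with copies and sets as the Kazaa share folder.
    $share = Join-Path $WindowsDir 'Temp\Sys32'
    if (Test-Path -LiteralPath $share -PathType Container) {
        $files = @(Get-ChildItem -LiteralPath $share -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.scr' })
        [pscustomobject]@{ Type = 'Directory'; Location = $share; Detail = "$($files.Count) exe/scr files" }
    }
}

Get-BenjaminIndicator | Format-Table -AutoSize -Wrap
```

No output means none of the listed indicators were found in the locations checked.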