W32/Benjamin.worm

Type
Virus
SubType
Internet Worm
Discovery Date
05/16/2002
Length
varies
Minimum DAT
4204 (05/22/2002)
Updated DAT
4302 (11/05/2003)
Minimum Engine
5.1.00
Description Added
05/20/2002
Description Modified
05/22/2002 11:30 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • BackDoor-AEG
  • TROJ_FILLHDD.A (Trend)
  • Trojan.Filler (MkS_vir)
  • W32.Benjamin.Worm (NAV)
  • W32/Kazoa (Panda)
  • Win32.Worm.Benjamin.A (Softwin)
  • Win32/Benjamin.worm (RAV)
  • Win32/Kazaa.Benjamin worm (ESET)
  • Worm.Kazaa.Benjamin (AVP)

Characteristics

This threat is considered a Low-Profiled risk as it is not widespread and has gotten media attention.

When this worm is run, it copies itself to %WINDIR%\SYSTEM\EXPLORER.SCR, where %WINDIR% is the directory Windows is installed in. Then it adds the registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\SystemService=%WINDIR%\SYSTEM\EXPLORER.SCR

To spread, the worm requires that the Kazaa software is installed on the machine. It creates a directory called %WINDIR%\TEMP\SYS32, and changes the Kazaa settings so that remote users can download from this directory. Then it copies itself to that directory under many different names which other users may search for. The size of these files can vary since the worm pads them with garbage bytes. This method of spreading is comparable to the VBS/GWV worm.

Symptoms

  • Presence of EXPLORER.SCR and registry key pointing to it.
  • Presence of %WINDIR%\TEMP\SYS32 and many files inside.
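As an added defender-side check that is not part of this advisory, the script below looks for the two symptoms above: it parses a Windows .reg export for the SystemService value under the Run key and inspects a %WINDIR% layout for SYSTEM\EXPLORER.SCR and files shared from TEMP\SYS32. The registry text, directory layout and file names it uses are constructed stand-ins, not captures from an infected host.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "SystemService"
DROPPED_FILE = "EXPLORER.SCR"

def find_run_value(reg_export: str, value_name: str = VALUE_NAME):
    """Return the data of value_name under the Run key in a .reg export, or None."""
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and current_key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1).lower() == value_name.lower():
                return m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
    return None

def check_host(reg_export: str, windir: Path) -> dict:
    """Report the two symptoms listed on the page for one host."""
    value = find_run_value(reg_export)
    share = windir / "TEMP" / "SYS32"
    shared = [p for p in share.iterdir() if p.is_file()] if share.is_dir() else []
    return {
        "run_key_points_to_scr": bool(value) and value.upper().endswith(DROPPED_FILE),
        "explorer_scr_present": (windir / "SYSTEM" / DROPPED_FILE).is_file(),
        "sys32_shared_files": len(shared),
    }

# Constructed sample registry export, not a real capture.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemService"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
'''

def demo() -> dict:
    """Build a constructed %WINDIR% layout showing both symptoms, then check it."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = Path(tmp)
        (windir / "SYSTEM").mkdir()
        (windir / "SYSTEM" / DROPPED_FILE).write_bytes(b"MZ")  # stand-in, not the worm
        share = windir / "TEMP" / "SYS32"
        share.mkdir(parents=True)
        for name in ("setup.exe", "movie.scr", "crack.exe"):  # constructed lure names
            (share / name).write_bytes(b"MZ" + b"\0" * 10)
        return check_host(SAMPLE_REG, windir)
```

On a live machine, feed `check_host` the output of `reg export` for the Run key and the real Windows directory instead of the constructed layout from `demo`.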

Method of Infection

Since this worm offers itself over the Kazaa network under names that users may find tempting, users who are not infected may download and run the worm from infected machines, and thus spread the worm themselves.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A