[ISN] Its Creator Says Kazaa Benjamin Worm Means Well

From: InfoSec News (isnat_private)
Date: Tue May 21 2002 - 02:29:45 PDT


    http://www.newsbytes.com/news/02/176684.html
    
    By Brian McWilliams, Newsbytes
    MUNICH, GERMANY
    20 May 2002, 2:20 PM CST
     
    The creators of a new worm that targets users of the Kazaa
    file-trading network say they released the code to frustrate Internet
    users searching for pirated software and child pornography.
    
    Anti-virus software vendors have issued warnings that the so-called
    "Benjamin worm" is being unintentionally propagated among Kazaa users
    who download any of dozens of executable programs and screen savers
    that have been infected with the malicious code.
     
    According to one of its developers, Paul Komoszki, Benjamin is a
    "controlled test" of a program designed to disrupt the illegal
    exchange of copyrighted data and child porn over peer-to-peer
    networks.
    
    "We do not want to affect the exchange of legal programs and legal
    music files. Only users who are looking for and sharing copyrighted
    files could be infected," said Komoszki in an e-mail interview today.
    
    Once it infects a Kazaa user's computer, Benjamin creates numerous
    copies of itself under file names that may be of interest to other
    Kazaa users, according to anti-virus firms. Examples include
    borlanddelphi-full-downloader.exe and Braveheart-Special
    Edition-divx.exe, according to Kaspersky Labs.
    
    "After a few months it could be that there are more Benjamin files in
    p2p networks than warez files ... Within a few days Benjamin has
    spread very far in these illegal networks," said Komoszki.
    
    After creating a special directory on a victim's computer and filling
    it with infected files, Benjamin contacts a Web site in Germany to
    display a pop-up advertisement, Kaspersky said.
    
    The site, operated by Komoszki, has been disabled "due to massive
    abuse" according to a message at the page today.
    
    According to Komoszki, the pop-up was intended to generate income for
    the malicious program's creators and to fund the "advancement" of
    future versions of the software.
    
    Kazaa representatives did not respond to requests for information.
    
    Kazaa users can protect themselves from executable programs that
    contain Trojan horses by specifying that file types such as exe, scr,
    and vbs be excluded from their search requests.
    
    Kaspersky's write-up on Worm.Kazaa.Benjamin is at
    http://www.viruslist.com/eng/viruslist.html?id=49790
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
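
An added example (not part of the Newsbytes article or Kaspersky's write-up): a Python audit of a shared or download folder that applies the article's exe/scr/vbs filter and groups files that have identical content under different names, the pattern described for Benjamin's copies. The function names, the lure markers and the assumption that the copies are byte-identical are illustrative; the sample files are constructed, with two names taken from the article.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

RISKY_EXTENSIONS = {".exe", ".scr", ".vbs"}  # types the article says to exclude
LURE_MARKERS = ("divx", "full", "crack", "special edition")  # constructed list

def audit_share(folder):
    """Return (lures, clones) for exe/scr/vbs files under folder.
    lures:  paths whose name contains a lure marker.
    clones: groups of paths with identical SHA-256, i.e. one body, many names.
    """
    by_digest = defaultdict(list)
    lures = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if ext not in RISKY_EXTENSIONS:
                continue
            path = os.path.join(root, name)
            if any(marker in stem for marker in LURE_MARKERS):
                lures.append(path)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            by_digest[digest.hexdigest()].append(path)
    clones = sorted(sorted(g) for g in by_digest.values() if len(g) > 1)
    return sorted(lures), clones

def demo():
    """Audit a constructed share folder; returns base names only."""
    samples = {  # constructed contents; the first two names are from the article
        "borlanddelphi-full-downloader.exe": b"MZ constructed-body",
        "Braveheart-Special Edition-divx.exe": b"MZ constructed-body",
        "holiday-photos.scr": b"MZ another-body",
        "song.mp3": b"ID3 constructed-audio",
    }
    with tempfile.TemporaryDirectory() as share:
        for name, body in samples.items():
            with open(os.path.join(share, name), "wb") as fh:
                fh.write(body)
        lures, clones = audit_share(share)
    names = lambda paths: [os.path.basename(p) for p in paths]
    return names(lures), [names(g) for g in clones]

if __name__ == "__main__":
    print(demo())
```

A clone group is a stronger signal than a lure name alone: legitimate installers rarely appear several times under unrelated titles.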
    


