May 20, 2002 4:10 PM PDT
Kazaa worm adds sour note to file swaps
Posing as popular song and movie files, the Benjamin worm aims to infect Kazaa users' PCs by tricking them into downloading a phony media file to their computer and opening it.
"It is very difficult right now to say how widespread it will be, but we are very worried about this worm (proliferating) in the Kazaa network," said Denis Zenkin, head of corporate communications for Moscow-based Kaspersky Labs.
Already, victims are reporting cases of infection.
After downloading a file that apparently had been corrupted, Theo Meyer of South Africa told CNET News.com that his PC slowed to a near standstill, with the worm consuming almost 100 percent of the processor cycles.
Another user reported that the worm filled up the space on his C drive and then proceeded to crash the computer. Finally, Dayton, Ohio, resident Gary Detherage said his son had downloaded the worm from the Kazaa network, but that his antivirus program caught it and quarantined it.
"It was simple to get rid of," Detherage wrote in an e-mail to CNET News.com. "I had it gone (in) a couple of minutes."
Because the worm poses as any of thousands of different files, and varies with the size of the file, it may be hard for a Kazaa user to discern which files on the network are real and which are infected. In addition, the worm does little but store copies of itself on a PC, and besides the change in hard-drive space, Zenkin worried that most users wouldn't detect it.
To date, though, few reports of the worm have surfaced.
Kaspersky Labs has seen just two: one involving a Kazaa user from Germany and another involving a Kazaa user from Mexico. Other antivirus software makers have said they're aware of only a handful of infections by the worm.
"It is only users of Kazaa that can be infected, and we are seeing very few," said Kevin Haley, group product manager with security company Symantec's security response team. But while it's unknown how many people use the Kazaa network, there have been more than 74 million downloads of the client from CNET's Download.com.
A representative of Sharman Networks, the makers of Kazaa, could not be reached for comment.
The Benjamin worm spreads to a computer after the PC owner downloads a fake file from another infected user over the Kazaa network. Once opened, the worm brings up a dialog box claiming that an error has occurred as a result of file corruption.
In reality, the worm works in the background and creates a new directory called "Sys32" in the Windows Temp folder, which it sets as an upload directory for Kazaa. It then fills the new directory with files of various sizes, each containing a copy of the worm and labeled with a name chosen randomly from a list carried by the 216KB Kazaa program.
Then the worm waits for other users on the Kazaa network to download the infected files. Because Kazaa only runs on Microsoft Windows systems, the worm only infects Windows computers.
Benjamin also attempts to show pop-up ads from a Web site in Germany. However, the site has since been closed "due to massive abuse," according to a message posted there.
The worm appears to do no other damage to infected systems.
Benjamin is not the first attempt at infecting file-swapping networks. A virus written in Microsoft's Visual Basic Script infected some users of the Gnutella network more than a year ago.