Home / malware Win32.Worm.Benjamin
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Worm.Benjamin is also known as Worm.Kazaa.Benjamion, (KAV.
Explanation :
When an user runs the worm it will display the message box above.
After that the worm creates two registry keys:
System Service with value C:WindowsSystemexplorer.scr
in
HKEY_LOCAL_MACHINE\SOFTWAREMicrosoftWindowsCurrentVersionRun
and
syscod with value 0065D7DB20008306B6A1
in
HKEY_LOCAL_MACHINESoftwareMicrosoft.
Next it will create a copy of itself in %System%explorer.scr
and a lot of copies with names of movies songs and known software applications
in C:WindowsTempSys32.
If Kazaa is installed it will change the share folder to C:WindowsTempSys32
so if an user from the Kazaa network searches for a file with name close
to the names of files the worm creates in TempSys32
it will found an infected file:
The worm opens the Internet explorer at the following URL:
benjamin.xww.deLast update 21 November 2011
