Thanks mxxcon for the heads up on this one from BPN Forum. This worm uses the Kazaa file exchange P2P network to spread itself. The Kazaa network allows its users to exchange files with each other using the Kazaa client software. To learn more about the Kazaa network visit their site at: https://www.kazaa.com.
Benjamin is written in Borland Delphi and is approximately 216 Kb in size - it is compressed by the AsPack utility. The size of a file can vary greatly as the worm ends each file with "dust" for masking.
Install
Firstly the worm shows a false error report:
Access error #03A:94574: Invalid pointer operation
File possibly corrupted.
[ OK ]
It copies itself to the %WinDir%SYSTEM directory as: EXPLORER.SCR.
Benjamin then creates two keys in the system registry:
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun] "System-Service"="C:WINDOWSSYSTEMEXPLORER.SCR"
[HKEY_LOCAL_MACHINESoftwareMicrosoft] "syscod"="0065D7DB20008306B6A1"
The worm executes after system restarts.
News source: Viruslist.com
