The worm is written in Borland Delphi and is about 216 kilobytes long. The worm's file is compressed with the ASPack file compressor. In addition, the worm uses a decoy: it appends random data to the end of its file, which increases its size 2-3 times.
When the worm's file is started, it shows a fake error message:
Error
Access error #03A:94574: Invalid pointer operation
File possibly corrupted.
Then it copies itself into the Windows System directory as EXPLORER.SCR and creates two keys in the System Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="0065D7DB20008306B6A1"
This way the worm makes sure that it is always run when Windows is started.
The worm spreads only from and to computers where KaZaa network clients are installed. The worm reads the settings of the KaZaa client from the System Registry, creates a directory named \Sys32\ in the Windows Temp folder and makes this directory visible to all clients of the KaZaa network.
The worm then fills this directory with copies of itself under various names, which are taken from a list inside the worm's body. The list contains numerous titles of popular software, movies, games and music, and some commonly used search words. For example, this is only the part of the list with titles starting with the letter 'A':
...
A.I-Artificial Intelligence- divx -full-downloader
A.I-Artificial Intelligence- Filme -full-downloader
ABeautifulMind
AbsoluteZero-installer
acdsee4
ACDSeePowerPackRetail-installer
Adobe InDesign 2.0 Build 416 -full-downloader
Adobe Pagemaker -full-downloader
Adobe Photoshop 6.0 -full-downloader
Adobe Photoshop update (6.1) -full-downloader
Adobe-Streamline-installer
Adress Genie 4.0-full-downloader
After Dark Deluxe-Bildschirmschoner-full-downloader
Age of Empires 2- Games -full-downloader
Age of Empires 2 Gold +Strat.Comm.-Games-full-downloader
Age of Empires 2 Gold +Strat.Comm.-Spiel-full-downloader
Age of Empires 2-Spiel-full-downloader
Age of Empires Screensaver
Age of Empires-Games-full-downloader
Age of Empires-spiel-full-downloader
Age of Mythology - Games -full-downloader
Age of Mythology (Beta) -full-downloader
Age of Mythology-installer
Age of Wonders II The Wizard's-installer
Airxonix -full-downloader
AirxonixGeschicklichkeit
Alarm Stufe Rot 2 -full-downloader
Alarm Stufe Rot 2 Yuris Rache -full-downloader
Alfred Hitchcock - The Final Cut - Games -full-downloader
Alice-full-installer
Alien vs. Predoator 2-Games-full-downloader
Alien vs. Predoator 2-Spiel-full-downloader
Aliens versus Predator 2 -full-downloader
Aliens Versus Predator 2-installer
Aliens versus Predator -full-downloader
AliZaoua
All Serials
All Serialz
Allout-Games-full-downloader
Almost Famous-Komödie-Filme-full-downloader
American McGee's Alice-Games-full-downloader
American McGee's Alice-spiel-full-downloader
American Pie 2 -divx-full-downloader
American Pie 2- Filme -full-downloader
American Pie 2-divx-full-downloader
American Pie -divx-full-downloader
Anam
Anarchy Online-Games-full-downloader
Anarchy Online-Spiel-full-downloader
Animal
Anno 1503 (Beta) -full-downloader
Anno 1503- Games -full-downloader
Anno 1503-Spiel-full-downloader
Anno 1602 Königs Edition Classic- Games -full-downloader
Anno 1602 Königs Edition Classic-Spiel-full-downloader
Anstoss 3 -full-downloader
Anti Hacker-Program 2002-full-downloader
Appz
Aquanox -full-downloader
aquanox-full-downloader
Aquanox-full-instaler
ArmySargeHero
ARX Fatalis-installer
ARXFatalis
Asheron's Call 2-installer
Assessment Center-full-downloader
Astalavista
AsterixundOberlix
...
The worm spreads in the following way: a KaZaa network user searches the KaZaa network for any file (for example, a file that has the string 'game' in its name) and finds it in the list of files accessible from an infected computer. He downloads this file and starts it, thus infecting his own machine.
The worm opens the benjamin.xww.de website to view an advertisement.
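Because the random data is appended to the end of the file, copies placed in a shared folder under different names differ in size and whole-file hash but still begin with the same bytes. The following is an added example, not part of the original description: a Python check that groups the files in a directory by a hash of their leading bytes and reports groups that share a prefix but differ in size. The prefix length, the group threshold and the sample files are assumptions constructed for the demonstration, as is the premise that each copy carries a different random tail.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

PREFIX_LEN = 64 * 1024   # assumption: bytes compared from the start of each file
MIN_COPIES = 3           # assumption: group size that counts as suspicious


def prefix_digest(path, length=PREFIX_LEN):
    """SHA-256 of the first `length` bytes; trailing padding is never read."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read(length)).hexdigest()


def find_padded_copies(directory, min_copies=MIN_COPIES):
    """Return groups of files with identical leading bytes but different sizes."""
    groups = defaultdict(list)
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False) and entry.stat().st_size >= PREFIX_LEN:
            groups[prefix_digest(entry.path)].append((entry.name, entry.stat().st_size))
    suspicious = []
    for members in groups.values():
        sizes = {size for _, size in members}
        # Same body under many names, sizes differing only through the tail.
        if len(members) >= min_copies and len(sizes) > 1:
            suspicious.append(sorted(members))
    return suspicious


def build_constructed_sample(directory):
    """Constructed test data: one harmless body padded three ways, plus a decoy."""
    body = b"CONSTRUCTED-BODY" * (PREFIX_LEN // 16)
    names = ["Alice-full-installer", "All Serials", "Appz"]  # titles from the list
    for i, name in enumerate(names, start=1):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(body + os.urandom(1024 * i))   # random tail, size varies
    with open(os.path.join(directory, "unrelated.bin"), "wb") as fh:
        fh.write(os.urandom(PREFIX_LEN + 512))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for group in find_padded_copies(tmp):
            print("identical prefix, different sizes:", group)
```

A whole-file hash would place each padded copy in its own group, which is why the comparison is limited to the leading bytes.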