-
Kazaa Worm
I read an earlier post regarding the worm Benjamin. I ran a complete scan with my virus program and I saw all kinds of files I knew I had never downloaded. Well, I ran a search and deleted them but with each re-boot, they re-appear. I run 98 second edition and I have downloaded music from Kazaa. I went to the page telling about this worm, but it did not give any advice on how to remedy the problem. My machine is running fine, but I would like to get rid of it. My virus checker did not pick it up at all. Any advice would be greatly appreciated!
Thanks and Have a great day!
Leigh Ann
Lawrence, Kansas
-
The article does tell you what files and registry keys this worm creates, which in turn means we also know where to go in order to remove them.
The first thing to do is check for a file called EXPLORER.SCR
If you have this file in your Windows\System folder, you have the worm.
If you don't, you haven't got it.
-
Leigh Ann, The info below may be of some help to you.
Found this on another board.
Bones
A nasty little IRC bot trojan that manages to sneak by Norton AV and Trend Micro with the latest definitions.
It appears to act as a fileserver for warez, and promptly filled up all available space on your C: partition with partial (600K) files (warez, mp3, avi, etc). This will put a new line in registry calling C:\WINDOWS\SYSTEM\EXPLORER.SCR and the warez files will all go into C:\WINDOWS\TEMP\sys32. If you experience similar symptoms, the remedy seems to be to disconnect your PC from the net (stops the steady stream of files coming in). Remove the line from your registry, delete the EXPLORER.SCR, and restart the machine. Then delete the \TEMP\sys32 folder (you won't be able to until after restart, the folder is "in use" and causes a sharing violation if you try to delete it while the trojan is running).
-
I want to thank everyone for their replies to my question and problem earlier today. I'm needing a little more help however. I'm not really computer savvy when it comes to deleting items from my registry. I would like for someone to give me a really simple and easy way to delete the registry entries for this little monster worm. Sorry for asking so many questions but I'm afraid of deleting the wrong things.
Thanks for your time! It really is appreciated!
Leigh Ann
-
Leigh Ann,
This really isn't hard.
Do this:
Go to Start > Run > Regedit.
The Registry Editor will open, and you'll see a Windows Explorer type interface.
Just click the little + signs to expand a branch, just like you're used to.
Navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run folder (or subkey, which in fact it is).
Click the Run subkey once in order to display its contents in the Right hand pane.
You'll see an entry (a registry value) "System-Service"="C:\WINDOWS\SYSTEM\EXPLORER.SCR" there
Highlight this value "System-Service" in the right pane, and hit 'delete'.
Close Regedit, and you're done.
Restart your computer.
Now delete C:\Windows\System\Explorer.scr, and also delete the Sys32 folder in your Windows\Temp directory.
Good luck, Tony
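The following is an added example, not code from anyone in this thread: a small Python script that checks for the indicators the replies above name (the EXPLORER.SCR check in the earlier reply, and the "System-Service" Run value plus the Windows\Temp\sys32 folder from Tony's steps) and reports them without deleting anything. Rather than reading the live registry, it parses a regedit export (the plain-text REGEDIT4 format that Regedit writes via Registry > Export), so it can be run offline on a copied export; the sample export text and the temporary directory tree are constructed for the example. The indicator paths, value name, and function names are the example's own assumptions, taken only from what the thread states.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the thread (constructed list, not a signature database).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE_NAME = "System-Service"
SUSPECT_FILE_STEM = "explorer.scr"

# Constructed sample of a Regedit export in REGEDIT4 format.
# Backslashes inside quoted data are doubled in this format.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
'''

# Matches  "name"="data"  or  @="data"  lines; group 3 is the raw data.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    """Undo the backslash escaping used inside REGEDIT4 quoted strings."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.
    Only string values ("name"="data") are decoded; other types are kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = "" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_run_indicators(keys):
    """Return (key, value_name, data) for Run entries matching the thread's
    indicators: the value name 'System-Service' or any data naming EXPLORER.SCR."""
    hits = []
    for key, values in keys.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == SUSPECT_VALUE_NAME.lower() or SUSPECT_FILE_STEM in data.lower():
                hits.append((key, name, data))
    return hits


def find_file_indicators(windows_dir):
    """Check a Windows directory tree for SYSTEM\\EXPLORER.SCR and TEMP\\sys32."""
    windows_dir = Path(windows_dir)
    found = []
    scr = windows_dir / "SYSTEM" / "EXPLORER.SCR"
    sys32 = windows_dir / "TEMP" / "sys32"
    if scr.is_file():
        found.append(str(scr))
    if sys32.is_dir():
        found.append(str(sys32))
    return found


def demo_file_check():
    """Build a constructed Windows tree containing both file indicators in a
    temporary directory, run the check, and return the paths found (relative)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "WINDOWS"
        (root / "SYSTEM").mkdir(parents=True)
        (root / "SYSTEM" / "EXPLORER.SCR").write_bytes(b"constructed sample")
        (root / "TEMP" / "sys32").mkdir(parents=True)
        return [str(Path(p).relative_to(root)) for p in find_file_indicators(root)]


if __name__ == "__main__":
    for key, name, data in find_run_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"Suspicious Run value: {key} -> \"{name}\" = {data}")
    for p in demo_file_check():
        print(f"File indicator present: {p}")
```

The script only reports; removal is still the manual sequence Tony describes (delete the Run value, restart, then delete the file and the sys32 folder), because the folder cannot be removed while the program is still running. Matching on the value name and on EXPLORER.SCR separately means a renamed value that still launches the same screensaver file is caught.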
-
With the RIAA hating file sharing as much as they do, I would not doubt that they paid a virus writer or two just to make these worms/viruses specially for file sharing apps like Kazaa/WinMX and the rest...
The RIAA is worried that people sharing files is cutting in to their profits...
------------------
end
-
I work in the engineering side of the music business and I've been told numerous times that there are many record company execs actively pursuing file sharing based viruses. They *really* want an exploit that will infect mp3s. In fact one President of a very well known Canadian record company told me personally that he's paid a couple of people to look into it.
As a side note I've also been told that the record companies are actively supporting Bell Sympatico Hispeed's recent decision to install bandwidth caps on their service to try and cut down on music downloads.
-
Thanks everyone for all your help! The worm is now dead! yippeeee!!! My computer is free of it and I couldn't have done it without your simple easy to follow directions! Thanks!
------------------
Leigh Ann (AttaGirl42)