It's all about the Benjamin

[[gg]Daedalus]

I got the Benjamin virus from Kazaa. I didn't know what it was, but I noticed my file transfers wen't from 60-100kps to 2-20kps.
Also, I noticed that my Kazaa "connected as" menu said I was sharing 4391 file, when I was only sharing 77. Ouch. System Suite 4.0 Anti virus showed nothing, so I did a little more investigation. I located some of the files supposedly shared, they were fake screen savers, all copies of the virus, mostly named as band names with a file extension .scr .exe
Yes, that many spaces included. It imbeds itself in to the temp folder in a sub folder called Sys32, therefore it won't be searched out by a usual Windows search. It can be deleted, and there seemed to be no trace of it. Until I noticed a very odd file running in the Task Manager. Explorer.scr was yet another clone of Benjamin. It was actually in C:\WINDOWS\SYSTEM! Deleted that one.

Things to watch out for:

A fuzzy Windows Media Player-Icon-bearing file
A huge sum of files being shared in Kazaa.
A second explorer running in task manager
The sys32 folder in C:\Windows\Temp with a lot of those fuzzy icons
A file that didn't work after download. Check Task Manager (CTRL-ALT-DELETE) for that same file running.

Make sure to download your latest virus definition packs for you AV software!

[posthumous_GRIN]

Originally posted by [gg]Daedalus
I got the Benjamin virus from Kazaa. I didn't know what it was, but I noticed my file transfers wen't from 60-100kps to 2-20kps.
Also, I noticed that my Kazaa "connected as" menu said I was sharing 4391 file, when I was only sharing 77. Ouch. System Suite 4.0 Anti virus showed nothing, so I did a little more investigation. I located some of the files supposedly shared, they were fake screen savers, all copies of the virus, mostly named as band names with a file extension .scr .exe
Yes, that many spaces included. It imbeds itself in to the temp folder in a sub folder called Sys32, therefore it won't be searched out by a usual Windows search. It can be deleted, and there seemed to be no trace of it. Until I noticed a very odd file running in the Task Manager. Explorer.scr was yet another clone of Benjamin. It was actually in C:\WINDOWS\SYSTEM! Deleted that one.

Things to watch out for:

A fuzzy Windows Media Player-Icon-bearing file
A huge sum of files being shared in Kazaa.
A second explorer running in task manager
The sys32 folder in C:\Windows\Temp with a lot of those fuzzy icons
A file that didn't work after download. Check Task Manager (CTRL-ALT-DELETE) for that same file running.

Make sure to download your latest virus definition packs for you AV software!

Ya, i got this nasty little bugger over the weekend as well. I may end up formatting at some point in the near future cause I never know whether I totally got rid of the thing and you could end up with problems down the line...oh well, this is the price you got to pay for free software i guess...

[[gg]Daedalus]

Actually I know for a fact it's gone. McAfee & SystemSuite4.0 both have updated their virus definitions recently. I use them both on different machines. I'm sure Symantec has updated too, but I don't use it anymore.

It's really not that malicious of a virus. I believe it's gone, but if you have that need to be sure, then go with it.

[bassman]

Nothing like a "always-running-fully-updated-scanning-everything" antivirus