kazaaworm.exe


Titch

I am trying to fix a PC for a customer.

Whenever a user logs onto their Windows XP profile a DOS box opens and
scrolls the message "im a worm! hehehe". In the window title bar is
"kazaaworm.exe".

There is a file in C:\Windows called kazaaworm.exe, which even when deleted
returns to this location.

Norton AV will not run now, taskbars have either disappeared, or do not show
running applications (need to use task manager to switch).

Have searched www.symantec.com and Google and there is NO reference to this
that I can see.

Can anyone out there help at all? If there is no fix out there and I need to
do a system rebuild then fine, but I would love to understand more about
this one first!!!!!

TIA

Jon

JABEL Computers
 
I have not heard of this one either, but here is what I would do: In XP go
to under Control Panel| System|System Restore and uncheck it. Click ok.
Reboot and start the computer in minimal mode. (the exact terminology
escapes me at the moment) then I would run a system scan w. NAV. following
whatever instructions there were for whatever it found. Reboot into xp and
scan again.
Also........ reaching for the bottom of the barrel, is this some type of
bot? Just for the heck of it I would run a currently updated copy of
Spybot.
Hopefully others will respond with more.
 
I found a bit out about it for you! The solution is here!--->
http://www.bitdefender.com/html/free_tools.php?menu_id=20&letter=&page=2 on
this page! hope this helps

<snip>

Kazaa Worm

By Becky Worley, Tech Live

A new worm is spreading through the KaZaA file-sharing service. Masquerading
as a media file, W32.Benjamin targets online music swappers.

Benjamin infects computers by converting them into KaZaA servers. The damage
is minimal: The virus alters the registry settings slightly and dumps a
folder called sys32 in the Windows temp file. That folder contains hundreds
of phony media files that harbor the virus. Other unsuspecting KaZaA users
who download files from an infected computer start the infection process all
over again. This exponential growth has security experts concerned.

The worm also redirects victims' computers to an ad server intended to make
money for the virus writers. The banner server was pulled as soon as its
owners realized the influx in traffic was virus-related.

So far Benjamin is working only on the KaZaA network and infection rates are
relatively low. Newsbytes.com reached Paul Komoszki, one of the writers of
the virus. Komoszki told the site that the worm is only targeting those who
try to download copyright material.

AC/DC and Metallica titles predominate in the fake file names, but child
porn titles are also scattered in. Komoszki says he and the other virus
writers believe that this type of virus may one day fight online child porn.

</snip>

Stephen
 
Duh! said:
I found a bit out about it for you! ...

I doubt it.

Benjamin is very old and very irrelevant in this case as just a few
moments cogitating over the descriptions of Benjamin and the OP's
description of what was observed clearly show...
... The solution is here!--->
http://www.bitdefender.com/html/free_tools.php?menu_id=20&letter=&page=2 on
this page! hope this helps

Actually, no. Aside from the fact that you seem to think Benjamin is
the malware in this case (which it certainly isn't), that URL points
to a list of specific fix-up tools that does not include a fixer for
Benjamin (at least, it does not _on that specific page of tools_).
<snip>

Kazaa Worm

By Becky Worley, Tech Live
<<big snip of hugely irrelevant drivel>>

Thank you for trying to play, but in future please leave helping to those
of us with the skills and knowledge to realize that just because a
question was about "kazaaworm.exe" and a Google search for "Kazaa worm"
turns up lots of hits for a worm known as "Benjamin" that this "must" be
the thing in question.
 
I don't know how much you know about windows registry. My suggestion would
be to look at some specific parts of your windows registry. In particular
the run and runservices clause/hive (?) within Windows under HKLM and HKCU.
Post anything that you think is suspicious here to let us know.
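
An added example, not part of any post in this thread: one way to review the Run and RunServices keys is to export them with `reg export` and list every value offline, rather than searching the registry for a single file name. The sample export, its entry names and the "runs from Windows root" review flag are constructed assumptions for illustration.

```python
import ntpath
import re

# Autostart keys named in the post above: Run and RunServices under HKLM and HKCU.
AUTOSTART = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft"
                       r"\\Windows\\CurrentVersion\\(Run|RunServices)$", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
EXE = re.compile(r'\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)|(\S+))', re.I)

# Constructed sample in `reg export` text format (real exports are UTF-16 files).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvTray"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /min"
"Updater"="C:\\WINDOWS\\updater32.exe /s"
"Expand"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Chat"="C:\\Program Files\\Chat\\chat.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Chat]
"DisplayName"="Chat"
"""

def unescape(text):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", text)

def autostart_entries(reg_text):
    """Return (key, name, command) for every value under the autostart keys."""
    entries, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if AUTOSTART.match(line[1:-1]) else None
        elif key and (m := VALUE.match(line)):
            data = m.group(2)
            is_string = len(data) >= 2 and data[0] == data[-1] == '"'
            # Non-string types (hex(2): and so on) are kept as None, not dropped
            entries.append((key, unescape(m.group(1)),
                            unescape(data[1:-1]) if is_string else None))
    return entries

def needs_review(entries, windir=r"C:\WINDOWS"):
    """Flag undecoded values and programs launched from the Windows root."""
    flagged = []
    for _key, name, command in entries:
        m = EXE.match(command or "")
        exe = next((g for g in m.groups() if g), "") if m else ""
        if command is None:
            flagged.append((name, "undecoded value type"))
        elif ntpath.normcase(ntpath.dirname(exe)) == ntpath.normcase(windir):
            flagged.append((name, "runs from Windows root"))
    return flagged
```

A flag here only marks an entry for a closer look; legitimate programs can also start from the Windows directory.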
 
Update:
1.Norton will not run from desktop - upon booting it doesn't load instead a
message comes up saying there may be hacker activity........
2. When I went into System Restore, message came up saying System Restore
could not start , try rebooting then run again (!) - so even if I wanted to
try a restore point it won't let us!!!!
3. Customer had Spybot installed - ran it again and nothing picked up.
4. Benjamin nothing to do with this (thanks anyway!)
5. Searched registry for "kazaaworm" - nothing at all comes up (bit
surprising as there is a file called kazaaworm.exe in C:\Windows folder)

More soon....

thanks all!

Jon
 
Titch said:
Update:
1.Norton will not run from desktop - upon booting it doesn't load instead a
message comes up saying there may be hacker activity........
2. When I went into System Restore, message came up saying System Restore
could not start , try rebooting then run again (!) - so even if I wanted to
try a restore point it won't let us!!!!
3. Customer had Spybot installed - ran it again and nothing picked up.
4. Benjamin nothing to do with this (thanks anyway!)
5. Searched registry for "kazaaworm" - nothing at all comes up (bit
surprising as there is a file called kazaaworm.exe in C:\Windows folder)

Send the kazaaworm.exe file to your preferred AV vendor(s) for analysis.
Here is a list of the suspicious file submission addresses of the better-
known AV developers:

Command Software <[email protected]>
Computer Associates (US) <[email protected]>
Computer Associates (Vet/EZ) <[email protected]>
DialogueScience (Dr. Web) <[email protected]>
Eset (NOD32) <[email protected]>
F-Secure Corp. <[email protected]>
Frisk Software (F-PROT) <[email protected]>
Grisoft (AVG) <[email protected]>
H+BEDV (AntiVir, Vexira engine) <[email protected]>
Kaspersky Labs <[email protected]>
Network Associates (McAfee) <[email protected]>
Norman (NVC) <[email protected]>
Sophos Plc. <[email protected]>
Symantec (Norton) <[email protected]>
Trend Micro (PC-cillin) <[email protected]>
(Trend may only accept files from users of its products)
 
Tried to turn off System Restore and got the following:
"System Restore encountered an error trying to enable/disable one or more
drives. Please restart your machine and try again.". Needless to say,
clicking OK, restarting and trying again makes no difference!!!!!

Can't access User Accounts - Window comes up but only the forward, back and
home buttons - nothing else, so can't create a new ID! Bugger!

Nothing I can see in the registry entries points to kazaaworm.exe!!!!!

NAVW32.EXE /L /VISIBLE does nothing from the RUN command!!!!!!

Can't uninstall Norton (to try a clean reinstall - clutching at straws
now!) - "The Windows Installer Service could not be accessed............"

I feel a total system rebuild coming on!

Thanks again for all your suggestions.

Jon

----------------------------------------------------------------------------
---------------------
Camford said:
I don't know how much you know about windows registry. My suggestion would
be to look at some specific parts of your windows registry. In particular
the run and runservices clause/hive (?) within Windows under HKLM and HKCU.
Post anything that you think is suspicious here to let us know.

Titch said:
I am trying to fix a PC for a customer.

Whenever a user logs onto their Windows XP profile a DOS box opens and
scrolls the message "im a worm! hehehe". In the window title bar is
"kazaaworm.exe".

There is a file in C:\Windows called kazaaworm.exe, which even when deleted
returns to this location.

Norton AV will not run now, taskbars have either disappeared, or do not show
running applications (need to use task manager to switch).

Have searched www.symantec.com and Google and there is NO reference to this
that I can see.

Can anyone out there help at all? If there is no fix out there and I need
 
Sent the kazaaworm.exe to Symantec - their response was that it was 'clean'.
I can only assume that there was more to this virus/trojan/whatever than
just this file alone.

For everyone's information, customer thinks the downloaded file was called
something like "Web Cam Viewer" - I will certainly be looking out for it!!!!

Anyway, system now fully restored and clean after Windows XP reinstall!

Thanks all
 
That is Symantec's standard automated report. Then about 2 days later
they will write and tell you it was a virus (G).

Heather
 