February 16th, 2007
mickjapa108

Hi all. Just found this. Don't know if it's relevant.

The Kazaa file-swapping network has been hit by another worm, just months after the first such attack, according to antivirus vendors.

Antivirus company Sophos said it had received several reports of the KWBot worm in the wild. KWBot appears to be the second worm to hit the Kazaa network, which fell prey to the Benjamin worm in May.

KWBot spreads in a similar way to Benjamin in that it alters Windows registry keys and then disguises itself as files that are likely to prove popular with file-swappers. It makes particular use of the names of movies and applications. When first executed, the worm copies itself to the Windows system folder as xplorer32.exe, said Sophos. It will then create two registry entries so that the copy is run each time Windows is started.

The worm may also allow attackers to gain control of an infected computer using commands transmitted over Internet Relay Chat, said Sophos.

Kazaa is not the only file-swapping network to have been targeted by virus writers. The Gnutella file-swapping network was hit by a proof-of-concept worm in February.

There have also been threats from other quarters. In April, a bug was found in the popular Winamp software for playing digital music files. The bug could allow an attacker to embed malicious code into an MP3 file, potentially damaging the user's PC and infecting other MP3s.

In addition, the music industry recently began planting "decoys" on free peer-to-peer services in its fight against online piracy, according to sources. This practice, known as "spoofing," entails the hiring of companies to distribute "decoy" files that are empty or do not work in order to frustrate would-be downloaders of movies and music.

Overpeer, a New York-based software firm funded by South Korea's SK Group, is understood to be one of the firms helping the industry disguise online files to thwart unauthorized swapping.

Examples of filenames used by the KWBot worm are:


Star Wars Episode 2 - Attack of the Clones VCD CD1.exe
Spiderman The Movie - The Game.exe
Grand Theft Auto 3 CD1 ISO.exe
ZoneAlarm Firewall Pro.exe
Windows XP Professional iso.exe
Unreal Tournament cracked (works on all servers).exe
University Study Guide (cheat sheet).exe
Quicken Pro 2002 iso.exe
Perl Ultimate Study Guide.exe
Office XP Corporate Ed. iso.exe
Norton Utilities 2002.exe
Microsoft Visual C++ 7.0 iso.exe
MCSE Ultimate Study Guide.exe
Max Payne full iso.exe
Macromedia Flash 5.exe
Kazaa Advertisement Ad remover.exe
DSL Anonymizer.exe
DoS Attacker.exe
DivX Codec 6.0 beta (codec only).exe
Credit Card number generator VERIFIER (cc cc#).exe
cows gone wild.exe
100 XXX Passwords (verified 3-24-02).exe

Sophos has a virus identity file that includes a fix for the KWBot virus here.

Peace.
__________________
mickjapa108

Last edited by mickjapa108; February 16th, 2007 at 09:00 AM.
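An added example, not part of the original post or of the Sophos fix: a small triage script for a file-sharing folder listing, built on the two traits the article describes (the `xplorer32.exe` copy name and lure names that advertise a disc image, video or document but end in an executable extension). The token list, the extension set and the sample listing are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Name the article gives for the worm's copy in the Windows system folder.
DROPPED_NAME = "xplorer32.exe"

# Assumption: tokens that advertise a disc image, video or document rather
# than a program. Chosen from the lure names quoted in the post.
CONTENT_CLAIM = re.compile(
    r"\b(iso|vcd|cd\d|codec|study guide|cheat sheet|passwords)\b", re.IGNORECASE)

# Assumption: extensions Windows runs directly on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def triage(path: str) -> list[str]:
    """Return the reasons one shared-folder entry deserves a closer look."""
    p = PureWindowsPath(path)
    reasons = []
    if p.name.lower() == DROPPED_NAME:
        reasons.append("dropped-copy name")
    if p.suffix.lower() in EXECUTABLE_EXTS and CONTENT_CLAIM.search(p.stem):
        reasons.append("content claim with executable extension")
    return reasons


def scan(listing: list[str]) -> dict[str, list[str]]:
    """Map each flagged path in a directory listing to its reasons."""
    return {path: r for path in listing if (r := triage(path))}


# Constructed sample listing: three names from the post, one constructed
# system-folder path, and two benign files.
SAMPLE = [
    "Grand Theft Auto 3 CD1 ISO.exe",
    "DivX Codec 6.0 beta (codec only).exe",
    "ZoneAlarm Firewall Pro.exe",
    r"C:\WINDOWS\system32\xplorer32.exe",
    "debian-netinst.iso",
    "setup.exe",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(f"{path}: {', '.join(reasons)}")
```

Note that `ZoneAlarm Firewall Pro.exe` passes unflagged: a lure that imitates a real installer looks legitimate by name alone, so a name check like this only narrows what to hand to an antivirus scan.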