Unsuspecting Kazaa users could be downloading more than free music: A new worm has infiltrated the file-sharing service.
Christened Benjamin by vendors of antivirus utilities, the worm surfaced last week but has affected very few systems. Although relatively harmless, it's noteworthy because it appears to be the first worm engineered to go after users of a specific file-sharing service. It apparently changes only a Kazaa user's file-sharing directory and replicates across the peer-to-peer network.
A representative of Sharman Networks (owner of Kazaa) acknowledged the worm's existence on Monday and said the company is "investigating the situation and preparing a statement."
Benjamin's authors appear to have specifically targeted Kazaa, says Kevin Haley, group product manager at Symantec Security Response. Last Wednesday, Symantec issued a virus definition update for its Norton AntiVirus utility so that it can detect Benjamin. Despite Kazaa's popularity -- Sharman's Web site claims more than 81 million downloads -- Benjamin remains rare, Haley says. Symantec says its worldwide customer base has reported fewer than 50 infections so far.
"This doesn't look like that big a deal," Haley says. "It's not in the top ten list." Symantec tracks all the latest viruses, and ranks the most widespread and damaging. Benjamin is neither.
It is, however, fascinating, Haley says. "There is some interesting social engineering here," he says.
Antivirus competitor McAfee has yet to update its virus signatures to recognize Benjamin. Since only a handful of users have reported infections -- and the payload isn't damaging -- the company is not issuing an emergency update, says April Goostree, virus research manager at McAfee.com. The company will add Benjamin to its regular virus update later this week, she says.
F-Secure released an alert about Benjamin, and is providing detection and protection in the newest version of its F-Secure Anti-Virus tool.
Kazaa users share files through the service's network, and that's how Benjamin spreads, Symantec's Haley says. It first creates a directory on an infected PC, and lists it as the source of files to be shared via Kazaa. Benjamin then populates the directory with files named after music and movie titles, he says.
When someone on the Kazaa network searches for similarly titled music or movie files, Kazaa may offer to connect them. The unsuspecting user downloads the worm and the process begins again.
The worm doesn't have a destructive payload, Haley says. In fact, its only function besides replication is that it tries to launch a browser window and visit a now-defunct Web site. The target site appears to have been an advertising site, and Symantec is looking into its origin, Haley says.
While Benjamin isn't the first worm or virus to impact file-sharing users, it does appear to be the first aimed at a specific service, Haley says. Kazaa's popularity made it an obvious target, he adds.
The worm is just the latest headache for Sharman Networks, which drew fire from users for its role in delivering unsolicited software for Brilliant Digital's new Altnet peer-to-peer service.