Virus Database


Worm.P2P.Benjamin.a

Description Worm.P2P.Benjamin.a

This worm uses the Kazaa file exchange P2P network to spread itself. The Kazaa network allows its users to exchange files with each other using the Kazaa client software. To learn more about the Kazaa network visit their site at: http://www.kazaa.com.
Benjamin is written in Borland Delphi and is approximately 216 Kb in size; it is compressed with the AsPack utility. The file size can vary greatly because the worm appends "dust" to the end of each file for masking.
Installation
First, the worm displays a false error report:

Benjamin then copies itself to the %WinDir%\SYSTEM directory as
EXPLORER.SCR
and creates two keys in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System-Service"="C:\WINDOWS\SYSTEM\EXPLORER.SCR"
[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="0065D7DB20008306B6A1"
The worm executes after system restarts.
Spreading
Spreading can most likely only take place if the KaZaa P2P client (software) is installed. Benjamin reads the system registry for information on the KaZaa client and creates the
%WinDir%\Temp\Sys32
directory, which it registers as a directory accessible to all KaZaa network users. It fills this directory with copies of itself under many different names taken from a list contained in the body of the worm.
Spreading occurs as follows. A "victim" searching for a file in the KaZaa network finds it in the list of accessible files on an already infected machine. Not suspecting a problem, the user downloads this file and opens it, thus infecting his or her own machine.
Effects
The worm opens the benjamin.xww.de Web-site to display an advertisement.


Formas.1146

Description Formas.1146

This is a relatively harmless non-memory resident parasitic virus. It searches for .COM-files, then writes itself to the end of the file. On Fridays, the virus "drops" letters on the screen, and then displays:
Ez aztán FORMÅS kis gép !?! ( lett )

Formula.Excel.Paix

Description Formula.Excel.Paix

This virus replicates in the same manner as other Excel viruses. It hooks system events (window activation - OnWindows) and copies its code to each sheet that is activated. On first start (when an infected sheet is first opened) the virus installs itself into the system: it registers its host file as an Add-In with the XLSHEET.XLA name in the current directory or in the C:\WINDOWS directory. On this request Excel automatically creates a new copy of the infected document (with the XLSHEET.XLA name), and on each subsequent start Excel loads and activates this Add-In, i.e. the virus code. As a result, once the infected Add-In has been created the virus is active the whole time Excel is running and infects all files that are opened or created.
The virus is of French origin (see the routine names below) but is able to infect and replicate under any localized version of Excel starting from version 4.
The virus has five routines: auto_ouvrir, activation_feuille, protect, !!!GO, auto_fermer. All of them (except !!!GO) call the infection routine. Depending on the system random counter (with a probability of 2%), the virus activates the trigger subroutine (which is placed in the !!!GO routine). The trigger routine hides all open tables and Excel elements (buttons, menus, status bar) and replaces the "Microsoft Excel" text at the top of the Excel window with the text: "Enfin la paix all"
It is not possible to detect and disinfect the virus by standard methods (entering Tools/Macro and looking for macros) because the virus sets the VeryHidden attribute for its macros. This attribute cannot be disabled from the Excel menus. To find and view the virus code it is necessary to write a special routine in Excel Basic (a macro routine).
As a result a user has no tools to detect this virus on his or her computer, and all known anti-virus programs are not able to detect it now. The virus can be found only by its traces:
- in the Tools/Add-Ins menu there is a reference to the XLSHEET file
- infected files contain the text strings:
Enfin la paix ...
!!!GO
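
One way to check a directory tree for the traces listed above (an added example, not part of the original description): it reports files named XLSHEET.XLA and files that contain both trace strings. The function names, the UTF-16LE variant of the strings and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Trace strings from the description; the first is a prefix (the page elides the rest).
TRACE_STRINGS = ("Enfin la paix", "!!!GO")
ADDIN_NAME = "XLSHEET.XLA"  # add-in file name given in the description

def find_traces(data):
    """Return the trace strings found in a file's raw bytes."""
    found = []
    for text in TRACE_STRINGS:
        # Assumption: strings may be stored as 8-bit or as UTF-16LE text.
        if text.encode("latin-1") in data or text.encode("utf-16-le") in data:
            found.append(text)
    return found

def scan_tree(root):
    """Map each suspicious path under root to its reasons (both strings required)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.upper() == ADDIN_NAME:
                reasons.append("add-in name")
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                data = b""  # unreadable: keep any name-based finding
            if len(find_traces(data)) == len(TRACE_STRINGS):
                reasons.append("trace strings")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Scan a temporary tree of constructed sample files (not real samples)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "budget.xls": b"\x09\x08header Enfin la paix all \x00!!!GO\x00",
            "wide.xls": "x!!!GO Enfin la paix".encode("utf-16-le"),
            "clean.xls": b"quarterly totals, GO team!!!",
            "XLSHEET.XLA": b"",  # read-only dummy used as partial protection
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

A file reported only for its name and not for the trace strings may be the protective dummy file rather than an infected Add-In.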

Partial protection can be achieved by creating a Read-Only dummy file with the XLSHEET.XLA name in the C:\WINDOWS directory. After that the virus will not be able to install its Add-In in the C:\WINDOWS directory. If it creates this Add-In in other directories, you should also create the same dummy XLSHEET.XLA file in those directories.

    Copyright © 2005 Virus-Database.com