The Web    Google
Virus Alert: New Worm Spreads Through KaZaA, IRC

Virus Alert: New Worm Spreads Through KaZaA, IRC
February 11, 2003

Anti-virus developer Panda Software on Tuesday reported the appearance of Kazoa.C, alias Gool, a new worm/Trojan programmed in Delphi that spreads through the popular file sharing application KaZaA and through the chat program IRC.

Kazoa.C/Gool impacts Windows XP/2000 Pro/NT/Me/98/95. When installed on the affected computer, it changes entries in the Windows Registry in order to ensure that it is run every time Windows is started up. Kazoa.C/Gool also opens a port (usually 31337) and sends out the IP address of the affected computer via the Internet, leaving the computer vulnerable to remote attacks. An attacker would be able to carry out the following actions on the affected computer:

  • Send messages
  • Hide the Taskbar that appears on the desktop
  • Delete the CMOS
  • Provoke an error in the computer
  • Use up memory
  • Handle and send files
  • Capture screens and keystrokes
  • Obtain data on the operating system and characteristics of the machine.

    Kazoa.C/Gool modifies the default shared file folder in the application KaZaA and creates a large number of files, which contain the worm's code, with names like Catherine Zeta Jones, Pamela Anderson, Sandra Bullock, Shakira or Pokemon.

    This worm tries to trick users into running these files by suggesting that they contain erotic photos, cracks for hacking operating systems etc. These files always have a double extension, but the real extension is .exe. If a computer is not configured to show all file extensions, these icons will be displayed as inoffensive jpg or .txt files. When the executable file is run (by double-clicking on the icon), Kazoa.C/Gool displays a screen.

    If this malicious code detects the presence of certain antivirus and security programs, it terminates them. Find out if your computer is infected by checking whether the following files are in the Windows system directory:


    Panda Software is giving this virus a very low threat rating. For technical details, visit this page.

    JS/Seeker-C Trojan Attempts to Disrupt IE

    JS/Seeker-C is a malicious script that attempts to modify Internet Explorer settings, such as the Start Page and Search setting, according to Sophos.

    It appears the script has been designed to do this to redirect traffic to Web sites (typically, but not limited to pornographic sites). The Trojan writes to registry values under:

    HKCU\Software\Microsoft\Internet Explorer.

    JS/Seeker-C does not forward itself to other users, but has to be deliberately installed on a Web site or forwarded via email from a malicious user.

    For removal instructions, visit this Sophos page.

    W32.Yalat.Worm Spreads via MAPI

    W32.Yalat.Worm attempts to spread by using MAPI and by copying itself to shared folders. It also attempts to stop the processes of some antivirus programs. However, the worm does not work as intended due to bugs in the code. For technical details, visit this Symantec page.

    W32.HLLW.Maax Worm Chooses File-Sharing Programs, E-mail to Spread

    Symantec is also reporting the appearance of the W32.HLLW.Maax worm, which uses several file-sharing programs and Microsoft Outlook to spread.

    The file-sharing programs include KaZaA, Morpheus, Edonkey, Grokster, Limewire and Bearware. The e-mail would have a subject chosen from a predetermined list and an attachment with a filename of Tca.exe.

    This worm attempts to terminate the processes of antivirus and security- related programs. It is written in Microsoft Visual Basic version 6 and is packed with UPX. Read the technical details here.

    Compiled by Esther Shein.

  • 4/13: Spybot-NLX Worm Has DDoS Abilities
  • Symantec Offers Enhanced Portal for Enterprises
  • 10/28: Backdoor.Futro a Server Program
  • 4/7: Rbot-AAF Worm Hits Network Shares
  • Outlook Express Bug; MSN IM Worm Detected
  • Critical Flaws Spoil Opera Tune
  • 11/8: IRC.Bifrut Trojan Lets Attacker In
  • How Long Must You Wait for an Anti-Virus Fix?
  • 3/7: Kelvir-B an Instant Messaging Worm
  • 6/9: Rbot.AF Uses NetBEUI Functions
  • Report Raps Cisco's Security
  • Compare Security Camera Products