The Kazaa Worm Virus -- Explorer.SCR
There is a nasty worm (virus) making its way through the Kazaa file sharing network.
On Friday, a friend called me up and told me that his "C drive" was full and that he couldn't do anything with his computer. So, I hopped in my car, drove over to his place, and cleaned up some temporary files on his system. I freed up about 400 meg or so on his C drive. Satisfied with the results, I went home.
The next day, he called me back with the same problem.
Oddly enough, he said the computer was left untouched since I left his house the previous night. So what happened to all the space I freed up? Suspicious of the problem, my friend's next question was, "do you think I have a virus?"
His skepticism grew deeper as he told me about the abnormally high CPU usage which was being reported under Windows 2000 -- especially since his computer was sitting idle without anything (supposed to be) running in the background.
So, I drove over to his house again. Sure enough, the C drive had only 2 meg free, and his CPU usage was moving up and down like a Yo-Yo. I decided to press CTRL + ALT + DEL on the machine to run Task Manager to see what programs were running.
Lo and behold -- Explorer.SCR was running, and it was actively eating up a good portion of CPU and memory resources. I didn't recognize the program name. My next thought was that (usually) any file ending in .SCR implies that the file is either a SCREEN SAVER or some sort of SCRIPT file. At any rate, his screen saver wasn't running.
I decided to locate the Explorer.SCR file, and noted its file date. It was only a few days old. While file dates don't really mean much (because any virus can "fake" a file date), the file in question was relatively new, and that made me extremely apprehensive.
My next step was to get on google.com and type "explorer.scr" into the search engine. Tip: Google is -- by far -- the most accurate search engine available. Even Yahoo uses it. You should, too.
Google gave me the results I was looking for -- Explorer.SCR was a Kazaa worm virus... which is also known as Worm.Kazaa.Benjamin, TROJ_FILLHDD.A, W32/Benjamin.worm, Benjamin, Kazaa Worm, BackDoor-AEG, Trojan.Filler, or W32/Kazoa.
Take your pick.
Through various links, I found out that the worm is received primarily through Kazaa, disguising itself as a list of music and video selections. When a Kazaa user (unknowingly) searches for and downloads one of the file titles replicated by the worm, it propagates and infects that system. Once an infected file is executed, users are presented with a bogus error message: "Access error #03A:94574: Invalid pointer operation. File possibly corrupted."
Regardless of the error message, the worm is actually hard at work replicating itself. F-Secure (an anti-virus web site) reports that the worm can replicate itself with about 2,000 erroneous file names. That translates to a lot of wasted disk space, since each file is approximately 216k in size.
That would explain why my friend's C drive kept filling up.
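The replication pattern described above (many differently named files that are all the same roughly 216k program) can be spotted on disk by grouping files by size and content hash. This is an added example, not part of the original article; the function names and the `min_copies` threshold are assumptions chosen for illustration.

```python
import hashlib
import os
from collections import defaultdict

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_replica_clusters(root, min_copies=5):
    """Return groups of byte-identical files that carry different names."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                by_size[os.path.getsize(path)].append(path)
            except OSError:
                continue  # unreadable or deleted while scanning
    clusters = []
    for size, paths in by_size.items():
        if size == 0 or len(paths) < min_copies:
            continue  # only hash size buckets crowded enough to matter
        by_hash = defaultdict(list)
        for path in paths:
            try:
                by_hash[sha256_of(path)].append(path)
            except OSError:
                continue
        for digest, same in by_hash.items():
            names = {os.path.basename(p).lower() for p in same}
            if len(same) >= min_copies and len(names) > 1:
                clusters.append({"sha256": digest, "size": size,
                                 "copies": len(same),
                                 "total_bytes": size * len(same),
                                 "paths": sorted(same)})
    return sorted(clusters, key=lambda c: c["total_bytes"], reverse=True)

if __name__ == "__main__":
    import sys
    # Pass the folder to inspect, e.g. the Temp\Sys32 directory named on this page.
    for c in find_replica_clusters(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{c['copies']} copies x {c['size']} bytes = {c['total_bytes']} bytes")
        print("  sha256:", c["sha256"])
        for p in c["paths"][:5]:
            print("  ", p)
```

A single cluster with hundreds of copies and media-style names is the signature to look for; legitimate duplicate files rarely appear in such numbers in one folder.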
Removal of the worm
For this version of the worm (and I'm sure there are many more different types of it yet to come), the first thing to do is to stop the worm from running on the system so it can be removed.
Stop the worm from running -- end the process: This is done by pressing CTRL + ALT + DEL on the keyboard. End the task on Explorer.SCR.
Kill the worm: Next, go to your Windows directory (Win9x/ME users: Windows\System; WinNT/2k/XP users: Winnt\System32). With the process stopped, you can now successfully remove the Explorer.SCR file from the system.
Option 1: Get a decent (free) virus scanner to finish the job (or, see Option #2 for details).
Option 2: Do it yourself using manual file deletion and registry editing (not for the faint of heart!).
First, remove the erroneous files:
Win9x/ME users: go to Windows\Temp, and delete the entire contents of the Sys32 directory.
WinNT/2k/XP users: go to Winnt\Temp, and delete the Sys32 directory.
Next, remove the worm from the registry: Run Regedit (Start -> Run -> regedit). Search for Explorer.SCR and remove any keys that contain it. When you quit the registry editor, your changes will be saved.
Close all programs and reboot your machine.
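Before deleting anything in Regedit, it helps to see every entry that mentions Explorer.SCR in one list. The following added example (not from the original article) searches a registry export saved from Regedit as a .reg file; the function names are hypothetical and the sample key and value names are constructed placeholders, not the worm's actual registry location.

```python
import re

KEY_RE = re.compile(r"^\[-?(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def load_reg_export(path):
    """Read a .reg export: version 5.00 files are UTF-16 with a BOM, REGEDIT4 files are ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def find_in_reg_export(text, needle="explorer.scr"):
    """Return (key, value_name, data) for each value whose name or data mentions needle."""
    needle = needle.lower()
    hits, key = [], None
    # Long hex: values continue onto the next line after a trailing backslash.
    text = re.sub(r"\\\r?\n\s*", "", text)
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
        if needle in name.lower() or needle in data.lower():
            hits.append((key, name, data))
    return hits

# Constructed sample export; the key and value names are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleKey\Placeholder]
"ExampleEntry"="C:\\WINNT\\System32\\Explorer.scr"
"Harmless"="C:\\Program Files\\App\\app.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_in_reg_export(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

For a real export, pass `load_reg_export("export.reg")` to `find_in_reg_export` and review each hit before removing it in Regedit.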
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!