Unsuspecting Kazaa users could be downloading more than free music — a new worm has infiltrated the file-sharing service.

Dubbed 'Benjamin' by vendors of antivirus utilities, the worm surfaced last week but has affected very few systems.

Although relatively harmless, it's noteworthy because it appears to be the first worm engineered to go after users of a specific file-sharing service.

But its effects apparently only stretch as far as changing a Kazaa user's file-sharing directory, and replicating across the peer-to-peer network.

A representative of Sharman Networks, owner of Kazaa, acknowledged the worm's existence on Monday and said the company is "investigating the situation and preparing a statement".

Benjamin's authors appear to have specifically targeted Kazaa, says Kevin Haley, group product manager at Symantec Security Response.

Last Wednesday Symantec issued a virus definition update for its Norton AntiVirus utility so that it can detect Benjamin.

Despite Kazaa's popularity — Sharman's website claims more than 81 million downloads — Benjamin remains rare, Haley says. Symantec says its worldwide customer base has reported fewer than 50 infections so far.

"This doesn't look like that big a deal," Haley says. "It's not in the top ten list." Symantec tracks all the latest viruses, and ranks the most widespread and damaging. Benjamin is neither.

It is, however, fascinating, Haley says. "There is some interesting social engineering here," he says.

Kazaa users share files through the service's network, and that's how Benjamin spreads, Haley says. It first creates a directory on an infected PC, and lists it as the source of files to be shared via Kazaa. Benjamin then populates the directory with files named after music and movie titles, he says.

When someone on the Kazaa network searches for similarly titled music or movie files, Kazaa may offer to connect them. The unsuspecting user downloads the worm and the process begins again.

The worm doesn't have a destructive payload, Haley says. In fact, its only function besides replication is that it tries to launch a browser window and visit a now-defunct website. The target site appears to have been an advertising site, and Symantec is looking into its origin, Haley says.