Pac is a new P2P (peer-to-peer) worm, backdoor and DoS (Denial of Service) attack tool. We received the first reports about it in the middle of February. The worm travels from one system to another as an EXE bundle that acts as a dropper. When the dropper is run, it activates the embedded P2P worm. The worm installs itself on the system as the file SYSTEM32.EXE and sets the hidden attribute on that file.
Disinfection & Removal
To remove the worm, it is enough to delete all its files from a hard drive.
To start its file during every Windows session, the worm creates the following startup keys for it in the Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemSAS" = "system32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemSAS" = "system32.exe"
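A read-only check for the two startup values listed above and for the hidden SYSTEM32.EXE file, as an added example (not F-Secure's tooling). The function names are hypothetical, and the directories searched are an assumption, since the description does not say where the file is placed.

```powershell
# Added triage example; it only reads and reports, it changes nothing on the host.
# Indicators taken from the description: value "SystemSAS" with data "system32.exe".
$valueName = 'SystemSAS'
$fileName  = 'system32.exe'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Get-PacRunEntry {
    # Emits one object per startup key that still carries the SystemSAS value.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # key may not exist on this system
        $prop = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            [pscustomobject]@{ Key = $key; Value = $valueName; Data = $prop.$valueName }
        }
    }
}

function Get-PacDroppedFile {
    # ASSUMPTION: the Run data is a bare file name, so the Windows and system
    # directories (both on the search path) are checked; the page names no folder.
    $dirs = @($env:SystemRoot, [Environment]::SystemDirectory) | Select-Object -Unique
    foreach ($dir in $dirs) {
        $path = Join-Path $dir $fileName
        # -Force is needed because the worm sets the hidden attribute on its file.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item -and -not $item.PSIsContainer) {
            [pscustomobject]@{
                Path   = $item.FullName
                Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                Size   = $item.Length
                SHA256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

$entries = @(Get-PacRunEntry)
$files   = @(Get-PacDroppedFile)
$entries | Format-List
$files   | Format-List
if ($entries.Count -or $files.Count) {
    Write-Output 'Indicators matching the description were found; review them before deleting anything.'
} else {
    Write-Output 'No SystemSAS startup value or system32.exe file found in the checked locations.'
}
```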
While active, the worm copies itself to the shared folders of the popular file-sharing clients Kazaa and iMesh under the following names:
Battlefield1942_bloodpatch.exe
Unreal2_bloodpatch.exe
UT2003_bloodpatch.exe
AquaNox2 Crack.exe
NBA2003_crack.exe
FIFA2003 crack.exe
C&C Generals_crack.exe
UT2003_keygen.exe
UT2003_no cd (crack).exe
Age of Empires 2 crack.exe
Anno 1503_crack.exe
C&C Renegade_crack.exe
Diablo 2 Crack.exe
Gothic 2 licence.exe
GTA 3 Crack.exe
GTA 3 patch (no cd).exe
Hitman_2_no_cd_crack.exe
Mafia_crack.exe
Neverwinter_Nights_licence.exe
NHL 2003 crack.exe
WarCraft_3_crack.exe
Splinter_Cell_Crack.exe
Battlefield1942_keygen.exe
Winamp 3.8.exe
MediaPlayer Update.exe
UT2003_patch.exe
ACDSee 5.5.exe
DivX Video Bundle 6.5.exe
Global DiVX Player 3.0.exe
QuickTime_Pro_Crack.exe
KaZaA Lite (New).exe
iMesh 3.7b (beta).exe
iMesh 3.6.exe
KaZaA Hack 2.5.0.exe
DirectDVD 5.0.exe
Flash MX crack (trial).exe
Ad-aware 6.5.exe
WinZip 9.0b.exe
SmartFTP 2.0.0.exe
ICQ Lite (new).exe
ICQ Pro 2003b (new beta).exe
ICQ Pro 2003a.exe
AOL Instant Messenger.exe
Download Accelerator Plus 6.1.exe
Trillian 0.85 (free).exe
MSN Messenger 5.2.exe
Network Cable e ADSL Speed 2.0.5.exe
mIRC 6.40.exe
GetRight 5.0a.exe
Pop-Up Stopper 3.5.exe
Yahoo Messenger 6.0.exe
KaZaA Speedup 3.6.exe
Nero Burning ROM crack.exe
WindowBlinds 4.0.exe
Animated Screen 7.0b.exe
Living Waterfalls 1.3.exe
Matrix Screensaver 1.5.exe
Popup Defender 6.5.exe
Space Invaders 1978.exe
SmartRipper v2.7.exe
TweakAll 3.8.exe
DVD Copy Plus v5.0.exe
Serials 2003 v.8.0 Full.exe
Zelda Classic 2.00.exe
Need 4 Speed crack.exe
Links 2003 Golf game (crack).exe
Netfast 1.8.exe
Guitar Chords Library 5.5.exe
DVD Region-Free 2.3.exe
Cool Edit Pro v2.55.exe
Coffee Cup Free HTML 7.0b.exe
Clone CD 184.108.40.206.exe
Clone CD 220.127.116.11 (crack).exe
Nimo CodecPack (new) 8.0.exe
Business Card Designer Plus 7.9.exe
Steinberg_WaveLab_5_crack.exe
Hot Babes XXX Screen Saver.exe
FreeRAM XP Pro 1.9.exe
IrfanView 4.5.exe
Audiograbber 2.05.exe
WinOnCD 4 PE_crack.exe
Final Fantasy VII XP Patch 1.5.exe
BabeFest 2003 ScreenSaver 1.5.exe
PalTalk 5.01b.exe
DirectX Buster (all versions).exe
DirectX InfoTool.exe
Unreal2_crack.exe
FlashGet 1.5.exe
Babylon 3.50b reg_crack.exe
mp3Trim PRO 2.5.exe
The worm changes the size of its files so that they match (to some extent, of course) the size of the software packages it tries to fake. Anyone connecting with a Kazaa or iMesh client to an infected computer will discover these fake files. If another person downloads and executes at least one of these files, that person's computer also becomes infected.
The worm has backdoor capabilities. It is controlled via a bot that the worm creates in a specific channel on an IRC server. A hacker can obtain system information, upload, download and execute files on an infected system, and update the worm's file to a newer version.
The worm can be used to perform a DoS (Denial of Service) attack. It can perform a SYN flood attack.
F-Secure Anti-Virus detects the worm with the latest updates.
Description Created: F-Secure Anti-Virus Research Team; February 18th, 2003