Threat Description

Pac

Details

Aliases: Pac, Trojan.Win32.Pac
Category: Malware
Type: Worm
Platform: W32

Summary



Pac is a new P2P (peer-to-peer) worm, backdoor and DoS (Denial of Service) attack tool. We got the first reports about it in the middle of February. The worm travels from one system to another as an EXE bundle that acts as a dropper. When the dropper is run, it activates the embedded P2P worm. The worm installs itself to the system as a file named SYSTEM32.EXE and sets the hidden attribute on that file.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



To remove the worm, it is enough to delete all of its files from the hard drive.

To start its file during every Windows session, the worm creates the following startup keys for it in the Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemSAS" = "system32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemSAS" = "system32.exe"
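A defender-side check for the persistence entries above, added here as an example and not part of the F-Secure description: it parses a constructed "reg export" of the two Run keys and flags any value named SystemSAS whose data points at a file called system32.exe (no standard Windows program carries that file name; the worm borrows the name of the system32 folder). The sample export, including the benign ctfmon.exe filler entry, is constructed for the example.

```python
import re
# Indicators from the advisory: the autostart value the worm writes and its file name.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
AUTOSTART_VALUE = "SystemSAS"
WORM_FILE = "system32.exe"

# Constructed sample "reg export" of the two keys on an infected host (ctfmon.exe line is benign filler).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemSAS"="system32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemSAS"="system32.exe"
'''
_VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')

def parse_reg_export(text):
    """Parse the subset of .reg syntax a Run-key export uses: [key] headers
    followed by "name"="data" lines. Returns {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def find_autostart_hits(text):
    """Return (key, name, data) for each Run/RunServices entry matching the worm's
    persistence. Registry key and value names are case-insensitive, so compare lowercased."""
    wanted = {k.lower(): k for k in AUTOSTART_KEYS}
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() in wanted:
            for name, data in values.items():
                # Data may be a bare name or a full path; compare the file name only.
                base = data.lower().replace("/", "\\").rsplit("\\", 1)[-1]
                if name.lower() == AUTOSTART_VALUE.lower() and base == WORM_FILE:
                    hits.append((wanted[key.lower()], name, data))
    return hits
```

On a live Windows host the same logic applies to the output of "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run" and the RunServices key.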


While active, the worm copies itself to the shared folders of the popular file-sharing clients Kazaa and iMesh under the following names:

Battlefield1942_bloodpatch.exe
Unreal2_bloodpatch.exe
UT2003_bloodpatch.exe
AquaNox2 Crack.exe
NBA2003_crack.exe
FIFA2003 crack.exe
C&C Generals_crack.exe
UT2003_keygen.exe
UT2003_no cd (crack).exe
Age of Empires 2 crack.exe
Anno 1503_crack.exe
C&C Renegade_crack.exe
Diablo 2 Crack.exe
Gothic 2 licence.exe
GTA 3 Crack.exe
GTA 3 patch (no cd).exe
Hitman_2_no_cd_crack.exe
Mafia_crack.exe
Neverwinter_Nights_licence.exe
NHL 2003 crack.exe
WarCraft_3_crack.exe
Splinter_Cell_Crack.exe
Battlefield1942_keygen.exe
Winamp 3.8.exe
MediaPlayer Update.exe
UT2003_patch.exe
ACDSee 5.5.exe
DivX Video Bundle 6.5.exe
Global DiVX Player 3.0.exe
QuickTime_Pro_Crack.exe
KaZaA Lite (New).exe
iMesh 3.7b (beta).exe
iMesh 3.6.exe
KaZaA Hack 2.5.0.exe
DirectDVD 5.0.exe
Flash MX crack (trial).exe
Ad-aware 6.5.exe
WinZip 9.0b.exe
SmartFTP 2.0.0.exe
ICQ Lite (new).exe
ICQ Pro 2003b (new beta).exe
ICQ Pro 2003a.exe
AOL Instant Messenger.exe
Download Accelerator Plus 6.1.exe
Trillian 0.85 (free).exe
MSN Messenger 5.2.exe
Network Cable e ADSL Speed 2.0.5.exe
mIRC 6.40.exe
GetRight 5.0a.exe
Pop-Up Stopper 3.5.exe
Yahoo Messenger 6.0.exe
KaZaA Speedup 3.6.exe
Nero Burning ROM crack.exe
WindowBlinds 4.0.exe
Animated Screen 7.0b.exe
Living Waterfalls 1.3.exe
Matrix Screensaver 1.5.exe
Popup Defender 6.5.exe
Space Invaders 1978.exe
SmartRipper v2.7.exe
TweakAll 3.8.exe
DVD Copy Plus v5.0.exe
Serials 2003 v.8.0 Full.exe
Zelda Classic 2.00.exe
Need 4 Speed crack.exe
Links 2003 Golf game (crack).exe
Netfast 1.8.exe
Guitar Chords Library 5.5.exe
DVD Region-Free 2.3.exe
Cool Edit Pro v2.55.exe
Coffee Cup Free HTML 7.0b.exe
Clone CD 5.0.0.3.exe
Clone CD 5.0.0.3 (crack).exe
Nimo CodecPack (new) 8.0.exe
Business Card Designer Plus 7.9.exe
Steinberg_WaveLab_5_crack.exe
Hot Babes XXX Screen Saver.exe
FreeRAM XP Pro 1.9.exe
IrfanView 4.5.exe
Audiograbber 2.05.exe
WinOnCD 4 PE_crack.exe
Final Fantasy VII XP Patch 1.5.exe
BabeFest 2003 ScreenSaver 1.5.exe
PalTalk 5.01b.exe
DirectX Buster (all versions).exe
DirectX InfoTool.exe
Unreal2_crack.exe
FlashGet 1.5.exe
Babylon 3.50b reg_crack.exe
mp3Trim PRO 2.5.exe


The worm pads its files so that their sizes roughly match those of the software packages they imitate. Anyone who connects to an infected computer with a Kazaa or iMesh client will see these fake files. If another person downloads and executes at least one of them, that person's computer also becomes infected.

The worm has backdoor capabilities. It is controlled through a bot that the worm creates in a specific channel on an IRC server. Through it a hacker can obtain system information, upload, download and execute files on the infected system, and update the worm's file to a newer version.

The worm can be used to perform a DoS (Denial of Service) attack. It can perform a SYN flood attack.

F-Secure Anti-Virus detects the worm with the latest updates.





Description Created: F-Secure Anti-Virus Research Team; February 18th, 2003
