Threat Description



Aliases: Pac, Trojan.Win32.Pac


Pac is a new P2P (peer-to-peer) worm, backdoor and DoS (Denial of Service) attack tool. We received the first reports of it in the middle of February. The worm travels from one system to another as an EXE bundle that acts as a dropper. When the dropper is run, it activates the embedded P2P worm. The worm installs itself on the system as a file named SYSTEM32.EXE and sets the hidden attribute on that file.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

To remove the worm, it is enough to delete all of its files from the hard drive.

To start its file during every Windows session, the worm creates the following startup keys for it in the Registry:

 "SystemSAS" = "system32.exe"

 "SystemSAS" = "system32.exe"

While active, the worm copies itself to the shared folders of the popular file-sharing clients Kazaa and iMesh under the following names:

 AquaNox2 Crack.exe
 FIFA2003 crack.exe
 C&C Generals_crack.exe
 UT2003_no cd (crack).exe
 Age of Empires 2 crack.exe
 Anno 1503_crack.exe
 C&C Renegade_crack.exe
 Diablo 2 Crack.exe
 Gothic 2 licence.exe
 GTA 3 Crack.exe
 GTA 3 patch (no cd).exe
 NHL 2003 crack.exe
 Winamp 3.8.exe
 MediaPlayer Update.exe
 ACDSee 5.5.exe
 DivX Video Bundle 6.5.exe
 Global DiVX Player 3.0.exe
 KaZaA Lite (New).exe
 iMesh 3.7b (beta).exe
 iMesh 3.6.exe
 KaZaA Hack 2.5.0.exe
 DirectDVD 5.0.exe
 Flash MX crack (trial).exe
 Ad-aware 6.5.exe
 WinZip 9.0b.exe
 SmartFTP 2.0.0.exe
 ICQ Lite (new).exe
 ICQ Pro 2003b (new beta).exe
 ICQ Pro 2003a.exe
 AOL Instant Messenger.exe
 Download Accelerator Plus 6.1.exe
 Trillian 0.85 (free).exe
 MSN Messenger 5.2.exe
 Network Cable e ADSL Speed 2.0.5.exe
 mIRC 6.40.exe
 GetRight 5.0a.exe
 Pop-Up Stopper 3.5.exe
 Yahoo Messenger 6.0.exe
 KaZaA Speedup 3.6.exe
 Nero Burning ROM crack.exe
 WindowBlinds 4.0.exe
 Animated Screen 7.0b.exe
 Living Waterfalls 1.3.exe
 Matrix Screensaver 1.5.exe
 Popup Defender 6.5.exe
 Space Invaders 1978.exe
 SmartRipper v2.7.exe
 TweakAll 3.8.exe
 DVD Copy Plus v5.0.exe
 Serials 2003 v.8.0 Full.exe
 Zelda Classic 2.00.exe
 Need 4 Speed crack.exe
 Links 2003 Golf game (crack).exe
 Netfast 1.8.exe
 Guitar Chords Library 5.5.exe
 DVD Region-Free 2.3.exe
 Cool Edit Pro v2.55.exe
 Coffee Cup Free HTML 7.0b.exe
 Clone CD
 Clone CD (crack).exe
 Nimo CodecPack (new) 8.0.exe
 Business Card Designer Plus 7.9.exe
 Hot Babes XXX Screen Saver.exe
 FreeRAM XP Pro 1.9.exe
 IrfanView 4.5.exe
 Audiograbber 2.05.exe
 WinOnCD 4 PE_crack.exe
 Final Fantasy VII XP Patch 1.5.exe
 BabeFest 2003 ScreenSaver 1.5.exe
 PalTalk 5.01b.exe
 DirectX Buster (all versions).exe
 DirectX InfoTool.exe
 FlashGet 1.5.exe
 Babylon 3.50b reg_crack.exe
 mp3Trim PRO 2.5.exe

The worm changes the size of its files so that they roughly match the size of the software packages it tries to fake. Anyone connecting to an infected computer with a Kazaa or iMesh client will discover these fake files. If another person downloads and executes at least one of these files, that person's computer also becomes infected.
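A triage sketch for the size-faking behaviour described above, added here as an example (not F-Secure's code): copies with altered sizes no longer share a whole-file hash, so it groups `.exe` files in a share folder by a hash of their leading bytes instead. It assumes the size change leaves the first 4096 bytes of each copy identical; the function names, thresholds and file contents are constructed, and the three lure names are taken from the list above.

```python
import hashlib
import os
import sys
import tempfile
from collections import defaultdict

HEAD_BYTES = 4096  # assumption: copies keep identical leading bytes, padding follows
MIN_COPIES = 3     # assumption: report once this many differently named files match


def find_padded_clones(share_dir, head_bytes=HEAD_BYTES, min_copies=MIN_COPIES):
    """Group .exe files by a hash of their first head_bytes; return groups whose sizes differ."""
    groups = defaultdict(list)
    for entry in os.scandir(share_dir):
        if not entry.is_file() or not entry.name.lower().endswith(".exe"):
            continue
        size = entry.stat().st_size
        if size < head_bytes:
            continue  # too short to fill the comparison window
        with open(entry.path, "rb") as fh:
            digest = hashlib.sha256(fh.read(head_bytes)).hexdigest()
        groups[digest].append((entry.name, size))
    suspicious = []
    for members in groups.values():
        # Same leading bytes, several names, differing sizes: whole-file hashes would all differ.
        if len(members) >= min_copies and len({s for _, s in members}) > 1:
            suspicious.append(sorted(members))
    return sorted(suspicious)


def demo():
    """Scan a constructed share folder: three padded copies plus one unrelated file."""
    body = b"MZ" + bytes(range(256)) * 16  # constructed 4098-byte stand-in, not malware
    samples = {
        "Diablo 2 Crack.exe": body + b"\0" * 1000,
        "Winamp 3.8.exe": body + b"\0" * 70000,
        "WinZip 9.0b.exe": body + b"\0" * 300,
        "unrelated.exe": b"MZ" + b"\x90" * 5000,
    }
    with tempfile.TemporaryDirectory() as share:
        for name, data in samples.items():
            with open(os.path.join(share, name), "wb") as fh:
                fh.write(data)
        return find_padded_clones(share)


if __name__ == "__main__":
    for group in find_padded_clones(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print("same leading bytes, different sizes:", group)
```

A reported group is a lead for closer inspection rather than a verdict, since legitimate installers built from a common stub can also share their leading bytes.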

The worm has backdoor capabilities. It is controlled through a bot that the worm creates in a specific channel on an IRC server. A hacker can obtain system information, upload, download and execute files on an infected system, and update the worm's file to a newer version.

The worm can be used to perform a DoS (Denial of Service) attack. It can perform a SYN flood attack.

F-Secure Anti-Virus detects the worm with the latest updates.

Description Created: F-Secure Anti-Virus Research Team; February 18th, 2003

