Category :


Type :


Aliases :

Pac, Trojan.Win32.Pac


Pac is a new P2P (peer-to-peer) worm, backdoor and DoS (Denial of Service) attack tool. We got first reports about it in the middle of February. The worm travels from one system to another as a EXE bundle that acts as a dropper. When the dropper is run, it activates the embedded P2P worm. The worm installs itself to system as SYSTEM32.EXE file. It sets a hidden attribute to its file.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

To remove the worm it's enough to delete all its files from a hard drive.

To start its file during every Windows session, the worm creates the following startup keys for it in the Registry:

"SystemSAS" = "system32.exe"
"SystemSAS" = "system32.exe"

Being active the worm copies itself to shared folders of popular file sharing clients Kazaa and iMesh with the following name:

AquaNox2 Crack.exe
FIFA2003 crack.exe
C&C; Generals_crack.exe
UT2003_no cd (crack).exe
Age of Empires 2 crack.exe
Anno 1503_crack.exe
C&C; Renegade_crack.exe
Diablo 2 Crack.exe
Gothic 2 licence.exe
GTA 3 Crack.exe
GTA 3 patch (no cd).exe
NHL 2003 crack.exe
Winamp 3.8.exe
MediaPlayer Update.exe
ACDSee 5.5.exe
DivX Video Bundle 6.5.exe
Global DiVX Player 3.0.exe
KaZaA Lite (New).exe
iMesh 3.7b (beta).exe
iMesh 3.6.exe
KaZaA Hack 2.5.0.exe
DirectDVD 5.0.exe
Flash MX crack (trial).exe
Ad-aware 6.5.exe
WinZip 9.0b.exe
SmartFTP 2.0.0.exe
ICQ Lite (new).exe
ICQ Pro 2003b (new beta).exe
ICQ Pro 2003a.exe
AOL Instant Messenger.exe
Download Accelerator Plus 6.1.exe
Trillian 0.85 (free).exe
MSN Messenger 5.2.exe
Network Cable e ADSL Speed 2.0.5.exe
mIRC 6.40.exe
GetRight 5.0a.exe
Pop-Up Stopper 3.5.exe
Yahoo Messenger 6.0.exe
KaZaA Speedup 3.6.exe
Nero Burning ROM crack.exe
WindowBlinds 4.0.exe
Animated Screen 7.0b.exe
Living Waterfalls 1.3.exe
Matrix Screensaver 1.5.exe
Popup Defender 6.5.exe
Space Invaders 1978.exe
SmartRipper v2.7.exe
TweakAll 3.8.exe
DVD Copy Plus v5.0.exe
Serials 2003 v.8.0 Full.exe
Zelda Classic 2.00.exe
Need 4 Speed crack.exe
Links 2003 Golf game (crack).exe
Netfast 1.8.exe
Guitar Chords Library 5.5.exe
DVD Region-Free 2.3.exe
Cool Edit Pro v2.55.exe
Coffee Cup Free HTML 7.0b.exe
Clone CD
Clone CD (crack).exe
Nimo CodecPack (new) 8.0.exe
Business Card Designer Plus 7.9.exe
Hot Babes XXX Screen Saver.exe
FreeRAM XP Pro 1.9.exe
IrfanView 4.5.exe
Audiograbber 2.05.exe
WinOnCD 4 PE_crack.exe
Final Fantasy VII XP Patch 1.5.exe
BabeFest 2003 ScreenSaver 1.5.exe
PalTalk 5.01b.exe
DirectX Buster (all versions).exe
DirectX InfoTool.exe
FlashGet 1.5.exe
Babylon 3.50b reg_crack.exe
mp3Trim PRO 2.5.exe

The worm changes the size of its files to make them match (to some extent of course) the size of software packages it tries to fake. Anyone connecting with Kazaa or iMesh client to an infected computer will discover these fake files. If at least one of these files is downloaded and executed by another person, his computer also becomes infected.

The worm has backdoor capabilities. It is controlled via a bot that the worm creates in the specific channel on an IRC server. A hacker can obtain system information, upload, download, execute files on an infected system and update the worm's file to a newer version.

The worm can be used to perform a DoS (Denial of Service) attack. It can perform a SYN flood attack.

F-Secure Anti-Virus detects the worm with the latest updates.