Threat description




Pac is a new P2P (peer-to-peer) worm, backdoor and DoS (Denial of Service) attack tool. We got first reports about it in the middle of February. The worm travels from one system to another as a EXE bundle that acts as a dropper. When the dropper is run, it activates the embedded P2P worm. The worm installs itself to system as SYSTEM32.EXE file. It sets a hidden attribute to its file.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

To remove the worm it's enough to delete all its files from a hard drive.

To start its file during every Windows session, the worm creates the following startup keys for it in the Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]  "SystemSAS" = "system32.exe"   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]  "SystemSAS" = "system32.exe"   

Being active the worm copies itself to shared folders of popular file sharing clients Kazaa and iMesh with the following name:

Battlefield1942_bloodpatch.exe  Unreal2_bloodpatch.exe  UT2003_bloodpatch.exe  AquaNox2 Crack.exe  NBA2003_crack.exe  FIFA2003 crack.exe  C&C Generals_crack.exe  UT2003_keygen.exe  UT2003_no cd (crack).exe  Age of Empires 2 crack.exe  Anno 1503_crack.exe  C&C Renegade_crack.exe  Diablo 2 Crack.exe  Gothic 2 licence.exe  GTA 3 Crack.exe  GTA 3 patch (no cd).exe  Hitman_2_no_cd_crack.exe  Mafia_crack.exe  Neverwinter_Nights_licence.exe  NHL 2003 crack.exe  WarCraft_3_crack.exe  Splinter_Cell_Crack.exe  Battlefield1942_keygen.exe  Winamp 3.8.exe  MediaPlayer Update.exe  UT2003_patch.exe  ACDSee 5.5.exe  DivX Video Bundle 6.5.exe  Global DiVX Player 3.0.exe  QuickTime_Pro_Crack.exe  KaZaA Lite (New).exe  iMesh 3.7b (beta).exe  iMesh 3.6.exe  KaZaA Hack 2.5.0.exe  DirectDVD 5.0.exe  Flash MX crack (trial).exe  Ad-aware 6.5.exe  WinZip 9.0b.exe  SmartFTP 2.0.0.exe  ICQ Lite (new).exe  ICQ Pro 2003b (new beta).exe  ICQ Pro 2003a.exe  AOL Instant Messenger.exe  Download Accelerator Plus 6.1.exe  Trillian 0.85 (free).exe  MSN Messenger 5.2.exe  Network Cable e ADSL Speed 2.0.5.exe  mIRC 6.40.exe  GetRight 5.0a.exe  Pop-Up Stopper 3.5.exe  Yahoo Messenger 6.0.exe  KaZaA Speedup 3.6.exe  Nero Burning ROM crack.exe  WindowBlinds 4.0.exe  Animated Screen 7.0b.exe  Living Waterfalls 1.3.exe  Matrix Screensaver 1.5.exe  Popup Defender 6.5.exe  Space Invaders 1978.exe  SmartRipper v2.7.exe  TweakAll 3.8.exe  DVD Copy Plus v5.0.exe  Serials 2003 v.8.0 Full.exe  Zelda Classic 2.00.exe  Need 4 Speed crack.exe  Links 2003 Golf game (crack).exe  Netfast 1.8.exe  Guitar Chords Library 5.5.exe  DVD Region-Free 2.3.exe  Cool Edit Pro v2.55.exe  Coffee Cup Free HTML 7.0b.exe  Clone CD  Clone CD (crack).exe  Nimo CodecPack (new) 8.0.exe  Business Card Designer Plus 7.9.exe  Steinberg_WaveLab_5_crack.exe  Hot Babes XXX Screen Saver.exe  FreeRAM XP Pro 1.9.exe  IrfanView 4.5.exe  Audiograbber 2.05.exe  WinOnCD 4 PE_crack.exe  Final Fantasy VII XP Patch 1.5.exe  BabeFest 2003 ScreenSaver 1.5.exe  PalTalk 5.01b.exe  DirectX Buster (all versions).exe  DirectX InfoTool.exe  Unreal2_crack.exe  FlashGet 1.5.exe  Babylon 3.50b reg_crack.exe  mp3Trim PRO 2.5.exe   

The worm changes the size of its files to make them match (to some extent of course) the size of software packages it tries to fake. Anyone connecting with Kazaa or iMesh client to an infected computer will discover these fake files. If at least one of these files is downloaded and executed by another person, his computer also becomes infected.

The worm has backdoor capabilities. It is controlled via a bot that the worm creates in the specific channel on an IRC server. A hacker can obtain system information, upload, download, execute files on an infected system and update the worm's file to a newer version.

The worm can be used to perform a DoS (Denial of Service) attack. It can perform a SYN flood attack.

F-Secure Anti-Virus detects the worm with the latest updates.

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info