Jan 16

W32.Pandem.B.Worm

By admin
Add comments
Virus
 
9 views

Name W32.Pandem.B.
Type
Affected Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Risk Level 2: Low
Discovered August 19, 2003
Update February 13, 2007 12:05:20 PM
Length
Info W32.Pandem.B. is an Internet that is written in C and is packed with PEBundle.

This attempts to spread using the following methods:

  • By email, it sends itself to the contacts in the Microsoft Outlook Address Book, with the following message:

    From: support@microsoft.com
    Subject: Microsoft Security Bulletin
    Message:
    Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)

    Summary
    Who should read this bulletin: Customers using Microsoft Windows 95,98,2K,ME,XP
    Impact of vulnerability: Run code of an attacker’s choice

    Maximum Severity Rating: Critical

    Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should apply the patch immediately.

    Attachment: patch.zip or patch_329390.exe

  • Through file-sharing applications, including KaZaA, Morpheus, eDonkey, Grokster, LimeWire, GNucleus, BearShare, Direct Connect, and ICQ: By placing itself in their default shared folders, if the programs are installed.
  • By using DCC, the sends in IRC.

The sends a notification to its author when a host is infected and listens on port 61282 for a connection.

NOTE: definitions dated prior to August 21, 2003 may detect this threat as W32.Squirm@mm.

The may drop the following files:

  • C:\Program Files\Gnucleus\Downloads\Incoming\ICQ Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\ICQ Hack.Exe
  • C:\Program Files\KMD\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Bearshare\Shared\ICQ Hack.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Kazaa\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Morpheus\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Edonkey2000\Incoming\ICQ Hack.Exe
  • C:\Program Files\Direct Connect\Received Files\ICQ Hack.Exe
  • C:\Program Files\Grokster\My Grokster\ICQ Hack.Exe
  • C:\Program Files\Limewire\Shared\ICQ Hack.Exe
  • C:\Program Files\Icq\Shared Files\ICQ Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Connection Booster.Exe
  • C:\Program Files\Gnucleus\Downloads\Connection Booster.Exe
  • C:\Program Files\KMD\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Bearshare\Shared\Connection Booster.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Edonkey2000\Incoming\Connection Booster.Exe
  • C:\Program Files\Direct Connect\Received Files\Connection Booster.Exe
  • C:\Program Files\Grokster\My Grokster\Connection Booster.Exe
  • C:\Program Files\Limewire\Shared\Connection Booster.Exe
  • C:\Program Files\Icq\Shared Files\Connection Booster.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Serials Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Serials Collections.Exe
  • C:\Program Files\KMD\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Bearshare\Shared\Serials Collections.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Edonkey2000\Incoming\Serials Collections.Exe
  • C:\Program Files\Direct Connect\Received Files\Serials Collections.Exe
  • C:\Program Files\Grokster\My Grokster\Serials Collections.Exe
  • C:\Program Files\Limewire\Shared\Serials Collections.Exe
  • C:\Program Files\Icq\Shared Files\Serials Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Hotmail Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\Hotmail Hack.Exe
  • C:\Program Files\KMD\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Bearshare\Shared\Hotmail Hack.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Edonkey2000\Incoming\Hotmail Hack.Exe
  • C:\Program Files\Direct Connect\Received Files\Hotmail Hack.Exe
  • C:\Program Files\Grokster\My Grokster\Hotmail Hack.Exe
  • C:\Program Files\Limewire\Shared\Hotmail Hack.Exe
  • C:\Program Files\Icq\Shared Files\Hotmail Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Norton Keygen-All Vers.Exe
  • C:\Program Files\Gnucleus\Downloads\Norton Keygen-All Vers.Exe
  • C:\Program Files\KMD\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Bearshare\Shared\Norton Keygen-All Vers.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Edonkey2000\Incoming\Norton Keygen-All Vers.Exe
  • C:\Program Files\Direct Connect\Received Files\Norton Keygen-All Vers.Exe
  • C:\Program Files\Grokster\My Grokster\Norton Keygen-All Vers.Exe
  • C:\Program Files\Limewire\Shared\Norton Keygen-All Vers.Exe
  • C:\Program Files\Icq\Shared Files\Norton Keygen-All Vers.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Hacker.Scr
  • C:\Program Files\Gnucleus\Downloads\Hacker.Scr
  • C:\Program Files\KMD\My Shared Folder\Hacker.Scr
  • C:\Program Files\Bearshare\Shared\Hacker.Scr
  • C:\Program Files\Kazaa Lite\My Shared Folder\Hacker.Scr
  • C:\Program Files\Kazaa\My Shared Folder\Hacker.Scr
  • C:\Program Files\Morpheus\My Shared Folder\Hacker.Scr
  • C:\Program Files\Edonkey2000\Incoming\Hacker.Scr
  • C:\Program Files\Direct Connect\Received Files\Hacker.Scr
  • C:\Program Files\Grokster\My Grokster\Hacker.Scr
  • C:\Program Files\Limewire\Shared\Hacker.Scr
  • C:\Program Files\Icq\Shared Files\Hacker.Scr
  • C:\Program Files\Gnucleus\Downloads\Incoming\Credit Card.Exe
  • C:\Program Files\Gnucleus\Downloads\Credit Card.Exe
  • C:\Program Files\KMD\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Bearshare\Shared\Credit Card.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Edonkey2000\Incoming\Credit Card.Exe
  • C:\Program Files\Direct Connect\Received Files\Credit Card.Exe
  • C:\Program Files\Grokster\My Grokster\Credit Card.Exe
  • C:\Program Files\Limewire\Shared\Credit Card.Exe
  • C:\Program Files\Icq\Shared Files\Credit Card.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Edonkey2000\Incoming\Cracks Collections.Exe
  • C:\Program Files\Direct Connect\Received Files\Cracks Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Cracks Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Cracks Collections.Exe
  • C:\Program Files\KMD\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Bearshare\Shared\Cracks Collections.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Grokster\My Grokster\Cracks Collections.Exe
  • C:\Program Files\Limewire\Shared\Cracks Collections.Exe
  • C:\Program Files\Icq\Shared Files\Cracks Collecions.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Simpsons.Exe
  • C:\Program Files\Gnucleus\Downloads\Simpsons.Exe
  • C:\Program Files\KMD\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Bearshare\Shared\Simpsons.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Edonkey2000\Incoming\Simpsons.Exe
  • C:\Program Files\Direct Connect\Received Files\Simpsons.Exe
  • C:\Program Files\Grokster\My Grokster\Simpsons.Exe
  • C:\Program Files\Limewire\Shared\Simpsons.Exe
  • C:\Program Files\Icq\Shared Files\Simpsons.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\XXX Virtual Sex.Scr
  • C:\Program Files\Gnucleus\Downloads\XXX Virtual Sex.Scr
  • C:\Program Files\KMD\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Bearshare\Shared\XXX Virtual Sex.Scr
  • C:\Program Files\Kazaa Lite\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Kazaa\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Morpheus\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Edonkey2000\Incoming\XXX Virtual Sex.Scr
  • C:\Program Files\Direct Connect\Received Files\XXX Virtual Sex.Scr
  • C:\Program Files\Grokster\My Grokster\XXX Virtual Sex.Scr
  • C:\Program Files\Limewire\Shared\XXX Virtual Sex.Scr
  • C:\Program Files\Icq\Shared Files\XXX Virtual Sex.Scr
  • C:\Program Files\Gnucleus\Downloads\Incoming\Cracker Game.Exe
  • C:\Program Files\Gnucleus\Downloads\Cracker Game.Exe
  • C:\Program Files\KMD\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Bearshare\Shared\Cracker Game.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Edonkey2000\Incoming\Cracker Game.Exe
  • C:\Program Files\Direct Connect\Received Files\Cracker Game.Exe
  • C:\Program Files\Grokster\My Grokster\Cracker Game.Exe
  • C:\Program Files\Limewire\Shared\Cracker Game.Exe
  • C:\Program Files\Icq\Shared Files\Cracker Game.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Matrix Reloaded.Scr
  • C:\Program Files\Gnucleus\Downloads\Matrix Reloaded.Scr
  • C:\Program Files\KMD\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Bearshare\Shared\Matrix Reloaded.Scr
  • C:\Program Files\Kazaa Lite\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Kazaa\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Morpheus\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Edonkey2000\Incoming\Matrix Reloaded.Scr
  • C:\Program Files\Direct Connect\Received Files\Matrix Reloaded.Scr
  • C:\Program Files\Grokster\My Grokster\Matrix Reloaded.Scr
  • C:\Program Files\Limewire\Shared\Matrix Reloaded.Scr
  • C:\Program Files\Icq\Shared Files\Matrix Reloaded.Scr
Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 – 49
  • Number of Sites: 0 – 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: John Canavan
Details >W32.Pandem.B.Worm
convert this post to pdf. Tags: ,

Related Virus

"Free Scan W32.Pandem.B.Worm

Print This Virus article Print This Virus article

This entry was posted on Wednesday, January 16th, 2008 at 5:06 am and is filed under Virus. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Comment

You must be logged in to post a comment.