Pac is a new P2P (peer-to-peer) worm, backdoor and DoS (Denial of Service) attack tool. We got first reports about it in the middle of February. The worm travels from one system to another as a EXE bundle that acts as a dropper. When the dropper is run, it activates the embedded P2P worm. The worm installs itself to system as SYSTEM32.EXE file. It sets a hidden attribute to its file.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
To remove the worm it's enough to delete all its files from a hard drive.
To start its file during every Windows session, the worm creates the following startup keys for it in the Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SystemSAS" = "system32.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "SystemSAS" = "system32.exe"
Being active the worm copies itself to shared folders of popular file sharing clients Kazaa and iMesh with the following name:
Battlefield1942_bloodpatch.exe Unreal2_bloodpatch.exe UT2003_bloodpatch.exe AquaNox2 Crack.exe NBA2003_crack.exe FIFA2003 crack.exe C&C; Generals_crack.exe UT2003_keygen.exe UT2003_no cd (crack).exe Age of Empires 2 crack.exe Anno 1503_crack.exe C&C; Renegade_crack.exe Diablo 2 Crack.exe Gothic 2 licence.exe GTA 3 Crack.exe GTA 3 patch (no cd).exe Hitman_2_no_cd_crack.exe Mafia_crack.exe Neverwinter_Nights_licence.exe NHL 2003 crack.exe WarCraft_3_crack.exe Splinter_Cell_Crack.exe Battlefield1942_keygen.exe Winamp 3.8.exe MediaPlayer Update.exe UT2003_patch.exe ACDSee 5.5.exe DivX Video Bundle 6.5.exe Global DiVX Player 3.0.exe QuickTime_Pro_Crack.exe KaZaA Lite (New).exe iMesh 3.7b (beta).exe iMesh 3.6.exe KaZaA Hack 2.5.0.exe DirectDVD 5.0.exe Flash MX crack (trial).exe Ad-aware 6.5.exe WinZip 9.0b.exe SmartFTP 2.0.0.exe ICQ Lite (new).exe ICQ Pro 2003b (new beta).exe ICQ Pro 2003a.exe AOL Instant Messenger.exe Download Accelerator Plus 6.1.exe Trillian 0.85 (free).exe MSN Messenger 5.2.exe Network Cable e ADSL Speed 2.0.5.exe mIRC 6.40.exe GetRight 5.0a.exe Pop-Up Stopper 3.5.exe Yahoo Messenger 6.0.exe KaZaA Speedup 3.6.exe Nero Burning ROM crack.exe WindowBlinds 4.0.exe Animated Screen 7.0b.exe Living Waterfalls 1.3.exe Matrix Screensaver 1.5.exe Popup Defender 6.5.exe Space Invaders 1978.exe SmartRipper v2.7.exe TweakAll 3.8.exe DVD Copy Plus v5.0.exe Serials 2003 v.8.0 Full.exe Zelda Classic 2.00.exe Need 4 Speed crack.exe Links 2003 Golf game (crack).exe Netfast 1.8.exe Guitar Chords Library 5.5.exe DVD Region-Free 2.3.exe Cool Edit Pro v2.55.exe Coffee Cup Free HTML 7.0b.exe Clone CD 5.0.0.3.exe Clone CD 5.0.0.3 (crack).exe Nimo CodecPack (new) 8.0.exe Business Card Designer Plus 7.9.exe Steinberg_WaveLab_5_crack.exe Hot Babes XXX Screen Saver.exe FreeRAM XP Pro 1.9.exe IrfanView 4.5.exe Audiograbber 2.05.exe WinOnCD 4 PE_crack.exe Final Fantasy VII XP Patch 1.5.exe BabeFest 2003 ScreenSaver 1.5.exe PalTalk 5.01b.exe DirectX Buster (all versions).exe DirectX InfoTool.exe Unreal2_crack.exe FlashGet 1.5.exe Babylon 3.50b reg_crack.exe mp3Trim PRO 2.5.exe
The worm changes the size of its files to make them match (to some extent of course) the size of software packages it tries to fake. Anyone connecting with Kazaa or iMesh client to an infected computer will discover these fake files. If at least one of these files is downloaded and executed by another person, his computer also becomes infected.
The worm has backdoor capabilities. It is controlled via a bot that the worm creates in the specific channel on an IRC server. A hacker can obtain system information, upload, download, execute files on an infected system and update the worm's file to a newer version.
The worm can be used to perform a DoS (Denial of Service) attack. It can perform a SYN flood attack.
F-Secure Anti-Virus detects the worm with the latest updates.