W32.Pandem.B.Worm is an Internet worm that is written in C++ and is packed with PEBundle. It attempts to spread using the following methods:

By email, it sends itself to the contacts in the Microsoft Outlook Address Book, with the following message:

From: support@microsoft.com
Subject: Microsoft Security Bulletin
Message:
Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)

Summary
Who should read this bulletin: Customers using Microsoft Windows 95,98,2K,ME,XP
Impact of vulnerability: Run code of an attacker's choice

Maximum Severity Rating: Critical

Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should apply the patch immediately.

Attachment: patch.zip or patch_329390.exe


Through file sharing applications, including KaZaA, Morpheus, eDonkey, Grokster, LimeWire, GNucleus, BearShare, Direct Connect, and ICQ, by placing itself in their default shared folders, if the programs are installed.


Over IRC, by sending itself to other users via DCC.

The worm sends a notification to its author when a host is infected and listens on port 61282 for a connection.
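The e-mail lure above has fixed, recognisable traits (spoofed sender, subject, bulletin number, attachment names). The following is an added example for this post, not code from Symantec or from the worm: a small mail-gateway rule that parses a message, scores those traits, and also flags any executable or zip attachment claiming to come from Microsoft, since Microsoft does not distribute patches as mail attachments. The sample messages are constructed here from the indicators on the page; the header values, threshold and helper names are assumptions.

```python
"""Mail-gateway rule for the W32.Pandem.B.Worm lure.

Added example for this post, not code from Symantec or the worm itself.
The sample messages are constructed from the indicators on the page
(sender, subject, bulletin number, attachment names); the other header
values, the scoring threshold and the helper names are assumptions.
"""
from email import message_from_string, policy
from email.message import EmailMessage

LURE_SENDER = "support@microsoft.com"
LURE_SUBJECT = "microsoft security bulletin"
LURE_ATTACHMENTS = {"patch.zip", "patch_329390.exe"}
LURE_BULLETIN = "329390"
# Attachment types a genuine Microsoft bulletin never carries.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


def classify_lure(raw):
    """Return the matched indicators and a verdict for one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if LURE_SENDER in msg.get("From", "").lower():
        hits.append("sender")
    if LURE_SUBJECT in msg.get("Subject", "").lower():
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if LURE_BULLETIN in text:
        hits.append("bulletin-number")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n in LURE_ATTACHMENTS for n in names):
        hits.append("attachment-name")
    if any(n.endswith(EXEC_SUFFIXES) for n in names):
        hits.append("executable-attachment")
    # A Microsoft sender plus an executable attachment is decisive on its own;
    # otherwise require three of the weaker traits to limit false positives.
    verdict = ("sender" in hits and "executable-attachment" in hits) or len(hits) >= 3
    return {"hits": hits, "verdict": verdict}


def build_sample(sender, subject, text, attachment=None):
    """Construct a test message (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content(text)
    if attachment:
        # A few stub bytes stand in for the worm body; only the name matters here.
        msg.add_attachment(b"MZ\x90\x00stub", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


LURE_TEXT = (
    "Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)\n"
    "Maximum Severity Rating: Critical\n"
    "Recommendation: Customers should apply the patch immediately.\n"
)
SAMPLE_LURE = build_sample("support@microsoft.com", "Microsoft Security Bulletin",
                           LURE_TEXT, "patch_329390.exe")
SAMPLE_BENIGN = build_sample("colleague@example.test", "Lunch on Friday?",
                             "Noon at the usual place?\n")

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, classify_lure(raw))
```

The rule deliberately matches attachment names case-insensitively and looks at the decoded body rather than the raw MIME text, so a base64-encoded copy of the lure is scored the same as a plain one.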

NOTE: Virus definitions dated prior to August 21, 2003 may detect this threat as W32.Squirm@mm.

Also Known As: W32.Squirm@mm
Infection Length: 104,448
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

THREAT ASSESSMENT

Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate

Damage

Payload:
Large scale e-mailing: Sends itself, posing as support@microsoft.com.
Degrades performance: When running, the worm can hog system resources, seriously slowing the host machine.
Compromises security settings: Listens on port 61282 for remote connections.

Distribution

Subject of email: Microsoft Security Bulletin

TECHNICAL DETAILS

When W32.Pandem.B.Worm is executed, it performs the following actions:

Drops the file %Windir%\Zlib.dll, a legitimate compression library.

NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

Starts listening on port 61282 for a connection from the worm's author.

Displays the following dialog box:

(sorry, couldn't attach the image properly)

When you click OK, the worm adds the value:

"CPU Manager" = "%Windir%\cpumgr.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and the value:

"Type"="High"

to the key:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows

Drops the files:
%Windir%\Cpumgr.dll: An encoded copy of the worm.
%Windir%\Cpumgr.exe: The worm's executable.
%Windir%\Pdmn.smt: A file containing information about the local computer.
%Windir%\Photo.zip: A zip file containing a copy of the worm.

Displays the following dialog box:

(sorry, couldn't attach the image properly)

When you click OK, the worm remains memory-resident, and after a period of time, it drops files to the default shared folders of some popular file-sharing programs. For a complete list of the paths and filenames, see the "Additional Information" section.

Attempts to contact www.google.com to check for Internet connectivity.

If this check succeeds, the worm attempts to mail itself with the message:

From: support@microsoft.com
Subject: Microsoft Security Bulletin
Message:
Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)

Summary
Who should read this bulletin: Customers using Microsoft Windows 95,98,2K,ME,XP
Impact of vulnerability: Run code of an attacker's choice

Maximum Severity Rating: Critical

Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should apply the patch immediately.

Attachment: patch.zip or patch_329390.exe

Attempts to send a message to the author notifying him/her of the newly infected host.
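The actions above leave a fixed set of host artefacts: the "CPU Manager" Run value, the "Type"="High" marker under HKEY_USERS\.DEFAULT, the Cpumgr/Pdmn/Photo files in %Windir%, and a listener on port 61282. The following is an added example for this post, neither Symantec's removal tool nor code from the worm: a triage routine that checks a host snapshot against those indicators and derives an ordered cleanup plan. To keep it runnable anywhere, the snapshot is constructed here as plain Python data in place of live registry, filesystem and netstat queries; the snapshot layout, the severity weights, the helper names and the two sample hosts are assumptions.

```python
"""Host triage for the W32.Pandem.B.Worm artefacts listed above.

Added example for this post; it is neither Symantec's removal tool nor code
from the worm. The registry values, file names and port come from the page;
the snapshot layout, severity weights, helper names and sample hosts are
assumptions made for this example.
"""
import ntpath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DEFAULT_KEY = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows"
LISTEN_PORT = 61282
DROPPED = {                      # file name under %Windir% -> role given on the page
    "cpumgr.exe": "the worm's executable",
    "cpumgr.dll": "encoded copy of the worm",
    "pdmn.smt": "information about the local computer",
    "photo.zip": "zip file containing a copy of the worm",
}
WEAK_FILES = {"zlib.dll"}        # legitimate library; only corroborating evidence


def triage(snapshot):
    """Return the indicators found on one host and an infected/clean verdict."""
    windir = snapshot["windir"].rstrip("\\").lower()
    registry = snapshot.get("registry", {})
    findings = []

    # Persistence: the Run value the worm adds after the first dialog box.
    for name, data in registry.get(RUN_KEY, {}).items():
        if name.lower() == "cpu manager" or ntpath.basename(data).lower() == "cpumgr.exe":
            findings.append({"severity": "strong", "kind": "run_value",
                             "name": name, "data": data})

    # Marker value under HKEY_USERS\.DEFAULT; weak because the key is generic.
    if registry.get(DEFAULT_KEY, {}).get("Type") == "High":
        findings.append({"severity": "weak", "kind": "marker_value",
                         "name": "Type", "data": "High"})

    # Dropped files: match by name, but only directly under the Windows folder,
    # so an unrelated cpumgr.exe elsewhere on disk is not flagged.
    for path in snapshot.get("files", []):
        folder, name = ntpath.split(path.lower())
        if folder != windir:
            continue
        if name in DROPPED:
            findings.append({"severity": "strong", "kind": "file",
                             "path": path, "role": DROPPED[name]})
        elif name in WEAK_FILES:
            findings.append({"severity": "weak", "kind": "file",
                             "path": path, "role": "legitimate zlib copy dropped by the worm"})

    # Listener awaiting the author's connection.
    if LISTEN_PORT in snapshot.get("listening_ports", []):
        findings.append({"severity": "strong", "kind": "listener", "port": LISTEN_PORT})

    strong = sum(1 for f in findings if f["severity"] == "strong")
    # One strong hit may be coincidence (port reuse, a stray file); two are not.
    return {"findings": findings, "infected": strong >= 2}


def cleanup_plan(snapshot):
    """Ordered removal steps: stop the process, remove persistence, then delete files."""
    findings = triage(snapshot)["findings"]
    steps = []
    for f in findings:
        if f["kind"] == "listener":
            steps.append(f"terminate the process listening on port {f['port']}")
    for f in findings:
        if f["kind"] == "run_value":
            steps.append(f"delete value {f['name']!r} from {RUN_KEY}")
    for f in findings:
        if f["kind"] == "file" and f["severity"] == "strong":
            steps.append(f"delete {f['path']}")
    return steps


# Constructed sample hosts (not real captures).
SAMPLE_INFECTED = {
    "windir": r"C:\Windows",
    "files": [r"C:\Windows\cpumgr.exe", r"C:\Windows\Cpumgr.dll", r"C:\Windows\Pdmn.smt",
              r"C:\Windows\Photo.zip", r"C:\Windows\Zlib.dll", r"C:\Windows\notepad.exe"],
    "registry": {RUN_KEY: {"CPU Manager": r"C:\Windows\cpumgr.exe"},
                 DEFAULT_KEY: {"Type": "High"}},
    "listening_ports": [135, 445, 61282],
}
SAMPLE_CLEAN = {
    "windir": r"C:\Winnt",
    "files": [r"C:\Winnt\notepad.exe", r"C:\Program Files\Monitor\cpumgr.exe"],
    "registry": {RUN_KEY: {"Monitor": r"C:\Program Files\Monitor\monitor.exe"}},
    "listening_ports": [135],
}

if __name__ == "__main__":
    for label, host in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        result = triage(host)
        print(label, "infected" if result["infected"] else "clean",
              len(result["findings"]), "indicator(s)")
        for step in cleanup_plan(host):
            print("  -", step)
```

The clean sample carries a cpumgr.exe outside %Windir% on purpose: the name alone is not evidence, and the folder check keeps a coincidentally named program from being deleted.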
For complete details and images of dialog boxes (lol) visit:
http://securityresponse.symantec.com...em.b.worm.html

Cheers,
BD]Hobbit