
W32.Pandem.B.Worm

Risk Level 2: Low

Discovered: August 19, 2003
Updated: February 13, 2007 12:05:20 PM
Also Known As: W32.Squirm@mm, W32/Pandem-B [Sophos]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

W32.Pandem.B.Worm is an Internet worm that is written in C++ and is packed with PEBundle.

This worm attempts to spread using the following methods:
  • By email, it sends itself to the contacts in the Microsoft Outlook Address Book, with the following message:

    From: support@microsoft.com
    Subject: Microsoft Security Bulletin
    Message:
    Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)

    Summary
    Who should read this bulletin: Customers using Microsoft Windows 95,98,2K,ME,XP
    Impact of vulnerability: Run code of an attacker's choice

    Maximum Severity Rating: Critical

    Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should apply the patch immediately.

    Attachment: patch.zip or patch_329390.exe

  • Through file-sharing applications, including KaZaA, Morpheus, eDonkey, Grokster, LimeWire, GNucleus, BearShare, Direct Connect, and ICQ: if these programs are installed, the worm places copies of itself in their default shared folders.

  • Through IRC, by sending itself over DCC.

The worm sends a notification to its author when a host is infected and listens on port 61282 for a connection.

NOTE: Virus definitions dated prior to August 21, 2003 may detect this threat as W32.Squirm@mm.
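For mail triage, the lure described above can be matched on its sender, subject, bulletin number and attachment name. The following is an added example, not part of the original write-up; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Lure values as given in the write-up above.
LURE_FROM = "support@microsoft.com"
LURE_SUBJECT = "microsoft security bulletin"
LURE_ATTACHMENTS = {"patch.zip", "patch_329390.exe"}
LURE_BODY_MARKER = "(329390)"

def pandem_mail_indicators(raw_message):
    """Return the lure indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower() == LURE_FROM:
        hits.append("from")
    # Collapse whitespace and case so folded or re-cased subjects still match.
    if " ".join(msg.get("Subject", "").split()).lower() == LURE_SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in LURE_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if LURE_BODY_MARKER in body.decode("latin-1"):
                hits.append("body")
    return hits

def is_pandem_lure(raw_message):
    """Flag a message carrying a lure attachment plus one other indicator."""
    hits = pandem_mail_indicators(raw_message)
    return len(hits) >= 2 and any(h.startswith("attachment:") for h in hits)

# Constructed sample message; the attachment body is a placeholder.
SAMPLE_LURE = """\
From: support@microsoft.com
Subject: Microsoft Security Bulletin
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch_329390.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```

Requiring the attachment plus a second indicator keeps a message that merely discusses the bulletin number from being flagged.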



The worm may drop the following files:
  • C:\Program Files\Gnucleus\Downloads\Incoming\ICQ Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\ICQ Hack.Exe
  • C:\Program Files\KMD\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Bearshare\Shared\ICQ Hack.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Kazaa\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Morpheus\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Edonkey2000\Incoming\ICQ Hack.Exe
  • C:\Program Files\Direct Connect\Received Files\ICQ Hack.Exe
  • C:\Program Files\Grokster\My Grokster\ICQ Hack.Exe
  • C:\Program Files\Limewire\Shared\ICQ Hack.Exe
  • C:\Program Files\Icq\Shared Files\ICQ Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Connection Booster.Exe
  • C:\Program Files\Gnucleus\Downloads\Connection Booster.Exe
  • C:\Program Files\KMD\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Bearshare\Shared\Connection Booster.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Edonkey2000\Incoming\Connection Booster.Exe
  • C:\Program Files\Direct Connect\Received Files\Connection Booster.Exe
  • C:\Program Files\Grokster\My Grokster\Connection Booster.Exe
  • C:\Program Files\Limewire\Shared\Connection Booster.Exe
  • C:\Program Files\Icq\Shared Files\Connection Booster.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Serials Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Serials Collections.Exe
  • C:\Program Files\KMD\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Bearshare\Shared\Serials Collections.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Edonkey2000\Incoming\Serials Collections.Exe
  • C:\Program Files\Direct Connect\Received Files\Serials Collections.Exe
  • C:\Program Files\Grokster\My Grokster\Serials Collections.Exe
  • C:\Program Files\Limewire\Shared\Serials Collections.Exe
  • C:\Program Files\Icq\Shared Files\Serials Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Hotmail Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\Hotmail Hack.Exe
  • C:\Program Files\KMD\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Bearshare\Shared\Hotmail Hack.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Edonkey2000\Incoming\Hotmail Hack.Exe
  • C:\Program Files\Direct Connect\Received Files\Hotmail Hack.Exe
  • C:\Program Files\Grokster\My Grokster\Hotmail Hack.Exe
  • C:\Program Files\Limewire\Shared\Hotmail Hack.Exe
  • C:\Program Files\Icq\Shared Files\Hotmail Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Norton Keygen-All Vers.Exe
  • C:\Program Files\Gnucleus\Downloads\Norton Keygen-All Vers.Exe
  • C:\Program Files\KMD\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Bearshare\Shared\Norton Keygen-All Vers.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Edonkey2000\Incoming\Norton Keygen-All Vers.Exe
  • C:\Program Files\Direct Connect\Received Files\Norton Keygen-All Vers.Exe
  • C:\Program Files\Grokster\My Grokster\Norton Keygen-All Vers.Exe
  • C:\Program Files\Limewire\Shared\Norton Keygen-All Vers.Exe
  • C:\Program Files\Icq\Shared Files\Norton Keygen-All Vers.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Hacker.Scr
  • C:\Program Files\Gnucleus\Downloads\Hacker.Scr
  • C:\Program Files\KMD\My Shared Folder\Hacker.Scr
  • C:\Program Files\Bearshare\Shared\Hacker.Scr
  • C:\Program Files\Kazaa Lite\My Shared Folder\Hacker.Scr
  • C:\Program Files\Kazaa\My Shared Folder\Hacker.Scr
  • C:\Program Files\Morpheus\My Shared Folder\Hacker.Scr
  • C:\Program Files\Edonkey2000\Incoming\Hacker.Scr
  • C:\Program Files\Direct Connect\Received Files\Hacker.Scr
  • C:\Program Files\Grokster\My Grokster\Hacker.Scr
  • C:\Program Files\Limewire\Shared\Hacker.Scr
  • C:\Program Files\Icq\Shared Files\Hacker.Scr
  • C:\Program Files\Gnucleus\Downloads\Incoming\Credit Card.Exe
  • C:\Program Files\Gnucleus\Downloads\Credit Card.Exe
  • C:\Program Files\KMD\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Bearshare\Shared\Credit Card.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Edonkey2000\Incoming\Credit Card.Exe
  • C:\Program Files\Direct Connect\Received Files\Credit Card.Exe
  • C:\Program Files\Grokster\My Grokster\Credit Card.Exe
  • C:\Program Files\Limewire\Shared\Credit Card.Exe
  • C:\Program Files\Icq\Shared Files\Credit Card.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Edonkey2000\Incoming\Cracks Collections.Exe
  • C:\Program Files\Direct Connect\Received Files\Cracks Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Cracks Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Cracks Collections.Exe
  • C:\Program Files\KMD\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Bearshare\Shared\Cracks Collections.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Grokster\My Grokster\Cracks Collections.Exe
  • C:\Program Files\Limewire\Shared\Cracks Collections.Exe
  • C:\Program Files\Icq\Shared Files\Cracks Collecions.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Simpsons.Exe
  • C:\Program Files\Gnucleus\Downloads\Simpsons.Exe
  • C:\Program Files\KMD\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Bearshare\Shared\Simpsons.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Edonkey2000\Incoming\Simpsons.Exe
  • C:\Program Files\Direct Connect\Received Files\Simpsons.Exe
  • C:\Program Files\Grokster\My Grokster\Simpsons.Exe
  • C:\Program Files\Limewire\Shared\Simpsons.Exe
  • C:\Program Files\Icq\Shared Files\Simpsons.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\XXX Virtual Sex.Scr
  • C:\Program Files\Gnucleus\Downloads\XXX Virtual Sex.Scr
  • C:\Program Files\KMD\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Bearshare\Shared\XXX Virtual Sex.Scr
  • C:\Program Files\Kazaa Lite\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Kazaa\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Morpheus\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Edonkey2000\Incoming\XXX Virtual Sex.Scr
  • C:\Program Files\Direct Connect\Received Files\XXX Virtual Sex.Scr
  • C:\Program Files\Grokster\My Grokster\XXX Virtual Sex.Scr
  • C:\Program Files\Limewire\Shared\XXX Virtual Sex.Scr
  • C:\Program Files\Icq\Shared Files\XXX Virtual Sex.Scr
  • C:\Program Files\Gnucleus\Downloads\Incoming\Cracker Game.Exe
  • C:\Program Files\Gnucleus\Downloads\Cracker Game.Exe
  • C:\Program Files\KMD\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Bearshare\Shared\Cracker Game.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Edonkey2000\Incoming\Cracker Game.Exe
  • C:\Program Files\Direct Connect\Received Files\Cracker Game.Exe
  • C:\Program Files\Grokster\My Grokster\Cracker Game.Exe
  • C:\Program Files\Limewire\Shared\Cracker Game.Exe
  • C:\Program Files\Icq\Shared Files\Cracker Game.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Matrix Reloaded.Scr
  • C:\Program Files\Gnucleus\Downloads\Matrix Reloaded.Scr
  • C:\Program Files\KMD\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Bearshare\Shared\Matrix Reloaded.Scr
  • C:\Program Files\Kazaa Lite\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Kazaa\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Morpheus\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Edonkey2000\Incoming\Matrix Reloaded.Scr
  • C:\Program Files\Direct Connect\Received Files\Matrix Reloaded.Scr
  • C:\Program Files\Grokster\My Grokster\Matrix Reloaded.Scr
  • C:\Program Files\Limewire\Shared\Matrix Reloaded.Scr
  • C:\Program Files\Icq\Shared Files\Matrix Reloaded.Scr
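The drop list above is a set of lure file names repeated across each shared folder, so a host can be triaged from a file listing and `netstat -an` output. The following is an added example, not part of the original write-up; it goes slightly beyond the listed paths by ignoring drive letter, case and slash direction, and the function names and sample input are constructed.

```python
import ntpath

# Folder and file names as listed in the write-up (relative to Program Files).
SHARED_DIRS = (
    r"Gnucleus\Downloads\Incoming", r"Gnucleus\Downloads",
    r"KMD\My Shared Folder", r"Bearshare\Shared",
    r"Kazaa Lite\My Shared Folder", r"Kazaa\My Shared Folder",
    r"Morpheus\My Shared Folder", r"Edonkey2000\Incoming",
    r"Direct Connect\Received Files", r"Grokster\My Grokster",
    r"Limewire\Shared", r"Icq\Shared Files",
)
LURE_NAMES = (
    "ICQ Hack.Exe", "Connection Booster.Exe", "Serials Collections.Exe",
    "Hotmail Hack.Exe", "Norton Keygen-All Vers.Exe", "Hacker.Scr",
    "Credit Card.Exe", "Cracks Collections.Exe", "Cracks Collecions.Exe",
    "Simpsons.Exe", "XXX Virtual Sex.Scr", "Cracker Game.Exe",
    "Matrix Reloaded.Scr",
)
LISTEN_PORT = "61282"  # port the write-up says the worm listens on

_DIRS = {("Program Files\\" + d).lower() for d in SHARED_DIRS}
_NAMES = {n.lower() for n in LURE_NAMES}

def pandem_drops(listing):
    """Return listed paths that are a lure name inside a listed shared folder."""
    hits = []
    for raw in listing:
        _, rest = ntpath.splitdrive(ntpath.normpath(raw.strip()))
        folder, name = ntpath.split(rest.lstrip("\\").lower())
        if folder in _DIRS and name in _NAMES:
            hits.append(raw.strip())
    return hits

def pandem_listeners(netstat_lines):
    """Return `netstat -an` lines with a listener bound to the worm's port."""
    hits = []
    for line in netstat_lines:
        f = line.split()
        # TCP rows must be LISTENING; UDP rows carry no state column.
        if (len(f) >= 3 and f[1].rpartition(":")[2] == LISTEN_PORT
                and (f[0] == "UDP" or f[-1] == "LISTENING")):
            hits.append(line.strip())
    return hits

# Constructed triage input, not taken from a real host.
SAMPLE_FILES = [r"c:\program files\kazaa\my shared folder\HACKER.SCR",
                r"C:\Temp\Simpsons.Exe"]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:61282    0.0.0.0:0    LISTENING",
                  "  TCP    10.0.0.5:61282    192.0.2.7:80    ESTABLISHED"]
```

A lure name outside the listed folders is deliberately not reported, since the write-up only ties these names to the shared-folder locations.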


Antivirus Protection Dates

  • Initial Rapid Release version August 20, 2003
  • Latest Rapid Release version March 3, 2013 revision 007
  • Initial Daily Certified version August 20, 2003
  • Latest Daily Certified version March 3, 2013 revision 009
  • Initial Weekly Certified release date August 20, 2003

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: John Canavan
