1. Symantec/
  2. Security Response/
  3. W32.Pandem.B.Worm


Risk Level 2: Low

August 19, 2003
February 13, 2007 12:05:20 PM
Also Known As:
W32.Squirm@mm, W32/Pandem-B [Sophos]
Systems Affected:

W32.Pandem.B.Worm is an Internet worm that is written in C++ and is packed with PEBundle.

This worm attempts to spread using the following methods:
  • By email, it sends itself to the contacts in the Microsoft Outlook Address Book, with the following message:

    From: support@microsoft.com
    Subject: Microsoft Security Bulletin
    Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)

    Who should read this bulletin: Customers using Microsoft Windows 95,98,2K,ME,XP
    Impact of vulnerability: Run code of an attacker's choice

    Maximum Severity Rating: Critical

    Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should apply the patch immediately.

    Attachment: patch.zip or patch_329390.exe

  • Through file-sharing applications, including KaZaA, Morpheus, eDonkey, Grokster, LimeWire, GNucleus, BearShare, Direct Connect, and ICQ: By placing itself in their default shared folders, if the programs are installed.

  • By using DCC, the worm sends in IRC.

The worm sends a notification to its author when a host is infected and listens on port 61282 for a connection.

NOTE: Virus definitions dated prior to August 21, 2003 may detect this threat as W32.Squirm@mm.

The worm may drop the following files:
  • C:\Program Files\Gnucleus\Downloads\Incoming\ICQ Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\ICQ Hack.Exe
  • C:\Program Files\KMD\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Bearshare\Shared\ICQ Hack.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Kazaa\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Morpheus\My Shared Folder\ICQ Hack.Exe
  • C:\Program Files\Edonkey2000\Incoming\ICQ Hack.Exe
  • C:\Program Files\Direct Connect\Received Files\ICQ Hack.Exe
  • C:\Program Files\Grokster\My Grokster\ICQ Hack.Exe
  • C:\Program Files\Limewire\Shared\ICQ Hack.Exe
  • C:\Program Files\Icq\Shared Files\ICQ Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Connection Booster.Exe
  • C:\Program Files\Gnucleus\Downloads\Connection Booster.Exe
  • C:\Program Files\KMD\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Bearshare\Shared\Connection Booster.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Connection Booster.Exe
  • C:\Program Files\Edonkey2000\Incoming\Connection Booster.Exe
  • C:\Program Files\Direct Connect\Received Files\Connection Booster.Exe
  • C:\Program Files\Grokster\My Grokster\Connection Booster.Exe
  • C:\Program Files\Limewire\Shared\Connection Booster.Exe
  • C:\Program Files\Icq\Shared Files\Connection Booster.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Serials Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Serials Collections.Exe
  • C:\Program Files\KMD\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Bearshare\Shared\Serials Collections.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Serials Collections.Exe
  • C:\Program Files\Edonkey2000\Incoming\Serials Collections.Exe
  • C:\Program Files\Direct Connect\Received Files\Serials Collections.Exe
  • C:\Program Files\Grokster\My Grokster\Serials Collections.Exe
  • C:\Program Files\Limewire\Shared\Serials Collections.Exe
  • C:\Program Files\Icq\Shared Files\Serials Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Hotmail Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\Hotmail Hack.Exe
  • C:\Program Files\KMD\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Bearshare\Shared\Hotmail Hack.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Hotmail Hack.Exe
  • C:\Program Files\Edonkey2000\Incoming\Hotmail Hack.Exe
  • C:\Program Files\Direct Connect\Received Files\Hotmail Hack.Exe
  • C:\Program Files\Grokster\My Grokster\Hotmail Hack.Exe
  • C:\Program Files\Limewire\Shared\Hotmail Hack.Exe
  • C:\Program Files\Icq\Shared Files\Hotmail Hack.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Norton Keygen-All Vers.Exe
  • C:\Program Files\Gnucleus\Downloads\Norton Keygen-All Vers.Exe
  • C:\Program Files\KMD\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Bearshare\Shared\Norton Keygen-All Vers.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Norton Keygen-All Vers.Exe
  • C:\Program Files\Edonkey2000\Incoming\Norton Keygen-All Vers.Exe
  • C:\Program Files\Direct Connect\Received Files\Norton Keygen-All Vers.Exe
  • C:\Program Files\Grokster\My Grokster\Norton Keygen-All Vers.Exe
  • C:\Program Files\Limewire\Shared\Norton Keygen-All Vers.Exe
  • C:\Program Files\Icq\Shared Files\Norton Keygen-All Vers.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Hacker.Scr
  • C:\Program Files\Gnucleus\Downloads\Hacker.Scr
  • C:\Program Files\KMD\My Shared Folder\Hacker.Scr
  • C:\Program Files\Bearshare\Shared\Hacker.Scr
  • C:\Program Files\Kazaa Lite\My Shared Folder\Hacker.Scr
  • C:\Program Files\Kazaa\My Shared Folder\Hacker.Scr
  • C:\Program Files\Morpheus\My Shared Folder\Hacker.Scr
  • C:\Program Files\Edonkey2000\Incoming\Hacker.Scr
  • C:\Program Files\Direct Connect\Received Files\Hacker.Scr
  • C:\Program Files\Grokster\My Grokster\Hacker.Scr
  • C:\Program Files\Limewire\Shared\Hacker.Scr
  • C:\Program Files\Icq\Shared Files\Hacker.Scr
  • C:\Program Files\Gnucleus\Downloads\Incoming\Credit Card.Exe
  • C:\Program Files\Gnucleus\Downloads\Credit Card.Exe
  • C:\Program Files\KMD\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Bearshare\Shared\Credit Card.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Credit Card.Exe
  • C:\Program Files\Edonkey2000\Incoming\Credit Card.Exe
  • C:\Program Files\Direct Connect\Received Files\Credit Card.Exe
  • C:\Program Files\Grokster\My Grokster\Credit Card.Exe
  • C:\Program Files\Limewire\Shared\Credit Card.Exe
  • C:\Program Files\Icq\Shared Files\Credit Card.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Edonkey2000\Incoming\Cracks Collections.Exe
  • C:\Program Files\Direct Connect\Received Files\Cracks Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Cracks Collections.Exe
  • C:\Program Files\Gnucleus\Downloads\Cracks Collections.Exe
  • C:\Program Files\KMD\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Bearshare\Shared\Cracks Collections.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Cracks Collections.Exe
  • C:\Program Files\Grokster\My Grokster\Cracks Collections.Exe
  • C:\Program Files\Limewire\Shared\Cracks Collections.Exe
  • C:\Program Files\Icq\Shared Files\Cracks Collecions.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Simpsons.Exe
  • C:\Program Files\Gnucleus\Downloads\Simpsons.Exe
  • C:\Program Files\KMD\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Bearshare\Shared\Simpsons.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Simpsons.Exe
  • C:\Program Files\Edonkey2000\Incoming\Simpsons.Exe
  • C:\Program Files\Direct Connect\Received Files\Simpsons.Exe
  • C:\Program Files\Grokster\My Grokster\Simpsons.Exe
  • C:\Program Files\Limewire\Shared\Simpsons.Exe
  • C:\Program Files\Icq\Shared Files\Simpsons.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\XXX Virtual Sex.Scr
  • C:\Program Files\Gnucleus\Downloads\XXX Virtual Sex.Scr
  • C:\Program Files\KMD\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Bearshare\Shared\XXX Virtual Sex.Scr
  • C:\Program Files\Kazaa Lite\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Kazaa\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Morpheus\My Shared Folder\XXX Virtual Sex.Scr
  • C:\Program Files\Edonkey2000\Incoming\XXX Virtual Sex.Scr
  • C:\Program Files\Direct Connect\Received Files\XXX Virtual Sex.Scr
  • C:\Program Files\Grokster\My Grokster\XXX Virtual Sex.Scr
  • C:\Program Files\Limewire\Shared\XXX Virtual Sex.Scr
  • C:\Program Files\Icq\Shared Files\XXX Virtual Sex.Scr
  • C:\Program Files\Gnucleus\Downloads\Incoming\Cracker Game.Exe
  • C:\Program Files\Gnucleus\Downloads\Cracker Game.Exe
  • C:\Program Files\KMD\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Bearshare\Shared\Cracker Game.Exe
  • C:\Program Files\Kazaa Lite\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Kazaa\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Morpheus\My Shared Folder\Cracker Game.Exe
  • C:\Program Files\Edonkey2000\Incoming\Cracker Game.Exe
  • C:\Program Files\Direct Connect\Received Files\Cracker Game.Exe
  • C:\Program Files\Grokster\My Grokster\Cracker Game.Exe
  • C:\Program Files\Limewire\Shared\Cracker Game.Exe
  • C:\Program Files\Icq\Shared Files\Cracker Game.Exe
  • C:\Program Files\Gnucleus\Downloads\Incoming\Matrix Reloaded.Scr
  • C:\Program Files\Gnucleus\Downloads\Matrix Reloaded.Scr
  • C:\Program Files\KMD\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Bearshare\Shared\Matrix Reloaded.Scr
  • C:\Program Files\Kazaa Lite\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Kazaa\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Morpheus\My Shared Folder\Matrix Reloaded.Scr
  • C:\Program Files\Edonkey2000\Incoming\Matrix Reloaded.Scr
  • C:\Program Files\Direct Connect\Received Files\Matrix Reloaded.Scr
  • C:\Program Files\Grokster\My Grokster\Matrix Reloaded.Scr
  • C:\Program Files\Limewire\Shared\Matrix Reloaded.Scr
  • C:\Program Files\Icq\Shared Files\Matrix Reloaded.Scr

Antivirus Protection Dates

  • Initial Rapid Release version August 20, 2003
  • Latest Rapid Release version August 8, 2016 revision 023
  • Initial Daily Certified version August 20, 2003
  • Latest Daily Certified version August 9, 2016 revision 001
  • Initial Weekly Certified release date August 20, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: John Canavan

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube