Sophos

W32/Pandem-B

Aliases
  • W32.Pandem.B.Worm
  • W32.Squirm@mm

Summary

Protection available since 28 September 2003 09:47:18 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Delete any unwanted dropped files.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CPU Manager= <Windows>\CPUMGR.EXE

and delete it if it exists.

Close the registry editor.

More Information

W32/Pandem-B is a worm which spreads via email, by copying itself to the shared folders of various peer-to-peer networks (e.g. KaZaA, Morpheus, eDonkey2000) and via IRC channels.

The worm displays the messages
"Security Patch 329390
Patching system... Wait" and
"Security Patch 329390
Patched. Thanks for using Microsoft Windows".

W32/Pandem-B then drops the file ZLIB.DLL (a legitimate compression plugin) into the Windows system folder and copies itself to the Windows folder as CPUMGR.EXE.

The worm creates the following registry entry to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CPU Manager= <Windows>\CPUMGR.EXE

The worm also drops PHOTO.ZIP (a zipped copy of the worm called COOL.SCR), CPUMGR.DLL (an encoded copy of the worm) and PDMN.SMT (a text file containing the SMTP domain) in the Windows folder.

Emails sent by the worm have the following characteristics:

From: support@microsoft.com

Subject line: "Microsoft Security Bulletin"

Message text:
"Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)

Summary
Who should read this bulletin: Customers using Microsoft Windows 95,98,2K,ME,XP
Impact of vulnerability: Run code of an attackers choice
Maximum Severity Rating: Critical
Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should apply
the patch immediately."

Attached file: PATCH.ZIP (containing PATCH_329390.EXE).
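The following is an added example, not part of the Sophos analysis, showing how a mail administrator could triage stored messages against the characteristics listed above (spoofed From address, subject line, bulletin number in the body, PATCH.ZIP attachment). It works on the raw RFC 822 text of a message; the sample message at the bottom is constructed for this example and is not a captured copy of the worm's email.

```powershell
# Added example (not Sophos' code): score a raw message against the W32/Pandem-B
# email indicators from the analysis above. Two or more hits is treated as suspicious
# so that a lone "Microsoft Security Bulletin" subject on a legitimate mail is not flagged.
function Test-PandemMail {
    param([Parameter(Mandatory)][string]$RawMessage)

    # Headers end at the first blank line; the rest is the body (including MIME parts)
    $parts   = $RawMessage -split '(?:\r?\n){2}', 2
    $headers = $parts[0]
    $body    = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    $indicators = [ordered]@{
        FromSpoofsMicrosoft = ($headers -match '(?im)^From:.*support@microsoft\.com')
        SubjectMatches      = ($headers -match '(?im)^Subject:\s*Microsoft Security Bulletin')
        BodyCitesBulletin   = ($body -match '329390') -or
                              ($body -match 'Unchecked Buffer in Windows Explorer')
        # Attachment name appears in Content-Type name= or Content-Disposition filename=
        AttachmentPatchZip  = ($RawMessage -match '(?i)(filename|name)="?PATCH\.ZIP"?')
    }
    $hits = @($indicators.GetEnumerator() | Where-Object { $_.Value }).Count

    [pscustomobject]@{
        Suspicious = ($hits -ge 2)
        Hits       = $hits
        Indicators = $indicators
    }
}

# Constructed sample message (not a real capture) exercising every indicator
$sample = @"
From: support@microsoft.com
To: user@example.invalid
Subject: Microsoft Security Bulletin
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)
--XYZ
Content-Type: application/zip; name="PATCH.ZIP"
Content-Disposition: attachment; filename="PATCH.ZIP"

UEsDBBQAAAAIAAAAIQA=
--XYZ--
"@

Test-PandemMail -RawMessage $sample   # Suspicious = True, Hits = 4

# To sweep a folder of saved messages:
# Get-ChildItem -Path .\quarantine -Filter *.eml |
#     ForEach-Object { Get-Content -LiteralPath $_.FullName -Raw | Test-PandemMail }
```

The check deliberately looks at both the `name=` and `filename=` MIME parameters because mail clients are inconsistent about which one they emit; a gateway rule that only inspects one of them would miss half the cases.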

W32/Pandem-B also attempts to copy itself to several locations within peer-to-peer shared folders, for example:

c:\program files\gnucleus\downloads\incoming\ICQ Hack.exe
c:\program files\grokster\my grokster\Connection Booster.exe
c:\program files\gnucleus\downloads\incoming\Hotmail Hack.exe
c:\program files\gnucleus\downloads\incoming\Norton keygen-All vers.exe
c:\program files\KaZaa Lite\My Shared Folder\Hacker.scr
c:\program files\KaZaa Lite\My Shared Folder\credit card.exe
c:\program files\BearShare\Shared\Cracks Collections.exe
c:\program files\icq\shared files\Matrix Reloaded.scr

W32/Pandem-B also allows unauthorised access to the computer over a network. The worm listens on port 61282 for commands from a remote attacker.
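The following is an added example, not part of the Sophos analysis, that combines the removal steps from the Action section with the artefacts listed under More Information: the `CPU Manager` Run value, the files dropped into the Windows folder, the copies planted in peer-to-peer shared folders, and the listener on TCP port 61282. It assumes a current Windows release with PowerShell and the NetTCPIP module (the original advisory also covers NT/2000/XP, which predate PowerShell). It reports by default; `-Remove` performs the cleanup, and `-Remove -WhatIf` previews it. ZLIB.DLL is intentionally left alone because the analysis identifies it as a legitimate library.

```powershell
# Added example (not Sophos' code): report, and optionally remove, the W32/Pandem-B
# artefacts described on this page. Run from an elevated PowerShell session.
function Invoke-PandemSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remove,
        # Where the Run key is exported before any value is deleted (mirrors the
        # page's advice to back up the registry first)
        [string]$BackupPath = (Join-Path $env:TEMP 'Run-key-backup.reg')
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $win      = $env:SystemRoot
    $runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

    # 1. The worm's own process must go before its file can be deleted
    foreach ($p in Get-Process -Name 'CPUMGR' -ErrorAction SilentlyContinue) {
        $findings.Add("Running process: CPUMGR (PID $($p.Id))")
        if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop CPUMGR process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # 2. Autorun value the worm creates: CPU Manager = <Windows>\CPUMGR.EXE
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['CPU Manager']) {
        $findings.Add("Run value 'CPU Manager' = $($run.'CPU Manager')")
        if ($Remove -and $PSCmdlet.ShouldProcess($runKey, "Remove value 'CPU Manager'")) {
            & reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' $BackupPath /y | Out-Null
            Remove-ItemProperty -Path $runKey -Name 'CPU Manager'
        }
    }

    # 3. Files dropped into the Windows folder (ZLIB.DLL is legitimate and is not touched)
    $dropped = @(
        (Join-Path $win 'CPUMGR.EXE'),
        (Join-Path $win 'CPUMGR.DLL'),
        (Join-Path $win 'PHOTO.ZIP'),
        (Join-Path $win 'PDMN.SMT')
    )
    # 4. Copies planted in peer-to-peer shared folders (paths as listed in the analysis)
    $p2p = @(
        'c:\program files\gnucleus\downloads\incoming\ICQ Hack.exe',
        'c:\program files\grokster\my grokster\Connection Booster.exe',
        'c:\program files\gnucleus\downloads\incoming\Hotmail Hack.exe',
        'c:\program files\gnucleus\downloads\incoming\Norton keygen-All vers.exe',
        'c:\program files\KaZaa Lite\My Shared Folder\Hacker.scr',
        'c:\program files\KaZaa Lite\My Shared Folder\credit card.exe',
        'c:\program files\BearShare\Shared\Cracks Collections.exe',
        'c:\program files\icq\shared files\Matrix Reloaded.scr'
    )
    foreach ($path in ($dropped + $p2p)) {
        if (Test-Path -LiteralPath $path) {
            $findings.Add("File present: $path")
            if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Delete dropped file')) {
                Remove-Item -LiteralPath $path -Force
            }
        }
    }

    # 5. Backdoor listener on TCP 61282; report the owning process for triage
    $listeners = Get-NetTCPConnection -LocalPort 61282 -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $owner = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Listener on TCP 61282: PID $($l.OwningProcess) ($($owner.ProcessName))")
    }

    if ($findings.Count -eq 0) { 'No W32/Pandem-B artefacts found.' } else { $findings }
}

# Report only:
Invoke-PandemSweep
# Preview the cleanup, then perform it:
# Invoke-PandemSweep -Remove -WhatIf
# Invoke-PandemSweep -Remove
```

The port check is the one indicator that survives a renamed executable, so a listener on 61282 owned by something other than CPUMGR is worth a closer look rather than an automatic kill; that is why the sweep only reports it.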
