Systweak Spyware Library
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Worm-Email.pandem Analysis Report
Threat Submitted On: 9/18/2008 7:22:22 PM
Threat Analysed On: 9/19/2008 12:22:22 AM
Threat Updated On: 1/27/2011 9:46:05 PM
Type : Worm-Email
Symptoms of pandem
  • Spreads through the opening of infected e-mail attachments.
  • Sends a copy of itself to all the contacts of the user’s address book.
  • Sometimes has dire results, such as affecting the hard disk and threatening the user's privacy.
Information
Alias : email-worm.win32.pandem.b
Md5 Hash : [ee5711879bc6f2cb5a0ba2e73a92445a]
File Size : (79872 bytes)

Technical Details

Here are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system:
Note: Delete the following files to remove the infection.
File: cracker game.exe
Path : %programfiles%\bearshare\shared

File: credit card.exe
Path : %programfiles%\bearshare\shared

File: matrix reloaded.scr
Path : %programfiles%\bearshare\shared

File: simpsons.exe
Path : %programfiles%\bearshare\shared

File: cracker game.exe
Path : %programfiles%\edonkey2000\incoming

File: credit card.exe
Path : %programfiles%\edonkey2000\incoming

File: hacker.scr
Path : %programfiles%\edonkey2000\incoming

File: simpsons.exe
Path : %programfiles%\edonkey2000\incoming

File: cracker game.exe
Path : %programfiles%\grokster\my grokster

File: hotmail hack.exe
Path : %programfiles%\grokster\my grokster

File: simpsons.exe
Path : %programfiles%\grokster\my grokster

File: matrix reloaded.scr
Path : %programfiles%\icq\shared files

File: hacker.scr
Path : %programfiles%\kazaa\my shared folder

File: simpsons.exe
Path : %programfiles%\kazaa\my shared folder

File: matrix reloaded.scr
Path : %programfiles%\limewire\shared

File: lnhsvc.exe
Path : %windir%

Md5Hash :ee5711879bc6f2cb5a0ba2e73a92445a ( 79872 bytes)
File: wnsock32.dll
Path : %windir%

Md5Hash :f4bcae009eb3fb70da95ed435c65d52f ( 67825 bytes)
File: wnsock32.sys
Path : %windir%

Md5Hash :e5a32351a6802ef0291ac7c4529588da ( 10 bytes)
File: wnsock32.zip
Path : %windir%

Md5Hash :8fbfa5b1a5e216135c76d8b0a1be4be2 ( bytes)
File: [randomname].exe
Path : %workingdir%

Md5Hash :
6682b683d33a3facc310a11980abf197 ( 319488 bytes)
8e5339d42041863f0fb8305843de1d98 ( 90112 bytes)
b46610474327b302064c027801799109 ( 104448 bytes)
ee5711879bc6f2cb5a0ba2e73a92445a ( 79872 bytes)
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
System's Shield = "%WINDIR%\lnhsvc.exe"
Copies the Following Files to Given Location :-


NOTE:

1. %programfiles% Refers to the program files folder. By default it is 'C:\Program Files'
2. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
3. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.


To modify registry entries in the Windows operating system, follow these steps:
1. Click Start > Run
2. Type "regedit" to open the Registry Editor
3. Navigate to the required registry key in the left tree control and modify it accordingly.



© Systweak Inc., 1999-2011 All rights reserved.