W32/Panoil.d@MM

This page shows details and results of our analysis of the malware W32/Panoil.d@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4295 (2003-09-24)

Updated DAT

4295 (2003-09-24)

Minimum Engine

5.1.00

File Length

44,544 bytes

Description Added

2003-09-23

Description Modified

2003-10-06

Characteristics

Proactive detection: Products running the 4.2.40 engine with the DAT files 4253 or greater detect this threat as "virus or variant W32/Generic.a@MM" (with scanning of compressed files enabled).

This is detected exactly as W32/Generic.a@MM with the 4295 DATs and higher.

This virus can spread via email, the Kazaa file-sharing network and mIRC.

When executed, this worm installs itself onto the victim machine as:

  • C:\Hacker_Hunter.exe.exe
  • %WinDir%\Hunter.exe

(where %WinDir% represents the Windows directory)

The following Registry key is set to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "SecurityFix" = %WinDir%\Hunter.exe

The worm will modify the Internet Explorer start page setting in the registry to point to a website for a university in Turkey.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "Start Page" = http :// www. ankara.edu.tr

Mail Propagation

This worm uses Microsoft Outlook to send itself to all the email addresses found in the Outlook Address Book.

The following is a sample of the message which is constructed by the virus:

KaZaa Propagation

The worm copies itself to the KaZaa download directory as:

  • Hunter.exe
  • Hotmailhack.exe
  • ICQ hack.exe
  • Kernel hack.exe
  • Linux Password Hack.exe
  • Mail Hack.exe
  • Matrix.exe

If mIRC is installed, its script.ini is overwritten. This script is detected as MIRC/Generic.

The IRC client is used to send the virus to all users who join channels that the infected user is on.

Symptoms

Presence of the files, registry entries and win.ini entry detailed above.
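One way to check a host for the symptoms above, as an added example that is not part of the original description: it parses a `reg export` dump and a file listing (both constructed here) for the SecurityFix Run value and the dropped/Kazaa file names, and uses the 44,544-byte file length as the confirming signal, since names such as Matrix.exe are not unique to this worm. The Run key path is the standard one; the sample data is made up.

```python
from typing import Dict, List, Tuple

# Indicators taken from the description above; RUN_KEY is the standard Run key path.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SecurityFix"
SAMPLE_LENGTH = 44544  # file length given in the description
KNOWN_NAMES = {"hacker_hunter.exe.exe", "hunter.exe", "hotmailhack.exe", "icq hack.exe",
               "kernel hack.exe", "linux password hack.exe", "mail hack.exe", "matrix.exe"}

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a `reg export` dump ([key] headers, "name"="value" lines) into nested dicts.
    Key paths are lower-cased (the registry is case-insensitive); doubled backslashes are undone."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return keys

def check_startup(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the SecurityFix Run value only when it points at Hunter.exe, as described."""
    value = reg.get(RUN_KEY.lower(), {}).get(RUN_VALUE)
    return [f"{RUN_VALUE} = {value}"] if value and value.lower().endswith("\\hunter.exe") else []

def check_files(files: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Split name hits into strong (size equals the 44,544-byte sample) and weak ones:
    a known name with a different size is only a lead that needs a scan to confirm."""
    hits: Dict[str, List[str]] = {"strong": [], "weak": []}
    for path, size in files:
        if path.rsplit("\\", 1)[-1].lower() in KNOWN_NAMES:
            hits["strong" if size == SAMPLE_LENGTH else "weak"].append(path)
    return hits

def scan(reg_text: str, files: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    return {"startup": check_startup(parse_reg_export(reg_text)), **check_files(files)}

# Constructed sample input (not captured from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityFix"="C:\\WINDOWS\\Hunter.exe"
"Synchronization Manager"="mobsync.exe /logon"
'''
SAMPLE_FILES = [(r"C:\Hacker_Hunter.exe.exe", 44544), (r"C:\WINDOWS\Hunter.exe", 44544),
                (r"C:\Program Files\Kazaa\My Shared Folder\Matrix.exe", 1048576),
                (r"C:\WINDOWS\notepad.exe", 69120)]
```

Running `scan(SAMPLE_REG, SAMPLE_FILES)` reports the Run value, the two dropped files as strong hits and the oversized Matrix.exe as a weak one.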

Method of Infection

  • The worm spreads by mailing itself to recipients listed in the Outlook address book, using Outlook to construct outgoing messages.
  • The worm can spread via Kazaa network shares.
  • The worm spreads via mIRC, which sends it to users who join channels the infected user is on.

Removal

All Users:
Use specified engine and DAT files for detection and removal.
