W32/Pahati.worm

This page shows details and results of our analysis of the malware W32/Pahati.worm.

Overview

  • Detection was added to cover protection against a worm originally called "word32.exe", having a filesize of 32.768 bytes.


Minimum DAT

5100 (2007-08-17)

Updated DAT

5101 (2007-08-20)

Minimum Engine

5.1.00

File Length

32.768

Description Added

2007-08-16

Description Modified

2007-08-16

Malware Proliferation

Characteristics

The file is not internally compressed with a packer.

The file is made using the msvb60 development tool.

It has a deceiving icon pretending to be a Word document, instead of the 32-bit PE binary that it actually is.

Upon execution, it runs silently; no GUI messages appear on the screen.

It copies itself to:

  • c:\Program Files\Microsoft Office\winword.exe (filesize 32.768 bytes), with the file attributes set to hidden & system.
  • c:\Program Files\Microsoft Office\word32.exe (filesize 32.768 bytes), with the file attributes set to hidden & system.

Note that the legitimate winword.exe (8 Mb) is normally located at c:\Program Files\Microsoft Office\Office\winword.exe, not in the directory above.

It also copies itself to another location and creates a registry entry so that it gets launched upon system start:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "(Default)"
    Data: C:\System Volume Information\WORD32.EXE

The worm spreads by trying to copy itself to local & mapped drives.

It may copy itself using different names such as:

  • Patah Hati.doc .exe
  • File1.List(j).doc .exe
  • File2.List(j).doc .exe
  • Hati yangLuka.doc .exe

Symptoms

Presence of the following files, all having a filesize of 32.768 bytes:

  • word32.exe  
  • winword.exe
  • Patah Hati.doc .exe
  • File1.List(j).doc .exe
  • File2.List(j).doc .exe
  • Hati yangLuka.doc .exe

Presence of the registry entry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "(Default)", with Data: C:\System Volume Information\WORD32.EXE

Method of Infection

  • The worm spreads by trying to copy itself to local & mapped drives.
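As an added example, not part of the original description, the following PowerShell script checks a host for the symptoms listed above (the dropped files, the RunOnce entry, and the "<name>.doc .exe" copies left on local and mapped drives). It assumes it is run with administrative rights, and it only reports; it removes nothing.

```powershell
# Added example, not part of the McAfee description: report-only hunt for the
# W32/Pahati.worm indicators listed above. Assumes it runs as an administrator.
$ExpectedSize = 32768   # the "32.768 bytes" filesize every dropped copy has
$Findings = @()

# 1. Fixed drop locations named in the description. -Force is needed because
#    the worm sets the hidden and system attributes on its copies.
$DropPaths = @(
    'C:\Program Files\Microsoft Office\winword.exe',
    'C:\Program Files\Microsoft Office\word32.exe',
    'C:\System Volume Information\WORD32.EXE'   # normally readable only by SYSTEM
)
foreach ($Path in $DropPaths) {
    $Item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($Item -and $Item.Length -eq $ExpectedSize) {
        $Findings += [pscustomobject]@{ Kind = 'DroppedFile'; Item = $Path
            Detail = "$($Item.Length) bytes, attributes: $($Item.Attributes)" }
    }
}

# 2. Persistence: the RunOnce key's (Default) value pointing at WORD32.EXE.
$RunOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$Default = (Get-ItemProperty -Path $RunOnce -ErrorAction SilentlyContinue).'(default)'
if ($Default -and $Default -match 'WORD32\.EXE') {
    $Findings += [pscustomobject]@{ Kind = 'Persistence'; Item = "$RunOnce (Default)"; Detail = $Default }
}

# 3. Spread copies on local and mapped drives: any "<name>.doc .exe" file of the
#    expected size (note the space before .exe, as in "Patah Hati.doc .exe").
$Drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -and (Test-Path -LiteralPath $_.Root) }
foreach ($Drive in $Drives) {
    $Copies = Get-ChildItem -LiteralPath $Drive.Root -Recurse -Force -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.doc .exe' -and $_.Length -eq $ExpectedSize }
    foreach ($Copy in $Copies) {
        $Findings += [pscustomobject]@{ Kind = 'SpreadCopy'; Item = $Copy.FullName; Detail = "$($Copy.Length) bytes" }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize -Wrap } else { 'No W32/Pahati.worm indicators found.' }
```

A hit on any of the three kinds is a reason to run a full scan with the recommended engine and DAT; the drive walk can take a while on large mapped shares.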

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following additional steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.

Variants