W32/Pandos

**Anilrgowda** · 22-Jan-2007, 09:53 AM

Risk Assessment - Home Users: Low - Corporate Users: Low Date Discovered: 12/19/2006 Date Added: 12/19/2006 Origin: N/A Length: Varies Type: Virus SubType: File Infector DAT Required: 4923 Virus Characteristics

Upon execution, W32/Pandos infects executable files on the host system. From current tests, the virus appears to avoid infecting files in the local %SystemRoot% or %Program Files% branches of the local directory structure (though it may place copies of itself in those folders on other systems via a network).
Infected executable files will either be increased in size by 117,284 bytes, or will be padded up to a fixed size, generally 755,712 bytes. Infected executables already larger than 755,712 bytes may be “bumped up” to another larger fixed size. The algorithm by which the virus determines these final sizes is not clear.
The infected files use a “blank shortcut” icon, showing only a small shortcut arrow graphic.

Indications of Infection

The following new files are created:

%UserProfile%\Local Settings\Temp\wowexec.tmp (93,184 bytes)
%UserProfile%\Local Settings\Temp\MediaSups.exe (size varies)
%UserProfile%\Local Settings\Temp\[random 8-character alpha].sys (5,120 bytes)
%UserProfile%\Local Settings\Temp\[random 8-character alpha](multiple copies, size varies)

The following registry keys and values pairs are created (some values may vary):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_MEDIADRVER]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_MEDIADRVER\0000]
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"ConfigFlags"=dword:00000000
"DeviceDesc"="MicroSoft Media Services"
"Legacy"=dword:00000001
"Service"="MediaDrver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_MEDIADRVER\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="MediaDrver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\MediaDrver]
"DisplayName"="MicroSoft Media Services"
"ErrorControl"=dword:00000001
"ImagePath"="\??\C:\DOCUME~1\[username]\LOCALS~1\Temp\[random 8-char alpha].sys"
"Start"=dword:00000003
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\MediaDrver\Enum]
"0"="Root\\LEGACY_MEDIADRVER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\MediaDrver\Security]
"Security"=[hex data]

Additionally, the presence of the following files may indicate an infected system on the network (one that is attempting to infect the local system):

%SystemRoot%\cmd.com
%SystemRoot%\net.com
%SystemRoot%\regedit.com

Method of Infection

W32/Pandos spreads via UNC shares. Upon locating a system on the network with open shares, the virus attempts to write copies of itself using the following names:

[target]\C$\Windows\cmd.com
[target]\C$\Windows\net.com
[target]\C$\Windows\regedit.com

Note that these files do not overwrite the standard *.exe versions. However, they will be executed first if the name is used from Start->Run or a command window (as .com is placed ahead of .exe in execution order for two files otherwise having the same name)

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations

22-Jan-2007, 09:53 AM	#1 (permalink)
Anilrgowda Administrator Posts: 18,715 Join Date: Jan 2006 Rep Power: 10 IM:	W32/Pandos Risk Assessment - Home Users: Low - Corporate Users: Low Date Discovered: 12/19/2006 Date Added: 12/19/2006 Origin: N/A Length: Varies Type: Virus SubType: File Infector DAT Required: 4923 Virus Characteristics Upon execution, W32/Pandos infects executable files on the host system. From current tests, the virus appears to avoid infecting files in the local %SystemRoot% or %Program Files% branches of the local directory structure (though it may place copies of itself in those folders on other systems via a network). Infected executable files will either be increased in size by 117,284 bytes, or will be padded up to a fixed size, generally 755,712 bytes. Infected executables already larger than 755,712 bytes may be “bumped up” to another larger fixed size. The algorithm by which the virus determines these final sizes is not clear. The infected files use a “blank shortcut” icon, showing only a small shortcut arrow graphic. Indications of Infection The following new files are created: %UserProfile%\Local Settings\Temp\wowexec.tmp (93,184 bytes) %UserProfile%\Local Settings\Temp\MediaSups.exe (size varies) %UserProfile%\Local Settings\Temp\[random 8-character alpha].sys (5,120 bytes) %UserProfile%\Local Settings\Temp\[random 8-character alpha](multiple copies, size varies) The following registry keys and values pairs are created (some values may vary): [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_MEDIADRVER] "NextInstance"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_MEDIADRVER\0000] "Class"="LegacyDriver" "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}" "ConfigFlags"=dword:00000000 "DeviceDesc"="MicroSoft Media Services" "Legacy"=dword:00000001 "Service"="MediaDrver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_MEDIADRVER\0000\Control] "NewlyCreated"=dword:00000000 "ActiveService"="MediaDrver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\MediaDrver] "DisplayName"="MicroSoft Media Services" "ErrorControl"=dword:00000001 "ImagePath"="\??\C:\DOCUME~1\[username]\LOCALS~1\Temp\[random 8-char alpha].sys" "Start"=dword:00000003 "Type"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\MediaDrver\Enum] "0"="Root\\LEGACY_MEDIADRVER\\0000" "Count"=dword:00000001 "NextInstance"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\MediaDrver\Security] "Security"=[hex data] Additionally, the presence of the following files may indicate an infected system on the network (one that is attempting to infect the local system): %SystemRoot%\cmd.com %SystemRoot%\net.com %SystemRoot%\regedit.com Method of Infection W32/Pandos spreads via UNC shares. Upon locating a system on the network with open shares, the virus attempts to write copies of itself using the following names: [target]\C$\Windows\cmd.com [target]\C$\Windows\net.com [target]\C$\Windows\regedit.com Note that these files do not overwrite the standard .exe versions. However, they will be executed first if the name is used from Start->Run or a command window (as .com is placed ahead of .exe in execution order for two files otherwise having the same name) Removal Instructions* All Users: Use current engine and DAT files for detection and removal. Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher). Additional Windows ME/XP removal considerations

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)