Win32 Pacex provides base for other Trojans

Description

Win32 Pacex.Gen is a Trojan detection for password-stealing malware that hides behind an obfuscation (packing) layer and steals information such as passwords, financial details and other user credentials. Being a Trojan it does not replicate itself; it has to be delivered to and launched by the user, and it arrives through email attachments, peer-to-peer networks, IRC, links in blog posts and similar channels. Win32 Pacex.Gen acts as a base for other Trojan variants, which is why the same file is reported under different names by different vendors (see the detection names below).

Risk Assessment

Home Users – LOW

Corporate Users – LOW

Trojan Characteristics

Filename: 3a5cfe0ea1ba4a529b8755fb9c2de106dc46c0fe.exe

Type: Trojan

Detection: Pacex.Gen

Length: 117 KB

Common Detection Names

Microsoft - PWS:Win32/OnLineGames.DL!dll

Kaspersky - Trojan-GameThief.Win32.Magania.gnh

Sophos - Mal/EncPk-CE

Symantec - Trojan.Zlob

ESET - Win32/Pacex.Gen

Symptoms

Win32 Pacex.Gen hijacks a running process's execution to run its own code and uses shared memory access to stay hidden from the user; because the code runs inside another process there is no separate process for the user to notice. It copies a .dll (dynamic link library) and an .exe file to the windows\system32 or windows\help folder and adds or modifies entries in the system registry. The .dll is not a driver: it is registered as a COM in-process server (see the registry entries under How it Works), which is what causes Windows to load it into host processes.

How it Works

Win32 Pacex.Gen creates executables in the windows\system32 folder and registers the .dll files associated with them, creating the environment it needs to run. It also places executable files in the windows\help folder so that the Trojan is executed whenever Windows Help is opened, for example by pressing F1.

It also copies an executable into the windows\temp folder under the name 3a5cfe0ea1ba4a529b8755fb9c2de106dc46c0fe.exe, and a corresponding .dll is registered so that this file runs at startup.

In the windows\help folder the Trojan drops f3c74e3fa248.dll and f3c74e3fa248.exe. Note that the .exe and .dll are dropped together; both are needed for the Trojan to run.

Apart from copying files into the windows\system32 and windows\help folders, it adds the following entries to the system registry. The DLL is registered as the in-process server of a new COM class, so any process that instantiates this CLSID loads the Trojan's DLL; no driver installation is involved.

%path1% = HKEY_LOCAL_MACHINE\software\classes\clsid\{1dbd6574-d6d0-4782-94c3-69619e719765}\

%path1% : (default) = ssuudl

%path1%\inprocserver32\ : (default) = c:\windows\help\f3c74e3fa248.dll

Removal Instructions

To remove Win32 Pacex.Gen, restart the computer and press the F8 key during startup, before the Windows logo appears. From the list of options choose Safe Mode; this matters because the Trojan's DLL is loaded into running processes and cannot be deleted while a process holds it open. In Safe Mode, delete the two files f3c74e3fa248.dll and f3c74e3fa248.exe from the windows\help folder and the copy named 3a5cfe0ea1ba4a529b8755fb9c2de106dc46c0fe.exe from windows\temp, then remove the registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{1dbd6574-d6d0-4782-94c3-69619e719765} so that no orphaned InprocServer32 entry keeps pointing at the deleted DLL. Restart the system normally and perform a full scan with a good antivirus product; Pacex.Gen is a generic detection and other variants use other file names, so do not rely on the manual deletion alone. I recommend using ESET NOD32 or McAfee antivirus.

Note: Before performing the scan, disable System Restore and run Disk Cleanup on the drive where Windows is installed; otherwise a copy of the Trojan preserved in a restore point or in a temporary-file cache can be brought back after removal.
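The following PowerShell script is added here as a worked example; it is not part of the original analysis and not a vendor tool. It checks a host for the indicators listed in How it Works (the two files in windows\help, the copy in windows\temp, the CLSID registration) and for any process that currently has the DLL mapped, which is the "hijacked process" symptom, and with -Remove it performs the deletions from the removal instructions. The file names, folders and CLSID are the ones from this page; the -Remove switch, the output format and the assumption that Windows lives under %SystemRoot% are this example's own.

```powershell
# Added example (not from the original analysis): audit and optionally clean the
# Win32/Pacex.Gen indicators described on this page. Run from an elevated prompt,
# preferably in Safe Mode so that the DLL is not loaded into any process.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove   # without this switch the script only reports
)

$sysRoot = $env:SystemRoot   # normally C:\Windows (assumption: standard install)

# Indicators taken from the page. Other Pacex.Gen variants use other names, so a clean
# result here does not replace a full antivirus scan.
$dllName = 'f3c74e3fa248.dll'
$files = @(
    (Join-Path $sysRoot "help\$dllName"),
    (Join-Path $sysRoot 'help\f3c74e3fa248.exe'),
    (Join-Path $sysRoot 'temp\3a5cfe0ea1ba4a529b8755fb9c2de106dc46c0fe.exe')
)
$clsidKey = 'HKLM:\SOFTWARE\Classes\CLSID\{1dbd6574-d6d0-4782-94c3-69619e719765}'

$found = $false

# 1. Processes that have the DLL mapped. Reported only: a file held open by a process
#    cannot be deleted, so reboot into Safe Mode before running with -Remove.
foreach ($proc in Get-Process) {
    $modules = @()
    try { $modules = $proc.Modules } catch { }   # access denied for some system processes
    if ($modules | Where-Object { $_.ModuleName -ieq $dllName }) {
        $found = $true
        Write-Output ("LOADED  {0} (PID {1}) has {2} mapped" -f $proc.ProcessName, $proc.Id, $dllName)
    }
}

# 2. Dropped files. Record size and SHA-256 before deleting so the sample can be
#    submitted to a vendor or matched against other hosts later.
foreach ($path in $files) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $found = $true
        $size = (Get-Item -LiteralPath $path).Length
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Output ("FILE    {0}  size={1}  sha256={2}" -f $path, $size, $sha256)
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Delete file')) {
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# 3. COM registration. The (default) value of InprocServer32 is the path Windows loads
#    when the CLSID is instantiated; report it even if the file is already gone.
if (Test-Path -LiteralPath $clsidKey) {
    $found = $true
    $server = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    Write-Output ("REGKEY  {0}  InprocServer32={1}" -f $clsidKey, $server)
    if ($Remove -and $PSCmdlet.ShouldProcess($clsidKey, 'Delete registry key')) {
        Remove-Item -LiteralPath $clsidKey -Recurse -Force
    }
}

if (-not $found) { Write-Output 'No Win32/Pacex.Gen indicators from this page were found.' }
```

Run it once without -Remove to see what is present and to capture hashes; with -Remove it deletes the files and the key, and because of SupportsShouldProcess it honours -WhatIf and -Confirm. Removing the CLSID key matters: an InprocServer32 entry left pointing at c:\windows\help\f3c74e3fa248.dll means that any later file dropped at that path is loaded again without a single new registry change.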