Aliases: W32/Pahatia-A, Worm.VB.al, W32/Hatipat.B, TR/Agent.AAL
Variants: W32.Pahatia.B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 30 May 2006
Damage: Low

Characteristics: W32.Pahatia.A is a worm, discovered on May 30, 2006, that infects computers by copying itself to local folders and mapped network drives. It mainly affects Windows systems such as Windows 2000, 95, 98, ME, NT, Server 2003 and XP.

More details about W32.Pahatia.A

W32.Pahatia.A copies itself under several file names, including system.exe, Temp.exe, My Documents.exe and many others. It also copies itself as Data [COMPUTER NAME].exe to folders and drives from D through Z. It then looks for subfolders of %UserProfile%\My Documents and copies itself again, this time as [FOLDER NAME].exe. The copying does not end there: after creating C:\Patah Hati.txt as an infection marker, the worm copies itself to C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system startup.pif. To complete its propagation, the worm adds values to some system registry subkeys and modifies values already stored in the system registry.
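The file artifacts named above can be turned into a quick triage sweep of a mounted drive or user profile. The script below is an added example, not part of the original entry; the function names, the reason labels, the computer name WORKSTATION7 and the sample tree are constructed for illustration, and it assumes the [FOLDER NAME].exe copy sits inside or beside the folder it is named after.

```python
import os
import tempfile
from pathlib import Path

MARKER = "patah hati.txt"            # infection marker (page: C:\Patah Hati.txt)
STARTUP_COPY = "system startup.pif"  # copy dropped in the All Users Startup folder

def scan(root, computer_name):
    """Return sorted (reason, path) leads for artifact names found under root."""
    data_copy = f"data {computer_name}.exe".lower()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        subdirs = {d.lower() for d in dirnames}
        for name in filenames:
            low = name.lower()
            if low == MARKER:
                findings.append(("infection-marker", here / name))
            elif low == STARTUP_COPY and here.name.lower() == "startup":
                findings.append(("startup-copy", here / name))
            elif low == data_copy:
                findings.append(("data-computername-copy", here / name))
            elif low.endswith(".exe") and (
                low[:-4] == here.name.lower() or low[:-4] in subdirs
            ):
                # Assumption: the [FOLDER NAME].exe copy sits inside or beside its folder.
                findings.append(("folder-named-exe", here / name))
    return sorted(findings, key=lambda f: (f[0], str(f[1])))

def build_sample_tree(base):
    """Create a constructed layout of empty files for the demo (no real samples)."""
    for rel in [
        "Patah Hati.txt",
        "Data WORKSTATION7.exe",
        "Documents and Settings/All Users/Start Menu/Programs/Startup/system startup.pif",
        "Users/alice/My Documents/Photos.exe",
        "Users/alice/My Documents/Photos/holiday.jpg",
        "Users/alice/My Documents/report.doc",   # benign
        "tools/setup.exe",                       # benign
    ]:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for reason, path in scan(tmp, "WORKSTATION7"):
            print(f"{reason:24} {path.relative_to(tmp)}")
```

A folder-named-exe hit is a lead rather than a verdict, since legitimate software often ships an executable named after its install folder; the marker file and the Startup .pif are the stronger signals.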

W32.Pahatia.A enters a computer stealthily through security exploits. Systems that have not been patched with the latest vulnerability updates are the ones usually infected. Once on a system, it waits for an Internet connection to become available, then accesses a remote file server to download malware onto the user's machine. The downloaded malware is installed stealthily, and the additional components make the computer more vulnerable. Some of the malware added to the system may transmit the user's PII (Personally Identifiable Information) to third parties.