Thursday, 19 May 2005
W32.Alcra.A is a worm that spreads through file-sharing networks, such as Kazaa, Ares, eMule, Morpheus, Grokster, Bearshare, Limewire, eDonkey2000, Gnucleus, Shareaza, and Rapigator. The worm also drops a W32.Spybot.Worm variant onto the compromised computer.
Also Known As: W32.Alcan.A, P2P-Worm.Win32.Alcan.a [Kaspersky Lab], W32/Alcan.worm!p2p [McAfee]
Type: Worm
Infection Length: 423,693 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Alcra.A is executed, it performs the following actions:
Creates the following files:
%System%\regedit.com
%System%\taskmgr.exe
%System%\tasklist.com
%System%\taskkill.com
%System%\netstat.com
%System%\tracert.com
%System%\ping.com
%System%\cmd.com
Notes:
The files have attributes set to hidden and system, and are all two bytes in length.
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Copies itself as the following:
%ProgramFiles%\MSConfigs\MSConfigs.exe
%System%\t.exe
%System%\z.tmp
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
Creates a zip copy of itself as %System%\temp.zip that contains the file setup.exe.
Creates a harmless file called %System%\szip.dll.
Creates the file %System%\p2pnetwork.exe and runs it. It is a variant of W32.Spybot.Worm.
Notes:
The file attributes are set to system, hidden, and read_only.
The dropped W32.Spybot.Worm variant opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
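The file artifacts above are the most reliable thing to check for on a suspect machine. As an added example (not part of the Symantec writeup), the following Python script classifies a %System% directory listing into the two-byte hidden+system decoys, name collisions that need a second look, and the other dropped files. The decoy and dropped file names come from the writeup; the sample listing, its file sizes, the DirEntry type and the entries_from_dir helper are constructed here. Start > Run and cmd.exe resolve a bare command name through PATHEXT, which lists .COM ahead of .EXE, so a decoy such as regedit.com in %System% runs instead of regedit.exe when a user types "regedit"; that is why the decoys exist and why the size and attribute checks matter, since the legitimate taskmgr.exe matches the name list on its own.

```python
"""Classify %System% entries against the W32.Alcra.A file artifacts.

Added example, not Symantec's tooling. The decoy/dropped names are the ones
listed in the writeup; everything else here (sample listing, sizes, helpers)
is constructed for illustration.
"""
import os
import stat
from dataclasses import dataclass

# Two-byte hidden+system files the worm creates in %System% (from the writeup).
DECOY_NAMES = frozenset({
    "regedit.com", "taskmgr.exe", "tasklist.com", "taskkill.com",
    "netstat.com", "tracert.com", "ping.com", "cmd.com",
})
# Other files the writeup says the worm drops or copies into %System%.
DROPPED_NAMES = frozenset({"t.exe", "z.tmp", "temp.zip", "szip.dll", "p2pnetwork.exe"})


@dataclass(frozen=True)
class DirEntry:          # constructed type: one file in a directory listing
    name: str
    size: int
    hidden: bool
    system: bool


def entries_from_dir(path):
    """Build a listing from a real directory (attributes are Windows-only)."""
    out = []
    with os.scandir(path) as it:
        for e in it:
            if not e.is_file(follow_symlinks=False):
                continue
            st = e.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)  # 0 on non-Windows
            out.append(DirEntry(e.name, st.st_size,
                                bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                                bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)))
    return out


def classify(entries):
    """Return decoys (all indicators match), review (name only) and dropped files."""
    decoys, review, dropped = [], [], []
    for e in entries:
        n = e.name.lower()
        if n in DECOY_NAMES:
            # A decoy is exactly two bytes and carries hidden+system; a
            # legitimate taskmgr.exe shares the name but fails both checks.
            if e.size == 2 and e.hidden and e.system:
                decoys.append(e.name)
            else:
                review.append(e.name)
        elif n in DROPPED_NAMES:
            dropped.append(e.name)
    return {"decoys": decoys, "review": review, "dropped": dropped}


# Constructed listing: sizes are invented except for the two-byte decoys.
SAMPLE_LISTING = [
    DirEntry("regedit.com", 2, True, True),
    DirEntry("cmd.com", 2, True, True),
    DirEntry("netstat.com", 2, True, True),
    DirEntry("regedit.exe", 146432, False, False),   # legitimate, not in the list
    DirEntry("taskmgr.exe", 135680, False, False),   # legitimate, name collides
    DirEntry("p2pnetwork.exe", 98304, True, True),   # dropped Spybot variant
    DirEntry("temp.zip", 424000, True, True),        # zip copy of the worm
    DirEntry("notepad.exe", 69120, False, False),
]

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_LISTING).items():
        print(f"{bucket}: {names}")
```

On a live Windows system replace SAMPLE_LISTING with entries_from_dir(os.environ["SystemRoot"] + r"\System32") (or \System on Windows 9x); anything in the "decoys" bucket is a strong indicator, while "review" entries only need a size and attribute check.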
Adds the value:
"MsConfigs" = "MsConfigs.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs every time Windows starts.
Adds the value:
"p2pnetwork" = "p2pnetwork.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Lsa
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\System\CurrentControlSet\Lsa
so that the threat runs every time Windows starts.
Searches for folders whose name contains one of the following:
shared
Ares\My Shared Folder
eMule\Incoming
Kazaa\My Shared Folder
My Shared Folder
morpheus\My Shared Folder
grokster\my grokster
Bearshare\Shared
Limewire\Shared
Edonkey2000\Incoming
gnucleus\downloads
shareaza\downloads
rapigator\share
May copy itself as one of the following to any folders found:
winis.exe
win32exe.exe
wini.exe
winlogins.exe
muamgr.exe
================================
To delete the value from the registry
Click Start > Run.
Type regedit
Then click OK.
Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"MsConfigs" = "MsConfigs.exe"
Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Lsa
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\System\CurrentControlSet\Lsa
In the right pane, delete the value:
"p2pnetwork" = "p2pnetwork.exe"
Exit the Registry Editor.
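The registry persistence described in the "Adds the value" steps and undone in the removal steps above can be checked and cleaned from a .reg export instead of by hand in the Registry Editor, which also leaves a record of what was found. This is an added example, not Symantec's removal tool: the .reg dump, parse_reg, find_alcra_values and build_removal_reg are constructed here, while the key paths and value names are exactly those the writeup lists. It flags "MsConfigs" under the HKLM Run key and "p2pnetwork" under the eight listed subkeys, compares key names case-insensitively as the registry does, and writes a .reg file whose "name"=- lines delete only those values.

```python
"""Find and remove the W32.Alcra.A registry values from a .reg export.

Added example, not part of the Symantec writeup. Key paths and value names
are the ones the writeup lists; the sample export and helpers are constructed.
"""
import re

HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
OLE = r"SOFTWARE\Microsoft\Ole"
LSA = r"System\CurrentControlSet\Lsa"      # path exactly as the writeup gives it


def _key(hive, path):
    """Registry key names are case-insensitive, so compare in lower case."""
    return (hive + "\\" + path).lower()


# value name (lower case) -> set of subkeys (lower case) where it is malicious
WATCHLIST = {
    "msconfigs": {_key(HKLM, RUN)},
    "p2pnetwork": {_key(h, p) for h in (HKLM, HKCU)
                   for p in (RUN, RUNSERVICES, OLE, LSA)},
}

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]\s*$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][_unescape(m.group(1))] = data
    return keys


def find_alcra_values(keys):
    """Return (key, value_name, data) for every watched value in a watched key."""
    hits = []
    for key, values in keys.items():
        for name, data in values.items():
            watched = WATCHLIST.get(name.lower())
            if watched and key.lower() in watched:
                hits.append((key, name, data))
    return hits


def build_removal_reg(hits):
    """Emit a .reg file that deletes exactly the flagged values ("name"=-)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in hits}):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for k, name, _ in hits if k == key)
        lines.append("")
    return "\n".join(lines)


# Constructed export: two watched keys with the worm's values, one benign
# value beside them, and an unrelated key reusing the name (not flagged).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsConfigs"="MsConfigs.exe"
"p2pnetwork"="p2pnetwork.exe"
"SoundMgr"="C:\\Program Files\\Audio\\soundmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"p2pnetwork"="p2pnetwork.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"p2pnetwork"="p2pnetwork.exe"

[HKEY_CURRENT_USER\Software\Unrelated\App]
"p2pnetwork"="not in a watched key"
'''

if __name__ == "__main__":
    found = find_alcra_values(parse_reg(SAMPLE_REG))
    for key, name, data in found:
        print(f"{key}  {name} = {data}")
    print(build_removal_reg(found))
```

A real export comes from `reg export <key> <file.reg>` for each subkey listed in the removal steps; the generated file is applied with `reg import`, after the worm's files have been dealt with, so the value is not recreated at the next start.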