W32.Alcra.D is a worm that spreads through the Limewire file-sharing network. It attempts to disable several programs and drop a W32.Spybot.Worm variant on the compromised computer.
When W32.Alcra.D is executed, it performs the following actions:
1. Copies itself as, and executes, the following file:
* %ProgramFiles%\MsUpdate\MsUpdate.exe
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
2. Copies itself as the following file:
* %ProgramFiles%\MsUpdate\a.tmp
3. Attempts to disable several programs by creating the following files and setting their hidden and system attributes:
* %System%\cmd.com
* %System%\ping.com
* %System%\regedit.com
* %System%\taskkill.com
* %System%\tasklist.com
* %System%\tracert.com
* %System%\netstat.com
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
4. Adds the value:
"MsUpdate" = "%ProgramFiles%\MsUpdate\MsUpdate.exe /auto"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
5. Displays the following message:
Title: Windows Media Player
Body: Windows Media Player Does Not Support This Format
Click OK to exit.
6. Drops the following files:
* %SystemDrive%\xz.exe
* %System%\bszip.dll
* %ProgramFiles%\MsUpdate\a.zip
Note: %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
7. Executes the file %SystemDrive%\xz.exe, which is a copy of the W32.Spybot.Worm variant.
8. Attempts to connect to the Web site [http://]windowsupdate.microsoft.com/[REMOVED] in order to check that the compromised computer is connected to the Internet.
9. May also attempt to connect to the following Web page:
[http://]us.imdb.com/List?tv=on&&genres=[STRING]&&nav=/[REMOVED]Sections/Genres/[STRING]/include-titles&&heading=10;[STRING]
Note: Each [STRING] in the above URL is the same word, which can be one of the following:
* Adult
* Action
* Adventure
* Animation
* Comedy
* Crime
* Documentary
* Drama
* Family
* Fantasy
* Film-Noir
* Horror
* Music
* Musical
* Mystery
* Romance
* Sci-Fi
* Short
* Thriller
* War
* Western
10. Creates a folder called %SystemDrive%\Complete with the hidden attribute and adds the folder name to the DIRECTORIES_TO_SEARCH_FOR_FILES property in the Limewire configuration file.
11. If Limewire is installed on the compromised computer, the worm attempts to start it.
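As an added example (not part of the Symantec writeup), a read-only PowerShell audit that checks a host for the indicators listed above; it assumes the Windows XP-and-later layout where %System% is %SystemRoot%\System32, and it only reports, it does not remove anything.

```powershell
# Added example, not code from the writeup: audit a host for W32.Alcra.D indicators.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Persistence: the "MsUpdate" Run value pointing at MsUpdate.exe /auto
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['MsUpdate']) {
    $findings += "Run value 'MsUpdate' = $($run.MsUpdate)"
}

# 2. Dropped copies of the worm and its W32.Spybot.Worm payload
$dropped = @(
    "$env:ProgramFiles\MsUpdate\MsUpdate.exe",
    "$env:ProgramFiles\MsUpdate\a.tmp",
    "$env:ProgramFiles\MsUpdate\a.zip",
    "$env:SystemDrive\xz.exe",
    "$env:SystemRoot\System32\bszip.dll"
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 3. Shadowed tools: cmd.exe tries PATHEXT extensions in order (.COM before .EXE),
#    so a ping.com beside ping.exe is what runs when a user types "ping".
#    -Force is needed because the worm sets the hidden and system attributes.
foreach ($tool in 'cmd','ping','regedit','taskkill','tasklist','tracert','netstat') {
    $com = Join-Path $env:SystemRoot "System32\$tool.com"
    $item = Get-Item -LiteralPath $com -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Shadow file $com (attributes: $($item.Attributes))"
    }
}

# 4. Hidden share folder the worm registers with Limewire
$complete = Join-Path $env:SystemDrive 'Complete'
$dir = Get-Item -LiteralPath $complete -Force -ErrorAction SilentlyContinue
if ($dir -and ($dir.Attributes -band [IO.FileAttributes]::Hidden)) {
    $findings += "Hidden folder present: $complete"
}

if ($findings.Count -eq 0) { 'No W32.Alcra.D indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt so the Run key and System32 are readable; any hit on the shadow-file check means the listed command-line tools cannot be trusted on that host until the .com files are removed.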
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.d.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"MsUpdate" = "%ProgramFiles%\MsUpdate\MsUpdate.exe /auto"
6. Exit the Registry Editor.