Alcarys is an e-mail worm written in Visual Basic. The worm's executable file is compressed by UPX file compressor. The worm was first discovered in February 2002.
Disinfection & Removal
The worm puts a shortcut on the desktop with the 'free XXX Passwords.lnk' name and points the link to 'c:\xxxpasswords.doc' file. Also the worm creates another shortcut on the desktop with the name 'mailme.url' and when this shortcut is clicked, an e-mail client opens a new messages to 'firstname.lastname@example.org' which is the worm's author e-mail address.
The worm attempts to download and run the 'update.exe' file from an account at www.tripod.com free web hosting service. To do this the worm creates the 'c:\v.vbs' file with appropriate commands and starts it.
The worm creates 'c:\dnserror1.html' file that has the text 'Hello... Click here to start...'. The 'here' word is a link to 'c:\windows\system\inet.exe' file that is one of worm's copies. This file has author's credits: '--by alcopaul.ph--'.
The worm will create copies of itself in a system with the following names:
c:\windows\system\inet.exe c:\windows\cmd.com c:\syra.scr c:\windows\system\tmp.tmp c:\SexSound.exe c:\windows\opme.co_ c:\autorun.com a:\moans.exe c:\www.EcstasyRUs.com f:\pussy.scr
The worm creates 'c:\readme.txt' file with the following text:
A Collection Of Haiku ------------------ Dried marijuana... And my grandfather's old pipe... Tears in my red eyes... ------------------ Condoms in the bag... A lustful stare from your eyes... In the girl's rest room... ------------------
The worm looks for windows with the following text and attempts to close them:
PC-cillin 2000 : Virus Alert JavaScan DAPDownloadManager Real-time Scan Pop3trap AVP Monitor IOMON98 NAI_VS_STAT
The worm creates and imports 'c:\v.reg' file to modify Microsoft Word security settings, to create the startup key for its files in the Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*inet] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\*cmd] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*autorun]
Also the worm changes Windows registration information to:
RegisteredOwner = 'alcopaul.ph' ProductName = 'syra, the worm'
If mIRC client is found on an infected system the worm creates 'script.ini' file in 'c:\mirc\' folder. This script file contains commands that will send the 'c:\windows\opme.co_' file to all people joining and leaving an infected channel. Together with itself the worm will send one of the following text messages:
Hello.. Do you wanna be an operator of this channel? Here's a software from mIRCx.. First, you'll have to convert it to a .com file then run it and become a channel operator instantly... Be a channel operator using this software from mIRCx... First, you'll have to convert it to a .com file then run it and become a channel operator instantly...
To spread itself the worm opens Outlook Address Book and sends itself to all e-mail addresses it can find there. Infected messages look like this:
Subject: sounds of sex and other stuffs" Body: ....Hear me and my girlfriend moan...We spent yesterday's night having sex... I've also included a list of haiku, a cool talking screensaver and a link to a site offering cheap ecstasy pills.. enjoy.. Attachment: sexsounds.wav (which is 'sexsound.exe' file) haiku for you (which is 'readme.txt' file) http://www.EcstasyRUs.com (which is 'www.EcstasyRUs.com' file) the cool talking screensaver (which is 'syra.scr' file).
After spreading the worm will create the 'c:\alcopaul.html' file with the text 'Infected by Syra' and show a messagebox:
w32.hllp.syra.b by alcopaul you've been hit by, you've been struck by the smooth criminal, AW!
The worm has a dangerous payload. It overwrites all HTM and HTML files in can find on a system with the contents of 'c:\dnserror1.html' file (see above). Also the worm overwrites all COM and SCR files (except COMMAND.COM and WIN.COM) with its copy. Also the worm creates 'satellite' files for every WAV and MP3 file it can find on an infected system. The worm copies itself with the name of a found MP3 or WAV file and adds EXE extension. Also the worm tries to overwrite the following files:
avpm.exe _avpm.exe avp32.exe _avp32.exe vshwin32.exe
F-Secure Anti-Virus detects this worm with the updates published on 25th of February, 2002.
This variant is not in the wild. F-Secure is currently analysing this worm variant.
Description Created: Analysis: Alexey Podrezov; F-Secure Corp.; February 25th, 2002