Threat Description

Alcarys

Details

Aliases: Alcarys, I-Worm.Alcaul, W32/Alcarys@mm, W32.Alcarys@mm, Alcaul
Category: Malware
Type:
Platform: W32

Summary



Alcarys is an e-mail worm written in Visual Basic. The worm's executable file is compressed by UPX file compressor. The worm was first discovered in February 2002.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details




Variant:Alcarys.A

The worm puts a shortcut on the desktop with the 'free XXX Passwords.lnk' name and points the link to 'c:\xxxpasswords.doc' file. Also the worm creates another shortcut on the desktop with the name 'mailme.url' and when this shortcut is clicked, an e-mail client opens a new messages to 'alcopaul@cannabismail.com' which is the worm's author e-mail address.

The worm attempts to download and run the 'update.exe' file from an account at www.tripod.com free web hosting service. To do this the worm creates the 'c:\v.vbs' file with appropriate commands and starts it.

The worm creates 'c:\dnserror1.html' file that has the text 'Hello... Click here to start...'. The 'here' word is a link to 'c:\windows\system\inet.exe' file that is one of worm's copies. This file has author's credits: '--by alcopaul.ph--'.

The worm will create copies of itself in a system with the following names:

	c:\windows\system\inet.exe
	c:\windows\cmd.com
	c:\syra.scr
	c:\windows\system\tmp.tmp
	c:\SexSound.exe
	c:\windows\opme.co_
	c:\autorun.com
	a:\moans.exe
	c:\www.EcstasyRUs.com
	f:\pussy.scr

The worm creates 'c:\readme.txt' file with the following text:

	A Collection Of Haiku
	------------------
	Dried marijuana...
	And my grandfather's old pipe...
	Tears in my red eyes...
	------------------
	Condoms in the bag...
	A lustful stare from your eyes...
	In the girl's rest room...
	------------------

The worm looks for windows with the following text and attempts to close them:

	PC-cillin 2000 : Virus Alert
	JavaScan
	DAPDownloadManager
	Real-time Scan
	Pop3trap
	AVP Monitor
	IOMON98
	NAI_VS_STAT

The worm creates and imports 'c:\v.reg' file to modify Microsoft Word security settings, to create the startup key for its files in the Registry:

	[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*inet]
	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\*cmd]
	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*autorun]

Also the worm changes Windows registration information to:

	RegisteredOwner = 'alcopaul.ph'
	ProductName = 'syra, the worm'

If mIRC client is found on an infected system the worm creates 'script.ini' file in 'c:\mirc\' folder. This script file contains commands that will send the 'c:\windows\opme.co_' file to all people joining and leaving an infected channel. Together with itself the worm will send one of the following text messages:

Hello.. Do you wanna be an operator of this channel? Here's a software from mIRCx..
First, you'll have to convert it to a .com file then run it and become a channel operator instantly... 
Be a channel operator using this software from mIRCx...
First, you'll have to convert it to a .com file then run it and become a channel operator instantly... 

To spread itself the worm opens Outlook Address Book and sends itself to all e-mail addresses it can find there. Infected messages look like this:

	Subject:	sounds of sex and other stuffs"
	Body:		....Hear me and my girlfriend moan...We spent yesterday's night having sex...
			I've also included a list of haiku, a cool talking screensaver and a link to a site
			offering cheap ecstasy pills.. enjoy..
	Attachment:	sexsounds.wav  (which is 'sexsound.exe' file)
			haiku for you  (which is 'readme.txt' file)
			http://www.EcstasyRUs.com  (which is 'www.EcstasyRUs.com' file)
			the cool talking screensaver  (which is 'syra.scr' file). 

After spreading the worm will create the 'c:\alcopaul.html' file with the text 'Infected by Syra' and show a messagebox:

	w32.hllp.syra.b by alcopaul
	you've been hit by, you've been struck by the smooth criminal, AW!

The worm has a dangerous payload. It overwrites all HTM and HTML files in can find on a system with the contents of 'c:\dnserror1.html' file (see above). Also the worm overwrites all COM and SCR files (except COMMAND.COM and WIN.COM) with its copy. Also the worm creates 'satellite' files for every WAV and MP3 file it can find on an infected system. The worm copies itself with the name of a found MP3 or WAV file and adds EXE extension. Also the worm tries to overwrite the following files:

	avpm.exe
	_avpm.exe
	avp32.exe
	_avp32.exe
	vshwin32.exe

F-Secure Anti-Virus detects this worm with the updates published on 25th of February, 2002.


Variant:Alcarys.B

This variant is not in the wild. F-Secure is currently analysing this worm variant.





Description Created: Analysis: Alexey Podrezov; F-Secure Corp.; February 25th, 2002


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More