Threat description



Alcarys is an e-mail worm written in Visual Basic. The worm's executable file is compressed by UPX file compressor. The worm was first discovered in February 2002.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


The worm puts a shortcut on the desktop with the 'free XXX Passwords.lnk' name and points the link to 'c:\xxxpasswords.doc' file. Also the worm creates another shortcut on the desktop with the name 'mailme.url' and when this shortcut is clicked, an e-mail client opens a new messages to '' which is the worm's author e-mail address.

The worm attempts to download and run the 'update.exe' file from an account at free web hosting service. To do this the worm creates the 'c:\v.vbs' file with appropriate commands and starts it.

The worm creates 'c:\dnserror1.html' file that has the text 'Hello... Click here to start...'. The 'here' word is a link to 'c:\windows\system\inet.exe' file that is one of worm's copies. This file has author's credits: '--by'.

The worm will create copies of itself in a system with the following names:

	c:\windows\system\inet.exe 	c:\windows\ 	c:\syra.scr 	c:\windows\system\tmp.tmp 	c:\SexSound.exe 	c:\windows\opme.co_ 	c:\ 	a:\moans.exe 	c:\ 	f:\pussy.scr

The worm creates 'c:\readme.txt' file with the following text:

	A Collection Of Haiku 	------------------ 	Dried marijuana... 	And my grandfather's old pipe... 	Tears in my red eyes... 	------------------ 	Condoms in the bag... 	A lustful stare from your eyes... 	In the girl's rest room... 	------------------

The worm looks for windows with the following text and attempts to close them:

	PC-cillin 2000 : Virus Alert 	JavaScan 	DAPDownloadManager 	Real-time Scan 	Pop3trap 	AVP Monitor 	IOMON98 	NAI_VS_STAT

The worm creates and imports 'c:\v.reg' file to modify Microsoft Word security settings, to create the startup key for its files in the Registry:

	[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*inet] 	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\*cmd] 	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*autorun]

Also the worm changes Windows registration information to:

	RegisteredOwner = '' 	ProductName = 'syra, the worm'

If mIRC client is found on an infected system the worm creates 'script.ini' file in 'c:\mirc\' folder. This script file contains commands that will send the 'c:\windows\opme.co_' file to all people joining and leaving an infected channel. Together with itself the worm will send one of the following text messages:

Hello.. Do you wanna be an operator of this channel? Here's a software from mIRCx.. First, you'll have to convert it to a .com file then run it and become a channel operator instantly...
Be a channel operator using this software from mIRCx... First, you'll have to convert it to a .com file then run it and become a channel operator instantly...

To spread itself the worm opens Outlook Address Book and sends itself to all e-mail addresses it can find there. Infected messages look like this:

	Subject:	sounds of sex and other stuffs" 	Body:		....Hear me and my girlfriend moan...We spent yesterday's night having sex... 			I've also included a list of haiku, a cool talking screensaver and a link to a site 			offering cheap ecstasy pills.. enjoy.. 	Attachment:	sexsounds.wav
(which is 'sexsound.exe' file) 			haiku for you
(which is 'readme.txt' file)
(which is '' file) 			the cool talking screensaver
(which is 'syra.scr' file).

After spreading the worm will create the 'c:\alcopaul.html' file with the text 'Infected by Syra' and show a messagebox:

	w32.hllp.syra.b by alcopaul 	you've been hit by, you've been struck by the smooth criminal, AW!

The worm has a dangerous payload. It overwrites all HTM and HTML files in can find on a system with the contents of 'c:\dnserror1.html' file (see above). Also the worm overwrites all COM and SCR files (except COMMAND.COM and WIN.COM) with its copy. Also the worm creates 'satellite' files for every WAV and MP3 file it can find on an infected system. The worm copies itself with the name of a found MP3 or WAV file and adds EXE extension. Also the worm tries to overwrite the following files:

	avpm.exe 	_avpm.exe 	avp32.exe 	_avp32.exe 	vshwin32.exe

F-Secure Anti-Virus detects this worm with the updates published on 25th of February, 2002.


This variant is not in the wild. F-Secure is currently analysing this worm variant.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info