W32.Alcarys.B@mm
javacool
February 25th, 2002, 05:10 PM
Link to Symantec news bulletin:
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcarys.b@mm.html
Enjoy! ;D
javacool
February 25th, 2002, 05:13 PM
Quote from Symantec website:
{QUOTE->
W32.Alcarys.B@mm
Discovered on: February 23, 2002
Last Updated on: February 23, 2002 at 08:07:57 PM PST
W32.Alcarys.B@mm is a massmailing worm that will send to all recipients in an affected user's address book. It will also stall the machine such that the machine will only be usable once it is started in MS-DOS mode. It will also overwrite many System files.
Type: Worm
Infection Length: 16,384 bytes
<snip>
Damage:
Payload Trigger: Execution of an infected file.
Payload:
Large scale e-mailing: Will mass-mail itself to all recipients in the affected user's address book
Deletes files: will overwrite all ".scr" and ".com" along with overwriting "regedit.exe", "regsvr32.exe" and "scanregw.exe"
Modifies files: modifies script.ini so that mIRC will send the worm.
Degrades performance: Enters an infinite loop due to the overwrite of REGEDIT.EXE so the machine will quickly run out of resource and crash.
Causes system instability: Enters an infinite loop due to the overwrite of REGEDIT.EXE so the machine will quickly run out of resource and crash.
<snip>
<-QUOTE}
javacool
February 25th, 2002, 05:15 PM
Technical Description of the worm:
{QUOTE->
Technical description:
W32.Alcarys.B@mm will copy itself to the following filenames:
"C:\WINDOWS\SYSTEM\REGSVR32.EXE"
"C:\WINDOWS\Desktop\win.exe"
"C:\WINDOWS\Desktop\Top Secret\clickme.exe"
"C:\WINDOWS\SendTo\Oceans11\watchme.exe"
"C:\WINDOWS\Favorites\A Beautiful Mind\watchme.exe"
"C:\WINDOWS\regedit.exe"
"C:\WINDOWS\scanregw.exe"
"C:\WINDOWS\tuneup.exe"
"C:\WINDOWS\rundll64.exe"
"C:\WINDOWS\windows.exe"
"C:\disney.scr"
"C:\file1980.com"
"C:\hacktool.co_"
"C:\movie.exe"
"C:\msmsgs.exe"
"C:\porno.scr"
"C:\screenxx.scr"
"C:\windows.exe"
"C:\windows.scr"
"C:\winstart.com"
"C:\Program Files\CurlySoft\viewer.dll"
"C:\Program Files\CurlySoft\pornview.exe"
"C:\Program Files\XXX Files\clickme.exe"
"C:\Recycled\alco.com"
It will also overwrite all ".SCR" files on the machine with itself. It will also create a directory "C:\WINDOWS\FILES" into which it will copy itself with a filename such as "file###.###.exe" where the # signs represent any number of numbers.
The worm will also overwrite all ".HTM" and ".HTML" files with an HTML file that will simply run the worm. It will also drop an html file "C:\blank.html".
The worm will also attempt to download a file and execute that file from the virus-writer's homepage.
The worm will also overwrite all Microsoft Excel and Microsoft Word documents that it finds on the affected user's machine with files that it creates "C:\XXXMOVIE.XLS" for Excel files and "C:\WINDOWS\NEWDOCUMENT.DOC". Both of these files will send e-mail to all recipients in the affected user's address book. These e-mail messages will have the following characteristics when sent from the Excel files:
Subject:
Nice Embedded Object
Body:
Check out the embedded object in the excel sheet...
Attachment:
The attachment name will vary. Whichever file it has overwritten will be attached to the e-mail message.
and the following when sent from Word:
Subject:
Nice Embedded Object
Body:
Check out the embedded object in the word document...
Attachment:
The attachment name will vary. Whichever file it has overwritten will be attached to the e-mail message.
The source to the macro components is first copied to the files "C:\xls.wps", "C:\doc.wps", and "C:\nor.wps". It will also create the infected documents "C:\porno.doc", "C:\xxxmovie.xls", "C:\windows\newdocument.doc".
The worm also creates the files:
"C:\v.vbs", a simple script file that will wait until a file has been downloaded and then it will send a key sequence to that application.
"C:\v.reg", a registry file that will modify the registry.
"C:\acs.acs", a simple text file that contains the text "another one bites the dust"
"C:\Windows\tmpdelis.bat", a simple batch file that will copy the file, "C:\program files\curlysoft\viewer.dll" to "c:\program files\curlysoft\run.com". It will also enter the data in "C:\v.reg" into the registry. Finally it will execute the file "C:\file1980.com"
The worm also creates the following shortcuts on the Desktop:
"New Document.lnk" a shortcut to open "C:\WINDOWS\newdocument.doc"
"Tips On How To Make Your Partner Wilder.lnk", a shortcut to open "C:\xxxmovie.xls"
"Porn Viewer version 1.01.lnk", a shortcut to open "C:\Program Files\Curlysoft\pornview.exe"
"ExecuteMe.lnk", a shortcut to open "C:\WINDOWS\rundll64.exe"
and "mailme.lnk", a shortcut to send mail to the virus writer.
The worm will also modify the following registry keys:
add value:
"Rundll64" = "c:\windows\rundll64.exe"
to the registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
add values:
"Windows Update" = "C:\WINDOWS\Start Menu\Programs\Windows Update\file###.###.exe"
"Regedit" = "C:\windows\regedit.exe"
to registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
set the default value to:
"c:\windows\scanregw.exe"
to registry key:
"HKEY_CLASSES_ROOT\mp3file\shell\open\command"
set the default value to:
"c:\windows\system\regsvr32.exe"
to the registry key:
"HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command"
set the default value to:
"c:\windows\tuneup.exe"
to the registry key:
"HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command"
set the default value to:
"c:\windows\system\regsvr32.exe"
to the registry key:
"HKEY_CLASSES_ROOT\mp3file\shell\play\command"
set the default value to:
"c:\windows\scanregw.exe"
to the registry key:
"HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command"
set the default value to:
"c:\windows\tuneup.exe"
to the registry key:
"HKEY_CLASSES_ROOT\JSFile\Shell\Open2\Command"
set the default value to:
"c:\recycled\alco.com"
to the registry key:
"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
add the values:
"*Windows" = "c:\windows\windows.exe"
and
"MSMSGS" = "c:\msmsgs.exe"
to the registry key:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
The worm will also attempt to spread using mIRC by modifying the script.ini file for mIRC.
The worm itself will also send e-mail messages to all recipients in the affected user's Address Book. These e-mail messages will have the following characteristics:
One of the following Subjects:
i've got cool stuffs here...
nice stuffs i got here...
check this out...
i want you to know how much i care for you...
hello! i'm your long, lost friend...
talk to me... tell me your name...
kindness is a virtue...
One of the following Bodies:
three files for you to keep... always remember that i'm into deep... i don't know you but i think i'm in love...
sharing files is the essence of living... check this out...
hi, friend... here are some nice stuffs that i got from the internet... check it out...
hmmmn... i guess you've forgotten me... but anyways, i wanna make up... here are the files that made me like the internet more... see for yourself...
check this out...
one of the files is a virus... can you tell me which one is it? hehehe, i'm only joking... your friend, paul..
4 attachments (1 from each of the following sets of filenames):
chinese fu_k.mpg (movie.exe) <Note: Filename has been edited so as to not post vulgarities>
amateur porn film.mpg (movie.exe)
jenna jameson clip.mpg (movie.exe)
lord of the rings clip.mpg (movie.exe)
fu_k of the month.mpg (movie.exe) <Note: Filename has been edited so as to not post vulgarities>
britney exposed.mpg (movie.exe)
and universe.scr (screenxx.scr)
solarsystem.scr (screenxx.scr)
sh_t.scr (screenxx.scr) <Note: Filename has been edited so as to not post vulgarities>
donald and minnie sex.scr (screenxx.scr)
baby dancing.scr (screenxx.scr)
kamasutra screensaver.scr (screenxx.scr)
and credit card hacktool (file1980.com)
windows xp ultimate crack (file1980.com)
http://www.meditation.com (file1980.com)
patch1981.com (file1980.com)
hack mirc server (file1980.com)
and disney.scr
Removal instructions:
Delete all files detected as W32.Alcarys.B@mm
remove the value:
"Rundll64" = "c:\windows\rundll64.exe"
from the registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
remove the values:
"Windows Update" = "C:\WINDOWS\Start Menu\Programs\Windows Update\file###.###.exe"
"Regedit" = "C:\windows\regedit.exe"
from the registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
restore the default value for the registry keys:
"HKEY_CLASSES_ROOT\mp3file\shell\open\command"
"HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command"
"HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command"
"HKEY_CLASSES_ROOT\mp3file\shell\play\command"
"HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command"
"HKEY_CLASSES_ROOT\JSFile\Shell\Open2\Command"
"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
remove the values:
"*Windows" = "c:\windows\windows.exe"
and
"MSMSGS" = "c:\msmsgs.exe"
from the registry key:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
<-QUOTE}
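The removal instructions above amount to a checklist of registry values, hijacked file-association commands and dropped files. The following PowerShell script is an added example, not code from Symantec or from this thread: it audits a machine for those indicators read-only and reports what it finds, leaving removal to a reviewed manual step or an AV product. All paths and value names are taken from the write-up; the only assumption is that the worm's `C:\WINDOWS` paths are literal (the write-up targets Windows 9x, so `RunServices` and some keys may simply not exist on a modern host, which the script treats as "not present").

```powershell
# Added example (not from the Symantec write-up): read-only audit for the
# W32.Alcarys.B@mm indicators listed in the removal instructions. Nothing is
# deleted or modified; each match is returned as a finding object for review.

# Registry values the worm adds. Patterns use -like so the numeric part of
# "file###.###.exe" can be matched with a wildcard.
$addedValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'Rundll64';       Pattern = 'c:\windows\rundll64.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Windows Update'; Pattern = 'C:\WINDOWS\Start Menu\Programs\Windows Update\file*.*.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Regedit';        Pattern = 'C:\windows\regedit.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = '*Windows';       Pattern = 'c:\windows\windows.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'MSMSGS';         Pattern = 'c:\msmsgs.exe' }
)

# Shell-open commands whose default value the worm replaces with a dropper.
$hijackedDefaults = @(
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\mp3file\shell\open\command';  Pattern = 'c:\windows\scanregw.exe' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\mp3file\shell\play\command';  Pattern = 'c:\windows\system\regsvr32.exe' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command';  Pattern = 'c:\windows\system\regsvr32.exe' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command'; Pattern = 'c:\windows\tuneup.exe' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command';   Pattern = 'c:\windows\scanregw.exe' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open2\Command';  Pattern = 'c:\windows\tuneup.exe' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command';  Pattern = 'c:\recycled\alco.com' }
)

# Dropped files with names that do not collide with legitimate Windows binaries.
# regedit.exe, regsvr32.exe and scanregw.exe are real system files that the worm
# overwrites, so their mere presence proves nothing; leave those to an AV scan.
$droppedFiles = @(
    'C:\file1980.com', 'C:\hacktool.co_', 'C:\movie.exe', 'C:\msmsgs.exe',
    'C:\disney.scr', 'C:\porno.scr', 'C:\screenxx.scr', 'C:\windows.scr',
    'C:\windows.exe', 'C:\winstart.com', 'C:\blank.html', 'C:\v.vbs', 'C:\v.reg',
    'C:\acs.acs', 'C:\Recycled\alco.com', 'C:\Windows\tmpdelis.bat',
    'C:\WINDOWS\tuneup.exe', 'C:\WINDOWS\rundll64.exe', 'C:\WINDOWS\windows.exe',
    'C:\Program Files\CurlySoft\viewer.dll', 'C:\Program Files\CurlySoft\pornview.exe',
    'C:\Program Files\XXX Files\clickme.exe'
)

function Get-RegValueOrNull {
    # Returns the named value (or the default value when $Name is '') as a
    # string, or $null when the key or value does not exist.
    param([string]$Key, [string]$Name = '')
    try {
        $item = Get-Item -Path $Key -ErrorAction Stop
        $v = $item.GetValue($Name)
        if ($null -eq $v) { return $null }
        return [string]$v
    } catch { return $null }
}

function Invoke-AlcarysAudit {
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($v in $addedValues) {
        $data = Get-RegValueOrNull -Key $v.Key -Name $v.Name
        if ($null -ne $data -and $data -like $v.Pattern) {
            $findings.Add([pscustomobject]@{ Type = 'RegistryValue'; Location = "$($v.Key)\$($v.Name)"; Data = $data })
        }
    }

    foreach ($h in $hijackedDefaults) {
        $data = Get-RegValueOrNull -Key $h.Key
        if ($null -ne $data -and $data -like $h.Pattern) {
            $findings.Add([pscustomobject]@{ Type = 'HijackedAssociation'; Location = $h.Key; Data = $data })
        }
    }

    foreach ($f in $droppedFiles) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Location = $f; Data = (Get-Item -LiteralPath $f).Length })
        }
    }

    return $findings
}

$result = Invoke-AlcarysAudit
if ($result.Count -eq 0) {
    Write-Output 'No W32.Alcarys.B@mm indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the `HKLM` and `HKEY_CLASSES_ROOT` keys are readable. A `HijackedAssociation` finding is the most telling one, since a `.txt`, `.vbs`, `.js` or `.mp3` open command pointing at a file under `C:\Recycled` or `C:\WINDOWS` is not a configuration any normal install produces; the `mIRC` `script.ini` change mentioned in the write-up is not covered because the advisory gives no path for it, so review that file by hand if mIRC is installed.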
Old_Sixteen
February 25th, 2002, 11:52 PM
Symantec has a rating of "Medium"?
McAfee write up:
http://vil.nai.com/vil/content/v_99366.htm
"This virus was sent to many anti-virus vendors by the virus author. It is not in the wild."
Message Lab: has no listing.
F-Secure: VARIANT: Alcarys.B
This variant is not in the wild. F-Secure is currently analysing this worm variant. [Analysis: Alexey Podrezov; F-Secure Corp.; February 25th, 2002]