W32/Alcaul-E   Aliases: W32.Alcarys@mm

Discussion in 'malware problems & news' started by FanJ, Feb 20, 2002.


    Name: W32/Alcaul-E
    Aliases: W32.Alcarys@mm
    Type: Win32 worm
    Date: 20 February 2002

    At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

    Description:

    W32/Alcaul-E is a complex worm which can overwrite COM and SCR files. It also replaces HTML files with code that will execute a copy of the worm which it creates in C:\Windows\system\inet.exe.
    Infected HTML files are detected by this identity as W32/Alcaul-E.

    If Outlook is installed the worm will attempt to email itself to all contacts from the Outlook Address book. The email will have the following characteristics:

    Subject: sounds of sex and other stuffs
    Message body: ....Hear me and my girlfriend moan... We spent
    .....
    Attachments: SexSound.exe, wwwEcstasyRUscom, syra.scr and readme.txt.

    The first three attachments are copies of the worm and opening any of them will cause the worm to activate. Readme.txt is a text file.

    The worm may spread using IRC if the service is installed on the computer. The script.ini file created by the worm is detected as mIRC/Simp-Fam.

    W32/Alcaul-E also has the ability to infect Word documents by embedding an infected object in them. Affected Word documents will have had their original contents removed. When an infected document is opened, macro code within the document copies the file to normal.doc in the Windows directory and creates a file called winword.reg in the Windows Startup directory. It also creates a batch file called winword.bat in the same directory, which runs winword.reg when Windows next restarts. The REG file will attempt to modify the Word security settings in the registry.

    Finally, the worm will overwrite all TXT, WRI and PDF files with itself and use the Office Assistant to display the message

    "Whew!! Wassup,doc? You have so many document files in your hard drive.. Better remove some..?".

    Word files which have been affected by the worm will be detected by this identity as WM97/Alcaul-E.


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32alcaule.html
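A defender-side triage script for the on-disk artifacts this advisory lists (the inet.exe drop, the Startup-folder winword.reg/winword.bat, HTML pages pointing at the dropper, and TXT/WRI/PDF files that now carry a PE header), added here as an example; it is not Sophos's or the poster's code, and the sample tree and its byte contents are constructed placeholders:

```python
# Host triage for the on-disk artifacts described in the advisory.
# Added example with constructed sample data; not Sophos code and not the worm.
import ntpath
from typing import Dict, List

STARTUP_DROPS = {"winword.reg", "winword.bat"}   # written by the Word macro
HTML_EXTS = {".htm", ".html"}
DOC_EXTS = {".txt", ".wri", ".pdf"}              # overwritten with the worm body

def check_file(path: str, data: bytes) -> List[str]:
    """Return the findings for one file; an empty list means nothing matched."""
    findings: List[str] = []
    norm = path.replace("/", "\\").lower()       # tolerate mounted-image paths
    name = ntpath.basename(norm)
    ext = ntpath.splitext(name)[1]
    # 1. the dropped executable that replaced HTML pages are made to launch
    if norm.endswith("\\windows\\system\\inet.exe"):
        findings.append("dropper copy at Windows\\system\\inet.exe")
    # 2. persistence left behind by the infected Word document
    if "\\startup\\" in norm and name in STARTUP_DROPS:
        findings.append(f"{name} in Startup folder")
    # 3. an HTML page that points at the dropper
    if ext in HTML_EXTS and b"inet.exe" in data.lower():
        findings.append("HTML page references inet.exe")
    # 4. a "document" that is really a PE image: the worm wrote itself over it
    if ext in DOC_EXTS and data[:2] == b"MZ":
        findings.append(f"{ext} file starts with a PE (MZ) header")
    return findings

def scan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run check_file over a path->bytes map; only paths with findings are returned."""
    return {p: hits for p, d in files.items() if (hits := check_file(p, d))}

# Constructed sample tree (placeholder bytes, not real captures).
SAMPLE = {
    r"C:\Windows\system\inet.exe": b"MZ\x90\x00placeholder",
    r"C:\Windows\Start Menu\Programs\Startup\winword.bat": b"winword.reg\r\n",
    r"C:\Windows\Start Menu\Programs\Startup\winword.reg": b"REGEDIT4\r\n",
    r"C:\docs\index.html": b"<html><!-- points at C:\\Windows\\system\\inet.exe --></html>",
    r"C:\docs\report.pdf": b"MZ\x90\x00placeholder",
    r"C:\docs\notes.txt": b"plain text, untouched",
    r"C:\docs\real.pdf": b"%PDF-1.4 untouched",
}

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(path, "->", "; ".join(hits))
```

On a real host, build the mapping with os.walk and read only the first few kilobytes of each file; the checks above only need the header and the page text.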