P2P Worm Alcan

Discussion in 'news, general information and FAQs' started by Pieter_Arntz, May 14, 2005.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Showing in a HijackThis log as

    O4 - HKLM\..\Run: [MsConfigs] C:\Program Files\MsConfigs\MsConfigs.exe
    identified by KAV as
    P2P-Worm.Win32.Alcan.a

    Usually seen in the company of:
    O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
    O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
    O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
    O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
    identified as:
    Backdoor.Win32.Rbot.pd

    Users can complain about regedit not working and being unable to kill tasks. This is caused by the extra files that are dropped in the System(32) directory.

    Check the code box below if the paths to the files fit for the version of the Windows OS.


    Big thanks to Kevin McAleavey (BOClean)
     
    Last edited: May 14, 2005
  2. Pieter_Arntz

    A removal script is available for this variant and a few newer ones.

    These can be recognized in a HijackThis log by the following lines:

    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto

    O4 - HKLM\..\Run: [MsUpdate] C:\Program Files\MsUpdate\MsUpdate.exe /auto
    O4 - HKLM\..\Run: [ms-update] scvhost.exe
    O4 - HKLM\..\RunServices: [ms-update] scvhost.exe

    O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto

    Download and unzip BFUzip from http://computercops.biz/zx/Merijn/bfu.zip
    Run the program and click the Web button as shown here:

    Use this URL to copy into the address bar of the Download script window:
    http://metallica.geekstogo.com/p2pnetwork.bfu

    Execute the script by clicking the Execute button.

    If you have any questions about the use of BFU please read here:
    http://metallica.geekstogo.com/BFUinstructions.html
     
    Last edited: Sep 25, 2005