W32.Alcra.A

Risk Level 2: Low

Discovered:
May 17, 2005
Updated:
May 17, 2005 7:53:48 AM
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

SUMMARY

W32.Alcra.A is a worm that spreads through file-sharing networks, such as Kazaa, Ares, eMule, Morpheus, Grokster, Bearshare, Limewire, eDonkey2000, Gnucleus, Shareaza, and Rapigator. The worm also drops a W32.Spybot.Worm variant into the compromised computer.

TECHNICAL DETAILS

Renamed from W32.Alcan.A to W32.Alcra.A.


Once the worm is executed, it creates the following hidden and system files, which are all two bytes in size:
%System%\regedit.com
%System%\taskmgr.exe
%System%\tasklist.com
%System%\taskkill.com
%System%\netstat.com
%System%\tracert.com
%System%\ping.com
%System%\cmd.com

The worm then copies itself as the following:
%ProgramFiles%\MSConfigs\MSConfigs.exe
%System%\bt.exe
%System%\z.tmp

It creates a zip copy of itself as %System%\temp.zip that contains the file setup.exe.

It also creates a harmless file called %System%\bszip.dll.

Next, the worm creates and runs the following file, which is a variant of W32.Spybot.Worm:
%System%\p2pnetwork.exe (The file attributes are set to system, hidden, and read-only.)

The dropped W32.Spybot.Worm variant opens a back door.

The worm then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MsConfigs" = "MsConfigs.exe"

The worm searches for folders whose name contains one of the following:
\shared
\Ares\My Shared Folder
\eMule\Incoming
\Kazaa\My Shared Folder
My Shared Folder
\morpheus\My Shared Folder
\grokster\my grokster
\Bearshare\Shared
\Limewire\Shared
\Edonkey2000\Incoming
\gnucleus\downloads
\shareaza\downloads
\rapigator\share

It may then copy itself into any folder whose name matches one of the fragments above, using one of the following file names:
winis.exe
win32exe.exe
wini.exe
winlogins.exe
muamgr.exe
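As an added host-triage example (not part of the Symantec writeup, and not a Symantec tool), the following Python script checks a machine for the indicators listed above: the two-byte command stubs and dropped files in %System%, the worm's Run value in a .reg export, and copies of the worm inside folders whose names match the file-sharing paths it searches for. File size matters for the stubs: taskmgr.exe is a legitimate file in %System%, and the .com names sit ahead of the matching .exe tools in the default PATHEXT search order, so the check reports a stub only when it is exactly two bytes, as the writeup describes. The sample directory tree and the sample .reg text are constructed for the demonstration; the function names are my own.

```python
"""Host-triage checks for the W32.Alcra.A indicators listed in the writeup.

Everything below the constants is a constructed demonstration: build_demo_tree()
creates a throwaway directory tree that mimics an infected %System% folder and a
Kazaa shared folder, and SAMPLE_REG_EXPORT is a hand-written .reg fragment.
"""
import os
import tempfile
from pathlib import Path

# Two-byte stub files the worm writes into %System% (names from the writeup).
TWO_BYTE_STUBS = {"regedit.com", "taskmgr.exe", "tasklist.com", "taskkill.com",
                  "netstat.com", "tracert.com", "ping.com", "cmd.com"}
# Other files the worm drops into %System% (names from the writeup).
DROPPED_FILES = {"bt.exe", "z.tmp", "temp.zip", "bszip.dll", "p2pnetwork.exe"}
# Names the worm uses for copies placed in file-sharing folders (from the writeup).
P2P_COPY_NAMES = {"winis.exe", "win32exe.exe", "wini.exe", "winlogins.exe", "muamgr.exe"}
# Folder-name fragments the worm searches for (from the writeup); matched case-insensitively.
SHARE_FOLDER_MARKERS = [
    r"\shared", r"\Ares\My Shared Folder", r"\eMule\Incoming",
    r"\Kazaa\My Shared Folder", r"My Shared Folder", r"\morpheus\My Shared Folder",
    r"\grokster\my grokster", r"\Bearshare\Shared", r"\Limewire\Shared",
    r"\Edonkey2000\Incoming", r"\gnucleus\downloads", r"\shareaza\downloads",
    r"\rapigator\share",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_LINE = '"MsConfigs"="MsConfigs.exe"'   # .reg syntax for the worm's Run entry


def scan_system_dir(system_dir):
    """Return sorted (filename, reason) pairs for Alcra indicators in a %System% folder.

    The stub names collide with legitimate tools (taskmgr.exe is a real file), so a
    stub is only reported when its size is exactly two bytes, as the writeup states.
    """
    hits = []
    for entry in Path(system_dir).iterdir():
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in TWO_BYTE_STUBS and entry.stat().st_size == 2:
            hits.append((entry.name, "two-byte command stub"))
        elif name in DROPPED_FILES:
            hits.append((entry.name, "dropped file"))
    return sorted(hits)


def is_share_folder(path):
    """True if the folder path contains one of the worm's target-name fragments."""
    norm = str(path).replace("\\", "/").lower()
    return any(m.replace("\\", "/").lower() in norm for m in SHARE_FOLDER_MARKERS)


def scan_share_folders(root):
    """Walk root; return paths of worm copies found inside folders the worm targets."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if not is_share_folder(dirpath):
            continue
        found.extend(os.path.join(dirpath, f) for f in files if f.lower() in P2P_COPY_NAMES)
    return sorted(found)


def run_key_present(reg_export_text):
    """Check the text of a .reg export for the worm's value under the Run key."""
    section = None
    for line in reg_export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]           # current key, e.g. [HKEY_LOCAL_MACHINE\...]
        elif section and section.lower() == RUN_KEY.lower() and line.lower() == RUN_VALUE_LINE.lower():
            return True
    return False


# Constructed sample .reg fragment, as `reg export` would write it (hypothetical content).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsConfigs"="MsConfigs.exe"
"""


def build_demo_tree():
    """Constructed sample: an infected-looking %System% plus a Kazaa shared folder."""
    root = Path(tempfile.mkdtemp(prefix="alcra_demo_"))
    system = root / "WINDOWS" / "system32"
    system.mkdir(parents=True)
    for stub in ("ping.com", "cmd.com"):
        (system / stub).write_bytes(b"\x00\x00")                   # two-byte stubs
    (system / "taskmgr.exe").write_bytes(b"MZ" + b"\x00" * 100)    # legitimate size: must not fire
    (system / "p2pnetwork.exe").write_bytes(b"MZ")                 # dropped Spybot variant
    share = root / "Program Files" / "Kazaa" / "My Shared Folder"
    share.mkdir(parents=True)
    (share / "winlogins.exe").write_bytes(b"MZ")                   # worm copy in a targeted folder
    other = root / "Program Files" / "Other"
    other.mkdir(parents=True)
    (other / "winis.exe").write_bytes(b"MZ")                       # same name, untargeted folder
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print(scan_system_dir(demo_root / "WINDOWS" / "system32"))
    print(scan_share_folders(demo_root))
    print(run_key_present(SAMPLE_REG_EXPORT))
```

On a real host, point scan_system_dir at %SystemRoot%\system32, walk each drive root with scan_share_folders, and feed run_key_present the contents of a file produced by `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (open it with encoding="utf-16", which is what reg export writes). Note that scan_share_folders only reports the worm's file names inside folders matching the writeup's fragments; a copy under any other name, or in any other folder, would need a hash or AV signature to catch.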