HTTP W32 Alcra Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Alcra communication activity over HTTP, which could result in the download of updates to W32.Alcra.

Additional Information

When W32.Alcra.F is executed, it performs the following actions:

1. Attempts to disable several programs by creating the following empty files with the hidden and system attributes set. Because Windows command lookup tries the extensions in PATHEXT in order, with .COM ahead of .EXE, an empty cmd.com placed beside cmd.exe in %System% is what runs when a user types cmd, so the real tool appears broken:

* %System%\cmd.com
* %System%\netstat.com
* %System%\ping.com
* %System%\regedit.com
* %System%\taskkill.com
* %System%\tasklist.com
* %System%\tracert.com

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Modifies attributes of the %System% folder.

3. Copies itself as %ProgramFiles%\outlook\outlook.exe.

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

4. Adds the value:

"outlook" = "%ProgramFiles%\outlook\outlook.exe /auto"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

5. Displays the following message:

Title: Setup
Body: Setup detected a corruption setup will now terminate.

6. Executes %ProgramFiles%\outlook\outlook.exe. Once outlook.exe is executed, it copies itself as %ProgramFiles%\outlook\v.tmp and drops the following files:

* %System%\bszip.dll - a legitimate compression DLL that the worm uses to create the zip archive below
* %ProgramFiles%\outlook\p.zip - an archived copy of the worm, which is 202,477 bytes in length

7. Drops a variant of the W32.Spybot.Worm as one of the following files and executes it:

* %SystemDrive%\onces.exe
* %System%\winlog.exe

8. Attempts to connect to one of the following Web pages in order to verify that the computer is connected to the Internet:

* [http://]www.download.com/html/dl/all-titles/9000-[RANDOM LETTER]-2.html
* [http://]www.mininova.org
* [http://]www.torrentz.com/-[STRING]

Note: [STRING] is one of the following words:
* anime
* music
* movies
* tv
* software
* games
* other

9. Creates the folder %UserProfile%\Complete with the hidden and system attributes set, if the LimeWire application is installed on the compromised computer. It adds the folder to the DIRECTORIES_TO_SEARCH_FOR_FILES property in the LimeWire configuration file, which lists the folders LimeWire shares, so anything placed in the folder is offered to other LimeWire users.
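The HTTP activity this signature targets is the connectivity check in step 8. The following is an added example, not Symantec's signature logic or code from the page: it turns the three URL patterns listed above into anchored regular expressions, runs them over a handful of constructed Squid-style proxy log lines, and then applies an analyst threshold (several distinct patterns from one client) that is an assumption of the example rather than part of the signature, because all three destinations are popular legitimate sites.

```python
"""Added example: match the W32.Alcra connectivity-check URLs (step 8) in proxy logs.

Not Symantec's signature. Regexes are written from the patterns listed on the
page; the log lines and the min_rules threshold are constructed/assumed here.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# [RANDOM LETTER] is a single ASCII letter and [STRING] is one of the seven
# words the page enumerates. Anchoring the whole URL keeps near-misses such as
# 9000-ab-2.html or /-musician from matching.
_CONNECTIVITY_WORDS = "anime|music|movies|tv|software|games|other"
ALCRA_URL_RULES = {
    "download.com": re.compile(
        r"^http://www\.download\.com/html/dl/all-titles/9000-[A-Za-z]-2\.html$"),
    "mininova.org": re.compile(r"^http://www\.mininova\.org/?$"),
    "torrentz.com": re.compile(
        rf"^http://www\.torrentz\.com/-(?:{_CONNECTIVITY_WORDS})$"),
}


class Hit(NamedTuple):
    client: str
    url: str
    rule: str


# Squid native access.log layout:
#   time elapsed client code/status bytes method URL ident hierarchy type
# These lines are constructed for the example, not captured traffic.
SAMPLE_LOG = [
    "1149120000.123 45 10.0.0.17 TCP_MISS/200 512 GET http://www.download.com/html/dl/all-titles/9000-k-2.html - DIRECT/1.2.3.4 text/html",
    "1149120001.456 38 10.0.0.17 TCP_MISS/200 1024 GET http://www.torrentz.com/-movies - DIRECT/1.2.3.5 text/html",
    "1149120002.789 40 10.0.0.23 TCP_MISS/200 2048 GET http://www.download.com/html/dl/all-titles/9000-ab-2.html - DIRECT/1.2.3.4 text/html",
    "1149120003.012 50 10.0.0.23 TCP_MISS/200 4096 GET http://www.torrentz.com/-musician - DIRECT/1.2.3.5 text/html",
    "1149120004.345 60 10.0.0.42 TCP_MISS/200 8192 GET http://www.mininova.org/ - DIRECT/1.2.3.6 text/html",
]


def classify_url(url: str) -> Optional[str]:
    """Return the name of the rule the URL matches, or None."""
    for name, rx in ALCRA_URL_RULES.items():
        if rx.match(url):
            return name
    return None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Parse Squid-style lines and return every request that matches a rule."""
    hits: List[Hit] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line: skip instead of crashing the scan
        client, url = fields[2], fields[6]
        rule = classify_url(url)
        if rule:
            hits.append(Hit(client, url, rule))
    return hits


def suspect_clients(hits: Iterable[Hit], min_rules: int = 2) -> Dict[str, Set[str]]:
    """Clients that matched at least min_rules distinct rules.

    A single hit, above all the bare mininova.org root, is also produced by
    ordinary browsing. Requiring several distinct patterns from one client is
    an analyst threshold assumed by this example, not part of the signature.
    """
    by_client: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        by_client[h.client].add(h.rule)
    return {c: rules for c, rules in by_client.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.client} -> {h.url} [{h.rule}]")
    print("suspect clients:", suspect_clients(found))
```

On the sample input only 10.0.0.17 crosses the threshold: its two requests match two different rules, while 10.0.0.23's two requests are near-misses that the anchored patterns reject and 10.0.0.42's single mininova.org hit is too weak on its own. In practice a hit should be correlated with the host indicators above (the hidden .com files, the outlook Run value) before anyone acts on it.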

Affected

  • Windows

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.
4. Delete the "outlook" value the worm added to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey.