Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 23.69.44 | eTrust Antivirus v7/8* (InoculateIT Engine) | |
| 11.x/9175 | eTrust Antivirus v7/8* (Vet Engine) | |
| 6.1x/6314 | eTrust EZ Antivirus 6.1x | |
| 6.2x/9175 | eTrust EZ Antivirus 6.2x | |
| 6.3x/9175 | eTrust EZ Antivirus 6.3x | |
| 6.4x/9175 | eTrust EZ Antivirus 6.4x | |
| 7.x/9175 | eTrust EZ Antivirus 7.x | |
| 10.6x/9175 | Vet Anti-Virus 10.6x | |
Description
Win32.Alcan.C is a worm that spreads via peer-to-peer file sharing networks and drops a variant of Win32.Rbot and downloads a variant of Win32.WinAd onto an affected machine. It has been distributed as a 444,928-byte, PE-Spin packed Win32 executable.
Method of Infection
When executed, Win32.Alcan.C copies itself to %Program Files%\winupdate\winupdate.exe and also creates a copy of itself in c:\z.tmp.
The worm then modifies the registry to execute itself at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdate = "\winupdate\winupdate.exe /auto"
In order to mask its presence, Alcan displays a fake install and error dialog during this process.
The worm also creates the clean file %System%\bszip.dll which is used for ZIP compression.
Notes:
'%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
'%Program Files%' is a variable location. The malware determines the location of the current Program Files folder by querying the operating system. A typical location for this folder is C:\Program Files.
Method of Distribution
Via P2P File Sharing
The worm searches the local system for directories containing any of the following:
shared
res\My Shared Folder
eMule\Incoming
Kazaa\My Shared Folder
My Shared Folder
morpheus\My Shared Folder
grokster\my grokster
earshare\Shared
Limewire\Shared
donkey2000\Incoming
gnucleus\downloads
shareaza\downloads
rapigator\share
In order to collect filenames to copy itself to, the worm downloads a series of pages from the newcracks.net web site, and saves lists of filenames published there to c:\x.txt, or c:\z.txt. Using the file bszip.dll, the worm then creates a copy of itself in ZIP format as c:\temp.zip. It then proceeds to copy itself in zip form using the harvested filenames to directories matching the above criteria. The file inside the zip is called 'setup.exe'.
Payload
Modifies System Settings
The worm creates the following files with the attributes Hidden and System:
%System%\cmd.com
%System%\netstat.com
%System%\ping.com
%System%\regedit.com
%System%\taskkill.com
%System%\tasklist.com
%System%\tracert.com
When a program is run without an extension, Windows first tries the name with .COM appended before looking for the same name with .EXE. This means that if the full file name is not used, one of the above files may be run instead of the intended program.
For example, typing 'regedit' will execute Alcan's 'regedit.com', whereas typing 'regedit.exe' will execute the real Regedit program.
Since most shortcuts launch programs using the full file name, this usually only takes effect when a program is launched from the command prompt or from "Run..." on the Start menu.
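A defender-side check for the shadowing described above, written as an added example (not CA's tooling): it lists every .COM file in a directory whose base name also exists as .EXE, reports whether the .COM carries the Hidden and System attributes, and marks the names this page attributes to Alcan.C. The directory it scans and the sample file names in the usage are assumptions.

```python
"""Find .COM files that shadow same-named .EXE programs (e.g. regedit.com beside
regedit.exe) in a directory such as %System%.  Added example, not the vendor's
own tooling; the default scan target and any sample names are assumptions."""
import os
import stat
import sys
from pathlib import Path

# File names this page attributes to Alcan.C; used to rank findings, not to limit them.
KNOWN_ALCAN_NAMES = {"cmd", "netstat", "ping", "regedit", "taskkill", "tasklist", "tracert"}


def is_hidden_system(path: Path) -> bool:
    """True if the file has both the Hidden and System attributes (Windows only)."""
    if os.name != "nt":
        return False  # attribute bits are only exposed by Windows stat results
    attrs = path.stat().st_file_attributes
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) and bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)


def find_com_shadows(directory) -> list:
    """Return one record per .com file in `directory` whose base name also exists
    as .exe in the same directory (the case where .COM precedence bites)."""
    directory = Path(directory)
    exe_by_stem = {p.stem.lower(): p for p in directory.iterdir()
                   if p.is_file() and p.suffix.lower() == ".exe"}
    findings = []
    for p in directory.iterdir():
        if not (p.is_file() and p.suffix.lower() == ".com"):
            continue
        twin = exe_by_stem.get(p.stem.lower())
        if twin is None:
            continue  # a .com with no .exe twin shadows nothing
        findings.append({
            "com": str(p),
            "exe": str(twin),
            "hidden_system": is_hidden_system(p),
            "known_alcan_name": p.stem.lower() in KNOWN_ALCAN_NAMES,
        })
    return sorted(findings, key=lambda f: f["com"].lower())


if __name__ == "__main__":
    # Default target is the live System32 folder; pass another path to scan a copy.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for f in find_com_shadows(target):
        tag = "ALCAN-NAME" if f["known_alcan_name"] else "other"
        print(f"{f['com']} shadows {f['exe']} [{tag}] hidden+system={f['hidden_system']}")
```

A .COM twin of a core system tool that also carries Hidden and System attributes is a strong indicator; a legitimate .COM with an .EXE twin is rare in %System% and worth a manual look either way.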
Alcan also locks %System%\taskmgr.exe so that it cannot be executed, thus inhibiting its removal from the affected machine.
Installs Additional Malware
Alcan.C drops a copy of Win32.Rbot.CQR to c:\xz.exe. Please see elsewhere in our encyclopedia for more information on Win32.Rbot.CQR.
It also downloads a copy of Win32.WinAd.T from the members.chello.nl domain to a.tmp and b.tmp in the root directory (usually C:\). For more information on the Win32.WinAd family of trojans, please see elsewhere in our encyclopedia.
Analysis by Matthew McCormack