W32.Alicia


Aliases: Backdoor.Win32.Alicia.p, BKDR_GRAYBIRD.U, BDS/GrayBird.K.10, W32/Alicia-R, TR/Alicia.E
Variants: W32/Alicia, BackDoor-ARR, Backdoor.Trojan, Generic.Malware.SPV.CB6CA4AC, VBS.Alicia.A, VBS/Alician.A.2

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 14 Oct 2003
Damage: Medium

Characteristics: A network-aware worm, W32.Alicia is capable of spreading and delivering its payload via unsecured network shares. This worm is also characterized by its ability to infect or corrupt the Normal Template file of Microsoft Word.

More details about W32.Alicia

The initial indication of a W32.Alicia infection is the presence of the file Alicia.exe in the Windows directory. At the same time, the files Alicia.doc and System.vbs are dropped into the root directory of the main hard drive. In the Windows Registry, the malware creates the Alicia key, which points to the location of the System.vbs file. The malware then renames all executable files in the Windows directory to the .VUL extension and injects its own code into the original executable file. When System.vbs is executed, the file sys1.dr0 is created in the root directory. This newly created file is injected into the Normal Template of Microsoft Word as a module and is responsible for corrupting that file.

Each time Microsoft Word is launched and loads the Normal Template, the application's security keys in the Windows Registry are modified. Once these security keys have been edited by W32.Alicia, the malware gains the ability to terminate various critical system processes. It then lists all shared drives it can find on the machine. The W32.Alicia program attempts to write the file Nwvf.exe to the root directory. This file is given the hidden attribute and is added to the operating system's startup group, so the malware launches every time the infected computer is booted or restarted.
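The host artifacts described above (the dropped files, the .VUL renames in the Windows directory, the hidden Nwvf.exe and the Alicia registry key) can be turned into a simple offline indicator check. The following is an added example, not code from the original entry or from any vendor; it runs over a constructed host snapshot, and the registry hive and path of the Alicia key are assumptions, since the entry names only the key.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class FileRecord:
    path: str           # full Windows path, e.g. r"C:\Windows\Alicia.exe"
    hidden: bool = False

def _norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()

def check_alicia_indicators(files: List[FileRecord], registry: Dict[str, str],
                            windows_dir: str = "C:\\Windows", root: str = "C:\\") -> List[str]:
    """Return the W32.Alicia indicators present in a host snapshot (files + registry values)."""
    win, rt = _norm(windows_dir), _norm(root)
    by_path = {_norm(f.path): f for f in files}
    found: List[str] = []
    if f"{win}\\alicia.exe" in by_path:
        found.append("Alicia.exe present in the Windows directory")
    for name in ("alicia.doc", "system.vbs", "sys1.dr0"):
        if f"{rt}\\{name}" in by_path:
            found.append(f"{name} dropped in the root of the system drive")
    nwvf = by_path.get(f"{rt}\\nwvf.exe")
    if nwvf is not None:
        found.append("Nwvf.exe in root" + (" (hidden attribute set)" if nwvf.hidden else ""))
    # Originals renamed to .VUL in the Windows directory before their code was replaced.
    vul = [p for p in by_path if p.startswith(win + "\\") and p.endswith(".vul")]
    if vul:
        found.append(f"{len(vul)} .VUL file(s) in the Windows directory (renamed executables)")
    # The entry gives no hive/path, so match any key named "Alicia" whose data points at System.vbs.
    for key, data in registry.items():
        if key.rstrip("\\").split("\\")[-1].lower() == "alicia" and "system.vbs" in data.lower():
            found.append(f"registry key {key} points at {data}")
    return found

# Constructed snapshot of an infected host (sample data, not a real capture).
SAMPLE_FILES = [
    FileRecord(r"C:\Windows\Alicia.exe"),
    FileRecord(r"C:\Windows\notepad.vul"),
    FileRecord(r"C:\Windows\calc.vul"),
    FileRecord(r"C:\Alicia.doc"),
    FileRecord(r"C:\System.vbs"),
    FileRecord(r"C:\sys1.dr0"),
    FileRecord(r"C:\Nwvf.exe", hidden=True),
]
SAMPLE_REGISTRY = {r"HKCU\Software\Alicia": r"C:\System.vbs"}  # key location is an assumption
if __name__ == "__main__":
    for hit in check_alicia_indicators(SAMPLE_FILES, SAMPLE_REGISTRY):
        print("[!]", hit)
```

On a real host, feed the function the result of a file-system walk (with the hidden attribute read from each file) and a registry export in place of the constructed sample.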