Aliases: I-Worm.Alcaul.n, W32.Alcarys@mm, W32/Alcarys@MM, W32/Syra.B
Variants: WORM_SEXSOUND.B, Win32.Alcaul.AA, W32/Alcarys.a@MM

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North America, South America, Europe
Removal: Hard
Platform: W32
Discovered: 14 Feb 2002
Damage: Medium

Characteristics: One of the most destructive payloads of this malware is that it hunts down system files and tools. The W32.Alcarys.B@mm worm corrupts these files by placing the machine in an endless loop until it runs out of resources and either freezes or shows a Blue Screen of Death.

More details about W32.Alcarys.B@mm

One indication of infection by the W32.Alcarys.B@mm program is the presence of the files Win.exe and Clickme.exe in the Desktop folder of the Windows directory. The malware also creates other folders, such as Sendto\ Oceans11 and Favorites\ A Beautiful Mind, under the Windows directory. The W32.Alcarys.B@mm malware likewise presents itself as the files Regedit.exe, Scanregw.exe, Tuneup.exe, Rundll64.exe, and Windows.exe in the Windows directory. Disney.scr and File1980.com, among others, are also placed in the root directory of the main hard drive. Aside from the Windows Address Book contents, the W32.Alcarys.B@mm program also replaces all screensaver files on the infected machine. Files with the extensions HTM and HTML are also targeted by this malware.

Moreover, a file named Blank.html is dropped in the root directory and allows the W32.Alcarys.B@mm program to connect of its own accord to a home page designated by the malicious author. It then downloads more dangerous code onto the already infected computer system to further compromise its security. The downloaded file targets all files created with Word and Excel, which are then used as attachments to spread the malicious code. The W32.Alcarys.B@mm program proceeds by creating a series of scripts, batch files, text files, and registry files, all with the intention of installing and spreading its payload. The worm also modifies the contents of the Script.ini file, which gives it access to mIRC functionality, and uses it to further spread the infection. An email message with a malicious attachment is also sent to all mIRC contacts of the computer user.
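
The file and folder indicators named in the two paragraphs above can be checked on a mounted disk image with a short triage script. This is an added example, not part of the original write-up: the function names, the "dropped"/"verify" verdicts and the test tree are constructed for illustration, and it assumes that Regedit.exe, Scanregw.exe and Tuneup.exe can also be genuine Windows files.

```python
import os
import tempfile

# Names as given in the write-up. The page prints the two folders with a space
# after the backslash; this example assumes that is a typesetting artifact.
WINDIR_DROPPED = ["Desktop/Win.exe", "Desktop/Clickme.exe",
                  "Sendto/Oceans11", "Favorites/A Beautiful Mind",
                  "Rundll64.exe", "Windows.exe"]
# Assumption of this example: these names also belong to genuine Windows files,
# so a hit means "compare against a known-good copy", not "infected".
WINDIR_VERIFY = ["Regedit.exe", "Scanregw.exe", "Tuneup.exe"]
ROOT_DROPPED = ["Disney.scr", "File1980.com", "Blank.html"]


def find_ci(base, rel):
    """Resolve rel under base, matching every component case-insensitively
    (a mounted FAT/NTFS volume may show WIN.EXE where the page says Win.exe)."""
    cur = base
    for part in rel.split("/"):
        try:
            names = os.listdir(cur)
        except OSError:          # missing, unreadable, or not a directory
            return None
        hit = next((n for n in names if n.casefold() == part.casefold()), None)
        if hit is None:
            return None
        cur = os.path.join(cur, hit)
    return cur


def triage(root, windir):
    """Return sorted (verdict, indicator) pairs for the indicators present."""
    checks = [("dropped", windir, WINDIR_DROPPED),
              ("verify", windir, WINDIR_VERIFY),
              ("dropped", root, ROOT_DROPPED)]
    return sorted((verdict, rel) for verdict, base, rels in checks
                  for rel in rels if find_ci(base, rel))


def demo():
    """Run triage over a constructed directory tree (not a real sample)."""
    with tempfile.TemporaryDirectory() as root:
        win = os.path.join(root, "WINDOWS")
        os.makedirs(os.path.join(win, "DESKTOP"))
        os.makedirs(os.path.join(win, "SendTo", "oceans11"))
        for p in ("DESKTOP/CLICKME.EXE", "REGEDIT.EXE", "notepad.exe"):
            open(os.path.join(win, p), "w").close()
        open(os.path.join(root, "blank.html"), "w").close()
        return triage(root, win)
```

Call `triage(root, windir)` with the mount point of the image and its Windows directory; an empty list means none of the listed names were found.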