W32.Alcra.A


Aliases: W32.Alcan.A, P2P-Worm.Win32.Alcan.a, Win32.Alcan.A, W32/Alcan.worm!p2p, W32/Alcra-A
Variants: WORM_ALCAN.A, W32.Alcra.F, Win32/Alcan.I, P2P-Worm.Win32.VB., W32/Generic.m

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 17 May 2005
Damage: Medium

Characteristics: W32.Alcra.A is a network-aware worm that takes advantage of unprotected network shares. It spreads to other computer systems by abusing peer-to-peer (P2P) file-sharing networks.

More details about W32.Alcra.A

A computer system infected with W32.Alcra.A normally contains files whose names closely resemble those of legitimate system files. Based on previous infections, the worm extracts the files regedit.com, taskmgr.exe, tasklist.com, taskkill.com, netstat.com, tracert.com, ping.com, and cmd.com into the System folder of the Windows directory. It also creates an MSConfigs folder in the Program Files directory, which holds the MSConfigs.exe file, while the files z.tmp and bt.exe are placed in the System folder. The worm then creates an archive named temp.zip containing its setup file and an accompanying bszip.dll, which is intended to throw off detection.

Execution of the p2pnetwork.exe file creates a Windows Registry entry that allows W32.Alcra.A to load at system startup. The worm then scans the local hard drive for shared folders and for directories associated with known file-sharing networks such as Kazaa, eMule, LimeWire, and others. When such folders are found, it copies itself into them under filenames including winis.exe, win32exe.exe, wini.exe, winlogins.exe, and muamgr.exe. Some analysts have also reported that this threat terminates security programs and system processes.
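As an added detection example (not part of the original write-up or any vendor tool), the Python script below checks a System folder, a Program Files folder and a set of P2P share directories for the filenames listed above, and separately flags a dropped .com file that sits beside the legitimate .exe of the same name, since .COM precedes .EXE in the default PATHEXT search order. The function names and the constructed directory tree used for the demo are assumptions, not artifacts from a real infection.

```python
import os
import tempfile
from pathlib import Path

# Filenames this write-up reports W32.Alcra.A extracting into the Windows System folder.
SYSTEM_DROPS = {"regedit.com", "taskmgr.exe", "tasklist.com", "taskkill.com",
                "netstat.com", "tracert.com", "ping.com", "cmd.com", "z.tmp", "bt.exe"}
# Filenames it reportedly copies into shared folders of P2P clients such as Kazaa.
SHARE_DROPS = {"winis.exe", "win32exe.exe", "wini.exe", "winlogins.exe", "muamgr.exe"}
WEAK = {"taskmgr.exe"}  # also the legitimate Task Manager's name, so alone it is a weak hit

def scan_system_dir(system_dir):
    """Report dropped names in the System folder; a .com beside the real .exe of the
    same name is flagged as shadowing (typing `cmd` at a prompt would run cmd.com)."""
    actual = {p.name.lower(): p.name for p in Path(system_dir).iterdir()}
    findings = []
    for name in sorted(SYSTEM_DROPS & set(actual)):
        stem, ext = os.path.splitext(name)
        kind = "weak-indicator" if name in WEAK else "dropped-file"
        if ext == ".com" and stem + ".exe" in actual:
            kind = "shadows-" + stem + ".exe"
        findings.append((kind, str(Path(system_dir, actual[name]))))
    return findings

def scan_for_alcra(system_dir, program_files, share_dirs):
    """Combine the System-folder check, the MSConfigs drop and a walk of P2P shares."""
    findings = scan_system_dir(system_dir)
    msconfigs = Path(program_files, "MSConfigs", "MSConfigs.exe")
    if msconfigs.is_file():
        findings.append(("dropped-file", str(msconfigs)))
    for root in share_dirs:
        for dirpath, _, files in os.walk(root):
            for f in sorted(files):
                if f.lower() in SHARE_DROPS:
                    findings.append(("p2p-copy", os.path.join(dirpath, f)))
    return findings

def run_constructed_demo():
    """Scan a constructed (not real) infected tree laid out in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        sysdir, pf = Path(root, "System32"), Path(root, "Program Files")
        share = Path(root, "Kazaa", "My Shared Folder")
        for d in (sysdir, share, Path(pf, "MSConfigs")):
            d.mkdir(parents=True)
        for rel in ("System32/cmd.exe", "System32/cmd.com", "System32/ping.com",
                    "System32/taskmgr.exe", "Program Files/MSConfigs/MSConfigs.exe",
                    "Kazaa/My Shared Folder/winis.exe", "Kazaa/My Shared Folder/song.mp3"):
            Path(root, rel).touch()
        return scan_for_alcra(sysdir, pf, [share])
```

On a live system, point `scan_for_alcra` at the real System folder, Program Files and the shared folders of any installed P2P client; a `weak-indicator` hit alone should be corroborated by the other drops before acting on it.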