Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
|
Minimum DAT
4187 (2002-02-20) Updated DAT4813 (2006-07-24) |
Minimum Engine
5.1.00 File Length12,288 bytes |
Description Added
2002-02-19 Description Modified2002-02-26 |
Malware Proliferation
Characteristics
A new variant of this threat was submitted to several anti-virus vendors by the virus author. This variant is not in the wild and is considered a low risk. It is detected as W32/Alcop.gen@MM with the 4187 DATs and will be detected as W32/Alcarys.b@MM with the 4189 DATs.
This is a multifaceted worm. It contains many components and uses different methods to carry out its payloads. This virus was sent to many anti-virus vendors by the virus author. It is not in the wild.
It arrives in an email message containing the following information:
Subject: sounds of sex and other stuffsBody: Hear me and my girlfriend moan...We spent yesterday's night having sex... I've also included a list of haiku, a cool talking screensaver and a link to a site offering cheap ecstasy pills.. enjoy..
Attachments: sexsounds.wav (SexSound.exe)
and haiku for you (readme.txt)
and http://www.EcstasyRUs.com (www.EcstasyRUs.com)
and the cool talking screensaver (syra.scr)
Except for the haiku text file, the attachments are all identical copies of the same worm with a different filename. The haiku text file reads as follows:
A Collection of Haiku ------------------ Dried marijuana... And my grandfather's old pipe... Tears in my red eyes... ------------------ Condoms in the bag... A lustful stare from your eyes... In the girl's rest room... ------------------When any of the other attachments are run, this worm infects the local system by performing the following functions:
- The worm copies itself to the following locations:
- a:\moans.exe
- c:\autorun.com
- c:\SexSound.exe
- c:\syra.scr
- c:\windows\cmd.com
- c:\windows\opme.co_
- c:\windows\system\inet.exe
- c:\windows\system\tmp.tmp
- c:\www.EcstasyRUs.com
- f:\pussy.scr
- 3 registry run keys are created to load the worm at startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Runonce\*cmd=c:\windows\cmd.com - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\*autorun=c:\autorun.cmd - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices\*inet=c:\windows\system\inet.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
- The worms sends itself to all users found in the Microsoft Outtlook address book using MAPI messaging.
- The Windows version is set to syra, the worm and the Windows register owner name is set to alcopaul.ph
- All .HTM and .HTML files are overwritten with the text:
Hello... Click here to start...
The word here links to the local copy of the worm. - C:\alcopaul.htm is created, which contains the text: Infected by Syra
- C:\v.vbs is created, which contains instructions to automatically choose to run downloaded files using Internet Explorer
- C:\win.acs is created, which contains Microsoft Word macro code that creates the file WINWORD.BAT in the START UP group. This bat file creates C:\WINDOWS\WINWORD.REG, which lowers the security settings of Microsoft Word, and opens the infectious C:\WINDOWS\NORMAL.DOC which is created by the virus. It also contains instructions to save a copy of the viral DOC using the name of existing .TXT, .WRI, and .PDF files (ie readme.txt.doc).
- C:\xxxpassword.doc is created which contain the viral macro code
- Two shortcuts are created on the Desktop: free XXX Passwords.lnk and mailme.url
- The mIRC Script.ini file is overwritten with instructions to send the worm to all IRC users when joining the channel of the infected user. The file sent is OPME.CO_ and those users are instructed to rename the file with a .COM extension and run it.
- The virus saves a copy of itself using the existing filename of .MP3 and .WAV files, adding .EXE to the end. (ie. MUSIC.WAV.EXE).
- .COM, .EXE, and .SCR files are overwritten with the virus code.
- The worm attempts to download and run another component: http://members.tripod.com/curly----/HTMLobj-64/update.exe
Symptoms
- c:\autorun.com
- c:\SexSound.exe
- c:\syra.scr
- c:\windows\cmd.com
- c:\windows\opme.co_
- c:\windows\system\inet.exe
- c:\www.EcstasyRUs.com
Method of Infection
This worm arrives as an email attachment or via Internet Relay Chat. Once run on the local system documents and applications are overwritten. Such files cannot be repaired. They must be deleted and restored from backup.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
- Insert the Windows XP CD into the CD-ROM drive and restart the computer.
- When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
- Select the Windows installation that is compromised and provide the administrator password.
- Issue 'fixmbr' command to restore the Master Boot Record
- Follow onscreen instructions.
- Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
- Insert the Windows CD into the CD-ROM drive and restart the computer.
- Click on "Repair Your Computer".
- When the System Recovery Options dialog comes up, choose the Command Prompt.
- Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
- Follow onscreen instructions.
- Reset and remove the CD from CD-ROM drive.
Variants