(aka Win32/Alcan.J, Win32.Worm.VB.Ymeak.A, Trojan.Dropper.Win32.VB.Lu)
[Description]
This worm is designed to spread by using various P2P file sharing applications.
When it is executed it will create a copy of itself in the Startup folder for all users
with the name svchost.exe.
After that it will show a message in order to fool the user into thinking the file can't be run:
The setup file is corrupted
After you click on OK, it will launch the svchost.exe copy and the original program
will end its execution.
The new svchost.exe process will begin to search the Windows folder for various files
that are usually backdoors:
winlog.exe, p2pnetworking.exe, scvhost.exe, winlogi.exe and p2pnetwork.exe
If it can't find any of those files, it will drop a new UPX-packed backdoor in the Windows folder
called b.exe.
After that it will try to spread by searching for the following P2P file sharing programs:
BearShare, Limewire, Morpheus, Shareaza
If it finds any of those, it will create a subfolder in the program's shared folder with the name _ (underscore).
In that folder it will place a copy of itself in order to fool other users into downloading it and infecting
their machines.
In order to avoid detection and to protect itself from deletion, it will open the following programs
for exclusive access: cmd.exe, ipconfig.exe, netstat.exe, ping.exe, tracert.exe,
regedit.exe, regedt32.exe, taskkill.exe and taskmgr.exe
By doing this it will stop you from launching a registry editor or Task Manager, for example.
When you try to open one of those programs, you will get a message telling you that the program is
in use.
[Clean]
It is best to restart the system in safe mode in order to prevent non-critical processes from running at startup.
Delete the svchost.exe file from the startup folder
(usually this is: C:\Documents and Settings\All Users\Start Menu\Programs\Startup)
Delete the b.exe file that is located in the Windows folder
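The following script is an added example, not part of the original post: it turns the artifacts listed in the description (svchost.exe in the Startup folder, b.exe and the named backdoors in the Windows folder, an executable in a "_" subfolder under a P2P client's tree) into an offline indicator check, and adds a dry-run removal step matching the cleanup instructions above. The P2P install locations, the "winnt" folder name and the sample listing are constructed assumptions, not values from the post.

```python
# Added example (not from the original post): offline indicator check for the
# artifacts this description lists. classify() works on path strings, so it can
# be run over a saved directory listing; scan_tree() feeds it a live walk.
# The sample listing and the P2P folder locations are constructed assumptions.
import os
from pathlib import PureWindowsPath

# Names the description says the worm looks for (or drops) in the Windows folder
BACKDOOR_NAMES = {"winlog.exe", "p2pnetworking.exe", "scvhost.exe",
                  "winlogi.exe", "p2pnetwork.exe", "b.exe"}

# P2P clients named in the description; matched against folder names in the path
P2P_CLIENTS = ("bearshare", "limewire", "morpheus", "shareaza")


def _parts(path):
    """Split a path into lower-cased components, accepting / or \\ separators."""
    return [p.lower() for p in PureWindowsPath(path.replace("/", "\\")).parts]


def classify(path):
    """Return a short reason if the path matches one of the described artifacts."""
    parts = _parts(path)
    if not parts:
        return None
    name, folders = parts[-1], parts[:-1]
    # 1. svchost.exe inside a Startup folder; the real binary lives in System32
    if name == "svchost.exe" and "startup" in folders:
        return "svchost.exe copy in Startup folder"
    # 2. a known backdoor name (or the dropped b.exe) directly in the Windows folder
    if name in BACKDOOR_NAMES and folders and folders[-1] in ("windows", "winnt"):
        return "backdoor in Windows folder"
    # 3. an executable inside a "_" subfolder somewhere under a P2P client's tree
    if name.endswith(".exe") and "_" in folders:
        if any(client in f for f in folders for client in P2P_CLIENTS):
            return "bait copy in P2P shared folder"
    return None


def find_indicators(paths):
    """Filter a listing down to (reason, path) pairs that match the indicators."""
    hits = []
    for p in paths:
        reason = classify(p)
        if reason:
            hits.append((reason, p))
    return hits


def scan_tree(root):
    """Walk a real directory tree and classify every file in it."""
    listing = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_indicators(listing)


def remove_artifacts(hits, dry_run=True):
    """Cleanup step: delete flagged files, or with dry_run just report them."""
    affected = []
    for _reason, path in hits:
        if not dry_run:
            os.remove(path)
        affected.append(path)
    return affected


# Constructed sample listing (assumption): benign paths mixed with flagged ones
SAMPLE_LISTING = [
    r"C:\Windows\System32\svchost.exe",                                   # legitimate
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe",
    r"C:\Windows\b.exe",
    r"C:\Windows\System32\drivers\etc\hosts",                              # benign
    r"C:\Program Files\LimeWire\Shared\_\setup.exe",                       # bait copy
    r"C:\Program Files\Shareaza\Downloads\readme.txt",                     # benign
]

if __name__ == "__main__":
    for reason, path in find_indicators(SAMPLE_LISTING):
        print(f"{reason}: {path}")
```

Run it against a listing exported from the affected machine (or point scan_tree at a mounted drive) before deleting anything; the match on a "_" folder is deliberately narrow so that ordinary download folders are not flagged.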
Friday, March 13, 2009