W32/Alcra-F

Aliases	Email-Worm.Win32.VB.an W32.Spybot.Worm TROJ_MULDROP.CV
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Drops more malware Installs itself in the registry
Protection available since	28 March 2006 14:26:39 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

W32/Alcra-F is a worm for the windows platform.

W32/Alcra-F uses file sharing applications to spread.

W32/Alcra-F typically arrives with the filename Setup.exe. W32/Alcra-F is a worm for the windows platform.

W32/Alcra-F uses file sharing applications to spread.

W32/Alcra-F typically arrives with the filename Setup.exe.

When first run W32/Alcra-F displays a dialog box with the text "Setup", "Welcome to the Setup Wizard ...".

The dialog then gives a fake error message, before closing.

W32/Alcra-F creates the folder <Program Files>\winsupdater and copies itself to this folder as

a.temp
winsupdater.exe

winsupdater.exe has the hidden file attribute and similarly the
<Program Files>\winsupdater\ folder is a hidden folder.

W32/Alcra-F creates the following files:

<root folder>\at.exe
<Program Files>\winsupdater\a.zip

Where the a.zip file contains a copy of the Setup.exe.
The file at.exe is detected as W32/Rbot-CVY.

When first run, W32/Alcra-F creates the following registry entry to ensure that it is run when an infected system starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winsupdater
<Program Files>\winsupdater\winsupdater.exe /auto

Get reports about the latest virus and spyware threats delivered to your computer