W32/Alcop-B

Please follow the instructions for removing worms.

W32/Alcop-B is a worm for the Windows platform.

The W32/Alcop-B executable file has an icon commonly associated with Microsoft Word documents. When run, the worm copies itself to the Windows folder as Lsass.exe. This new instance is then started and runs continously in the background.

As the worms' executable name matches that of a critical system process used by Windows XP/2000, the Windows Task Manager program will not allow the user to end the Lsass.exe process.

W32/Alcop-B examines the computers A: drive every 6 seconds for files with a .doc extension. Any documents found are deleted and a copy of the virus is placed on the disk with a filename matching that of the deleted document.

W32/Alcop-B may set one of the following registry entries to start automatically:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Lsass = C:\Windows\Lsass.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Winlogon = C:\Windows\Lsass.exe

W32/Alcop-B also records the cumulative duration (in seconds) that the worm has executed in the following file:

C:\Windows\System32\GeDzaC.mlh

Should the count reach 7000 seconds, the worm creates the following HTML file and opens it with the default browser:

C:\MLHR_Corporation_GeDzAc.htm

W32/Alcop-B then tries to recursively overwrite every file on C:\ with the following text:

"Virus MlourdesHReloaded II ha atakdo esta computadora
Virus 100% Mexicano, no es muy peligroso que digamos
Pero tu has sido el rival mas debil Adios!
Saludos a Ana Paty de Sinaloa y a Gedzac Labs
Espero y se hallan pasado una feliz Navidad y un prospero ano nuevo
Feliz 2004 para todos
Para mayor informacion enviar un e-mail a xxxx@xxxxx.com
donde hablamos de computacion en tu idioma
*-Dime solo esta vez, que has pensado... solo esta vez-*"