Sophos

W32/Alcra-B

Aliases
  • Worm.Win32.VB.an
  • W32/Alcan.worm!p2p
Summary

How it spreads
  • Peer-to-peer
Affected operating systems Windows
Included in our products from August 2005 (3.96)
Protection available since 26 June 2005 16:01:58 (GMT)
Last updated 29 June 2005 10:23:48 (GMT)
Detected by All Sophos products

More Information

W32/Alcra-B is a worm for the Windows platform.

W32/Alcra-B spreads via file sharing on P2P networks.

W32/Alcra-B includes functionality to download, install and run new malware executables.

W32/Alcra-B typically arrives with the filename Setup.exe.

When first run, W32/Alcra-B displays a dialog box with the text "Setup", "Welcome to the Setup Wizard ...". W32/Alcra-B creates the folder <Program Files>\winupdates\, copies itself to this folder as winupdates.exe and creates the following files:

<Program Files>\winupdates\a.zip
<System>\cmd.com
<System>\bszip.dll
<System>\netstat.com
<System>\ping.com
<System>\regedit.com
<System>\taskkill.com
<System>\tasklist.com
<System>\tracert.com

All files and folders will have the hidden and system attributes set, including the Windows system folder.

a.zip is a zip archive containing a copy of W32/Alcra-B named Setup.exe.

Bszip.dll is a clean file compression utility.

The files with a COM extension that W32/Alcra-B creates in the Windows system folder are simply 'MZ' stubs (2-byte files containing only "MZ"), designed to disable the standard Windows tools cmd, netstat, ping, regedit, taskkill, tasklist and tracert. When a command is entered without an extension, Windows tries the COM extension before EXE, so an executable with a COM extension takes precedence over one with the same base name and an EXE extension. Therefore, if a user runs "cmd", "netstat", "ping", "regedit", "taskkill", "tasklist" or "tracert", the new file with a COM extension is executed rather than the legitimate executable with an EXE extension.
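The following script is an added illustration of how a defender can check a folder for this shadowing trick; it is not Sophos code and was not taken from the worm. It builds a constructed stand-in for the Windows system folder in a temporary directory (the file names are placeholders, and the "real" executables are dummy byte strings), resolves each bare tool name using an assumed default PATHEXT order (.COM before .EXE), and reports every case where the winner is a 2-byte 'MZ' stub sitting beside a genuine EXE. The helper names are the example's own.

```python
"""
Added example (not Sophos code): find 2-byte 'MZ' .COM stubs that shadow
legitimate .EXE tools through PATHEXT precedence, as W32/Alcra-B does.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Sequence, Tuple

# Order Windows uses when a bare command name is typed: .COM before .EXE.
# Assumed default; on a live Windows host read it from the PATHEXT variable.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]

MZ_STUB = b"MZ"


def pathext_from_env() -> List[str]:
    """PATHEXT from the environment, falling back to the assumed default."""
    raw = os.environ.get("PATHEXT", ";".join(DEFAULT_PATHEXT))
    return [ext for ext in raw.split(";") if ext]


def resolve_bare_name(directory: Path, name: str,
                      pathext: Sequence[str] = DEFAULT_PATHEXT) -> Optional[Path]:
    """Return the file that would run when `name` is typed with no extension."""
    for ext in pathext:
        candidate = directory / f"{name}{ext.lower()}"
        if candidate.is_file():
            return candidate
    return None


def is_mz_stub(path: Path, max_size: int = 2) -> bool:
    """A stub is a file of at most max_size bytes that consists of 'MZ'."""
    try:
        if path.stat().st_size > max_size:
            return False
        with path.open("rb") as fh:
            return fh.read(2) == MZ_STUB
    except OSError:
        return False


def find_shadowing_stubs(directory: Path,
                         pathext: Sequence[str] = DEFAULT_PATHEXT
                         ) -> List[Tuple[str, Path, Path]]:
    """
    List (name, stub, shadowed_exe) triples: a tiny .COM stub wins the
    PATHEXT race over a real .EXE of the same base name in `directory`.
    """
    findings = []
    for exe in sorted(directory.glob("*.exe")):
        name = exe.stem
        winner = resolve_bare_name(directory, name, pathext)
        if winner is not None and winner != exe and is_mz_stub(winner):
            findings.append((name, winner, exe))
    return findings


def build_sample_dir() -> Path:
    """Constructed stand-in for <System> in a temp dir (not a real capture)."""
    root = Path(tempfile.mkdtemp(prefix="alcra_demo_"))
    fake_pe = b"MZ" + b"\x90" * 510  # placeholder body for a 'real' executable
    for tool in ("cmd", "ping", "notepad", "legit"):
        (root / f"{tool}.exe").write_bytes(fake_pe)
    # Two-byte stubs beside cmd and ping, as the worm creates them
    for tool in ("cmd", "ping"):
        (root / f"{tool}.com").write_bytes(MZ_STUB)
    # A full-size .com beside legit.exe also takes precedence but is not a stub
    (root / "legit.com").write_bytes(fake_pe)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, stub, exe in find_shadowing_stubs(sample):
        print(f"'{name}' resolves to {stub.name} ({stub.stat().st_size} bytes), "
              f"shadowing {exe.name}")
```

On a real host the directory argument would be the Windows system folder and the PATHEXT list would come from pathext_from_env(); the size threshold is deliberately tight because the worm's stubs are exactly two bytes, while a genuine .COM program is larger.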

The following registry entry is created to run winupdates.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winupdates
<Program Files>\winupdates\winupdates.exe /auto
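As an added example (not Sophos code), the script below shows one way to check an exported copy of the Run key for this persistence entry offline: it parses the text format written by a Windows registry export, collects the REG_SZ values under the HKLM Run key, and flags any whose value name is "winupdates" or whose command points at \winupdates\winupdates.exe. The export embedded in the script is constructed for the demonstration, not captured from an infected host, and the other entries in it are placeholders.

```python
"""
Added example (not Sophos code): parse a registry export (.reg text) and flag
HKLM Run entries matching the W32/Alcra-B persistence described above.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the description: value name and executable path
SUSPECT_VALUE_NAME = "winupdates"
SUSPECT_PATH_FRAGMENT = r"\winupdates\winupdates.exe"

# Constructed sample export; placeholder entries, not a real capture
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"winupdates"="C:\\Program Files\\winupdates\\winupdates.exe /auto"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

_SECTION = re.compile(r"^\[(.+)\]$")
# "name"="data" lines; backslashes and quotes inside are escaped with a backslash
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of quotes and backslashes in string data."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_alcra_run_entries(text: str) -> List[Tuple[str, str]]:
    """(value_name, command) pairs in the HKLM Run key matching the indicators."""
    hits = []
    run_values = parse_reg_export(text).get(RUN_KEY, {})
    for name, command in run_values.items():
        if (name.lower() == SUSPECT_VALUE_NAME
                or SUSPECT_PATH_FRAGMENT in command.lower()):
            hits.append((name, command))
    return hits


if __name__ == "__main__":
    for name, command in find_alcra_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious Run entry {name!r} -> {command}")
```

Because the Run value name is easy to change between variants, matching on the executable path under the winupdates folder is the more durable of the two checks; both are kept here because the description gives both.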
