W32/Alcarys.a@MM

Type
Virus
SubType
Win32
Discovery Date
02/14/2002
Length
12,288 bytes
Minimum DAT
4187 (02/20/2002)
Updated DAT
4813 (07/24/2006)
Minimum Engine
5.1.00
Description Added
02/19/2002
Description Modified
02/26/2002 11:09 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update 2/26/2002 --
A new variant of this threat was submitted to several anti-virus vendors by the virus author. This variant is not in the wild and is considered a low risk. It is detected as W32/Alcop.gen@MM with the 4187 DATs and will be detected as W32/Alcarys.b@MM with the 4189 DATs.

This is a multifaceted worm. It contains many components and uses different methods to carry out its payloads. This virus was sent to many anti-virus vendors by the virus author. It is not in the wild.

It arrives in an email message containing the following information:

Subject: sounds of sex and other stuffs
Body: Hear me and my girlfriend moan...We spent yesterday's night having sex... I've also included a list of haiku, a cool talking screensaver and a link to a site offering cheap ecstasy pills.. enjoy..

Attachments: sexsounds.wav (SexSound.exe)
and haiku for you (readme.txt)
and http://www.EcstasyRUs.com (www.EcstasyRUs.com)
and the cool talking screensaver (syra.scr)

The first name of each pair is what is displayed in an Outlook email client, while the filename in parentheses is the actual filename used by the virus.
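A mail-gateway check for the displayed-versus-actual attachment name lure described above, as an added example that is not part of the original description. It assumes the mismatch is carried by a Content-Type name= parameter that differs from the Content-Disposition filename= parameter, and runs over a constructed message.

```python
# Added example (not McAfee's code): flag MIME attachments whose displayed
# name disagrees with the real filename, or whose real extension is executable.
# Assumption: the displayed-vs-actual lure comes from the Content-Type name=
# parameter differing from the Content-Disposition filename= parameter.
import email
from email import policy

EXEC_EXTS = (".exe", ".com", ".scr", ".bat", ".pif", ".vbs")

# Constructed sample message modelled on the lure described above; the
# base64 body is a stub, not the worm.
SAMPLE_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: sounds of sex and other stuffs
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hear me and my girlfriend moan...
--b1
Content-Type: application/octet-stream; name="sexsounds.wav"
Content-Disposition: attachment; filename="SexSound.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: text/plain; name="readme.txt"
Content-Disposition: attachment; filename="readme.txt"

A Collection of Haiku
--b1--
"""

def suspicious_attachments(raw):
    """Return (displayed_name, real_name, reason) for each risky attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        real = part.get_filename() or ""          # Content-Disposition filename=
        shown = part.get_param("name") or real    # Content-Type name=, if any
        if shown.lower() != real.lower():
            hits.append((shown, real, "displayed name differs from real filename"))
        elif real.lower().endswith(EXEC_EXTS):
            hits.append((shown, real, "executable attachment"))
    return hits
```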

Except for the haiku text file, the attachments are all identical copies of the same worm with a different filename. The haiku text file reads as follows:

A Collection of Haiku
------------------
Dried marijuana...
And my grandfather's old pipe...
Tears in my red eyes...
------------------
Condoms in the bag...
A lustful stare from your eyes...
In the girl's rest room...
------------------
When any of the other attachments are run, this worm infects the local system by performing the following functions:
  • The worm copies itself to the following locations:
    • a:\moans.exe
    • c:\autorun.com
    • c:\SexSound.exe
    • c:\syra.scr
    • c:\windows\cmd.com
    • c:\windows\opme.co_
    • c:\windows\system\inet.exe
    • c:\windows\system\tmp.tmp
    • c:\www.EcstasyRUs.com
    • f:\pussy.scr
  • Three registry run keys are created to load the worm at startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Runonce\*cmd=c:\windows\cmd.com
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Run\*autorun=c:\autorun.cmd
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      RunServices\*inet=c:\windows\system\inet.exe
  • The worm sends itself to all users found in the Microsoft Outlook address book using MAPI messaging.
  • The Windows version is set to syra, the worm, and the Windows registered owner name is set to alcopaul.ph
  • All .HTM and .HTML files are overwritten with the text:
    Hello... Click here to start...
    The word here links to the local copy of the worm.
  • C:\alcopaul.htm is created, which contains the text: Infected by Syra
  • C:\v.vbs is created, which contains instructions to automatically choose to run downloaded files using Internet Explorer
  • C:\win.acs is created, which contains Microsoft Word macro code that creates the file WINWORD.BAT in the START UP group. This bat file creates C:\WINDOWS\WINWORD.REG, which lowers the security settings of Microsoft Word, and opens the infectious C:\WINDOWS\NORMAL.DOC, which is created by the virus. It also contains instructions to save a copy of the viral DOC using the names of existing .TXT, .WRI, and .PDF files (e.g. readme.txt.doc).
  • C:\xxxpassword.doc is created, which contains the viral macro code
  • Two shortcuts are created on the Desktop: free XXX Passwords.lnk and mailme.url
  • The mIRC Script.ini file is overwritten with instructions to send the worm to all IRC users when joining the channel of the infected user. The file sent is OPME.CO_ and those users are instructed to rename the file with a .COM extension and run it.
  • The virus saves a copy of itself using the existing filenames of .MP3 and .WAV files, adding .EXE to the end (e.g. MUSIC.WAV.EXE).
  • .COM, .EXE, and .SCR files are overwritten with the virus code.
  • The worm attempts to download and run another component: http://members.tripod.com/curly----/HTMLobj-64/update.exe
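A host-triage check for the persistence and file indicators in the list above, as an added example that is not McAfee's code. It assumes registry entries are supplied as (key path, value name, data) tuples, as a parsed .reg export would yield, and file paths as plain strings; the sample data is constructed.

```python
# Added example (not McAfee's code): match constructed host artifacts against
# the persistence and file indicators listed above. Assumed input formats:
# registry entries as (key_path, value_name, data) tuples, file paths as strings.
import ntpath

# The three startup hooks from the description (key path, value name, data).
WORM_RUN_ENTRIES = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce",
     "*cmd", r"c:\windows\cmd.com"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "*autorun", r"c:\autorun.cmd"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
     "*inet", r"c:\windows\system\inet.exe"),
}
# Dropped files listed under Symptoms (lower-cased for case-insensitive matching).
DROPPED_FILES = {r"c:\autorun.com", r"c:\sexsound.exe", r"c:\syra.scr",
                 r"c:\windows\cmd.com", r"c:\windows\opme.co_",
                 r"c:\windows\system\inet.exe", r"c:\www.ecstasyrus.com"}
# Companion copies: .EXE appended to media files, .DOC appended to text files.
COMPANION_SUFFIXES = (".wav.exe", ".mp3.exe", ".txt.doc", ".wri.doc", ".pdf.doc")

def match_run_keys(entries):
    """Return registry entries equal (case-insensitively) to a worm hook."""
    hooks = {tuple(s.lower() for s in h) for h in WORM_RUN_ENTRIES}
    return [e for e in entries if tuple(s.lower() for s in e) in hooks]

def match_dropped_files(paths):
    """Return paths that are one of the worm's dropped files."""
    return sorted(p for p in paths if p.lower() in DROPPED_FILES)

def match_companions(paths):
    """Return paths shaped like the worm's double-extension copies."""
    return sorted(p for p in paths
                  if ntpath.basename(p).lower().endswith(COMPANION_SUFFIXES))

# Constructed sample data: one benign entry, two worm hooks, and user files.
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "ExampleTool", r"c:\program files\example\tool.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "*cmd", r"C:\WINDOWS\cmd.com"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
     "*inet", r"c:\windows\system\inet.exe"),
]
SAMPLE_FILES = [r"c:\windows\cmd.com", r"c:\music\music.wav",
                r"c:\music\MUSIC.WAV.EXE", r"c:\docs\readme.txt.doc",
                r"c:\windows\notepad.exe"]
```

Matching is case-insensitive because the worm's paths are recorded in mixed case and the FAT/NTFS filesystems of the affected Windows versions do not distinguish case.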

Symptoms

- Presence of the following files:

  • c:\autorun.com
  • c:\SexSound.exe
  • c:\syra.scr
  • c:\windows\cmd.com
  • c:\windows\opme.co_
  • c:\windows\system\inet.exe
  • c:\www.EcstasyRUs.com
- After the infection occurs, a message box appears.

- When an infected .DOC file is opened, an assistant message appears.

Method of Infection

This worm arrives as an email attachment or via Internet Relay Chat. Once it is run on the local system, documents and applications are overwritten. Such files cannot be repaired; they must be deleted and restored from backup.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Alcaul.n (AVP)
  • W32.Alcarys.B@mm (NAV)
  • W32.Alcarys@mm (NAV)
  • W32/Alcarys.b@MM
  • W32/Alcarys@MM
  • W32/Syra.B (Panda)
  • Win32.Alcaul.AA (CA)
  • WORM_SEXSOUND.B (Trend)
