Here is a little something to read over a coffee. Iam open to disscussion on the subject anyone having trouble with recurring trouble should check out these files and also the programs they are using this is an example of one of them.
Discovered: February 17, 2006
Updated: February 13, 2007 12:51:25 PM
Also Known As: Win32/Alcan.I [Computer Associ, P2P-Worm.Win32.VB.dw [Kaspersk, W32/Generic.m [McAfee], W32/VB-YY [Sophos], WORM_GAOBOT.DF [Trend Micro]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Alcra.F is executed, it performs the following actions:
Attempts to disable several programs by creating the following empty files with the hidden and system attributes set:
%System%\cmd.com
%System%\netstat.com
%System%\ping.com
%System%\regedit.com
%System%\taskkill.com
%System%\tasklist.com
%System%\tracert.com
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Modifies attributes of the %System% folder.
Copies itself as %ProgramFiles%\outlook\outlook.exe.
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
Adds the value:
"outlook" = "%ProgramFiles%\outlook\outlook.exe /auto"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
Displays the following message:
Title: Setup
Body: Setup detected a corruption setup will now terminate.
Executes %ProgramFiles%\outlook\outlook.exe. Once outlook.exe is executed, it copies itself as %ProgramFiles%\outlook\v.tmp
and drops the following files:
%System%\bszip.dll - a legitimate DLL file used to archive itself
%ProgramFiles%\outlook\p.zip - an archived copy of the worm, which is 202,477 bytes in length
Drops a variant of the W32.Spybot.Worm as one of the following files and executes it:
%SystemDrive%\onces.exe
%System%\winlog.exe
Attempts to connect to one of the following Web pages in order to verify that the computer is connected to the Internet:
[http://]www.download.com/html/dl/all-titles/9000-[RANDOM LETTER]-2.html
[http://]www.mininova.org
[http://]www.torrentz.com/-[STRING]
Note: [STRING] is one of the following words:
anime
music
movies
tv
software
games
other
Creates the folder %UserProfile%\Complete with the hidden and system attributes set, if the LimeWire application is installed on the compromised computer. It adds the folder to the DIRECTORIES_TO_SEARCH_FOR_FILES property in the LimeWire configuration file.
So if you are using this program maybe not a new problem its rather an unresolved problem.
