Technical Details
Payload
Removal instructions

Technical Details

This worm spreads via the Internet as an attachment to infected messages. Infected messages will be sent to all email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file. It is 50,582 bytes in size. The file is packed using UPX.

Installation

Once launched, the worm copies itself to the Windows system directory as "alsys.exe":

%System%\alsys.exe

The worm creates a file with a random name and an .exe extension in the current directory, and then launches it.

It then creates the following entries in the system registry:

This ensures that the worm will be launched each time Windows is booted on the victim machine.

The worm also creates the following files in the Windows system directory:

%System%\wincom32.ini
%System%\wincom32.sys

The worm also changes the following system registry entry in order to block “Windows Firewall/Internet Connection Sharing (ICS)”:

[HKLM\System\CurrentControlSet\Services\SharedAccess]

"Start" = "4"

Propagation via e-mail

Infected messages will be sent to all email addresses harvested from the victim machine. The worm harvests addresses from all hard disk partitions starting with the last one.

In order to send messages the worm attempts to establish a direct connection to the recipient's SMTP server.
The worm does not send emails to addresses which contain the following strings:

microsoft
.gov
.mil

Infected messages:

Sender’s name (chosen at random from the list below):

• Anita
• April
• Ara
• Aretina
• Amorita
• Alysia
• Aldora
• Barbra
• Becky
• Bella
• Briana
• Bridget
• Blenda
• Bettina
• Caitlin
• Chelsea
• Clarissa
• Carmen
• Carla
• Cara
• Camille
• Damita
• Daria
• Danielle
• Diana
• Doris
• Dora
• Donna
• Ebony
• Eden
• Eliza
• Erika
• Eve
• Evelyn
• Emily
• Faith
• Gale
• Gilda
• Gloria
• Haley
• Holly
• Helga
• Ivory
• Ivana
• Iris
• Isabel
• Idona
• Ida
• Julie
• Juliet
• Joanna
• Jewel
• Janet
• Katrina
• Kacey
• Kali
• Kyle
• Kassia
• Kara
• Lara
• Laura
• Lynn
• Lolita
• Lisa
• Linda
• Myra
• Mimi
• Melody
• Mary
• Maia
• Nadia
• Nova
• Nina
• Nora
• Natalie
• Naomi
• Nicole
• Olga
• Olivia
• Pamela
• Peggy
• Queen
• Rachel
• Rae
• Rita
• Ruby
• Rosa
• Silver
• Sharon
• Uma
• Ula
• Valda
• Vanessa
• Valora
• Violet
• Vivian
• Vicky
• Wendy
• Willa
• Xandra
• Xylia
• Xenia
• Zilya
• Zoe
• Zenia

Message subject (chosen at random from the list below):

• Magic of Flowers
• Sending You My Love
• Together You and I
• Window of Beauty
• Doing It for You
• Evening Romance
• Wrapped Up
• Most Beautiful Girl
• Touched by Love
• If I Knew
• Heart of Mine
• Til the End of Time
• With This Ring
• Tender Whispers
• Soul Partners
• With All of My Heart
• I Always Knew
• Awaiting Your Love
• Want to Meet?
• So in Love
• This Feeling
• Red Rose
• Until the Day
• My Invitation
• Worthy of You
• You're the One
• So in Love
• You and I Forever
• Words I Write
• The Candle's Light
• True Love
• My Perfect Love
• Waiting for You
• This Day Forward
• Without Your Love
• Now and Forever
• Thanks...Love
• Just You
• A Sweet Love
• Search for One
• A Song to You
• If I Could
• Hand in Hand
• I Win with You
• Wine and Roses
• Back Together
• I Give to You
• That Special Love
• Our Love
• Old Together
• Cyber Love
• Against All Odds
• Hey Cutie
• Our Wedding Day
• My Eye on You
• Unique Love
• Full Heart
• Forever in Love
• To New Spouse
• For Better of For Worse
• All For You
• When I'm With You
• Everyone Needs Someone
• Heart is Breaking
• With All My Love
• Cuddle Up
• Safe and Sound
• Made for Each Other Brand New Love
• Someone at Last
• You and I
• Hold On
• All That Matters
• Our Two Hearts
• You Asked Me Why
• Wish Upon a Star
• For You
• Brand New Love
• You're so Far Away
• Together Again
• I wish
• The Long Haul
• Love You Deeply
• In Love
• It's Your Move
• Love Birds
• Safe With You
• Sending Kiss
• You + Me
• I Would Do Anything
• Vacation Love
• The Kiss
• Hand in Hand
• Now I Know
• Live With Me
• Pockets of Love
• He Blessed Our Lives
• Two of a Kind
• Soul Mates
• I Still Love You
• Dancing With You
• Forever and Ever
• Twice Blest
• Longing for You
• Thinking of You
• Twilight Paradise
• Wish I Could Tell You
• Teddy Bear & Roses
• Let's Get Frisky
• Cuddle Me Please
• Solitary Beauty
• Take My Hand
• So Unique
• P.M.S
• We Have Walked
• Fields Of Love
• I Am Lost In You
• Bewitching Moonlight
• The Letter
• Till Morning's Light
• Trunk Full Of Love
• Your Silly Smile
• Till Morninig's Light
• Just You & Me
• A Special Flower for You
• The Sweet Taste of Love
• A Red Hot Kiss
• Won't you dance with me
• A Special Kiss
• Our love is torn by miles
• Every Inch of Your Body
• My Heart belongs to you
• Steamy Dream
• Moonlit Waterfall
• My Heart is Thinking
• A Weekend Getaway
• Summer Love
• A Hug & Roses
• How Much I Love You
• Love for Granted
• Thinking about you
• Angel of Love
• You're Soo kissable
• From this day forward
• In My Heart
• Between Us
• Hold Me (distant love)
• I Would Give you Anything
• A Bouquet of Love
• I Think of You
• Wild Nights--Wild Nights
• Memories
• You are out of this world
• When I look at you
• Last Night was Hot!
• Peek-A-Boo
• You Lucky Duck!
• 5 Reasons I Love You
• I Can't Function
• Our Love Everyday
• Emptiness Inside Me
• Love is in the Air
• We're a Perfect Fit
• A Romantic Place
• I Love You Mower
• The Mood for Love
• Love at First Sight
• You Brighten My Day
• You're My Hero
• Can't Wait to See You!
• Showers Of Love
• You Were Worth the Wait
• Crazy way to say I Luv U
• Times Are Hard, I Luv U
• You Rock Me!
• Puppy Love
• You Are My Guiding Star
• We Are Different
• I Woof You
• A Monkey Rose for You
• A Kiss for You
• A Little (sex) Card
• The Love Bugs
• Kisses, Hugs & Roses
• Feeling Horny?
• A Day in Bed Coupon
• Dream Date Coupon
• Bubble Bath Coupon
• Steamy Sex Coupon
• A Relaxing Coupon
• Massage Coupon
• Dinner Coupon
• Romantic Picnic Coupon
• Breakfast in Bed Coupon
• Kiss Coupon
• Passionate Kiss
• Only You
• Internet Love
• Want You to Know
• Will You?
• I'll Be Your Man
• I Love Thee
• I Love You So
• Rose for my Love
• Baby, I'll Be There
• Unmatchable Beauty
• I Believe
• Dream Girl
• I Dream of you
• I am Complete
• Love Remains
• When I'm With You
• Our Love is Strong
• The Miracle of Love
• Inside My Heart
• Our Love Will Last
• For You....My Love
• The Mood for Love
• A Token of My Love
• Miracle of Love
• A Kiss So Gentle
• Why I Love You
• Falling In Love with You
• The Dance of Love
• Sending You My Love
• Hugging My Pillow
• Our Love Nest
• Wrapped in Your Arms
• I Love You Soo Much
• Eternity of Your Love
• Our Love is Free
• My Love
• Your Love Has Opened
• When You Fall in Love
• The Time for Love
• I Love Thee
• I Love You with All I Am
• Miracle of Love

Èìÿ ôàéëà âëîæåíèÿ.

Âûáèðàåòñÿ ïðîèçâîëüíûì îáðàçîì èç ñïèñêà:

• flash postcard.exe
• Flash Postcard.exe
• Greeting Card.exe
• greeting card.exe
• Greeting Postcard.exe
• greeting postcard.exe
• Postcard.exe
• postcard.exe

Payload

The worm attempts to terminate processes if the name of the process contains one of the strings listed below:

• alsys
• anti
• viru
• troja
• avp
• nav
• rav
• reged
• nod32
• spybot
• zonea
• vsmon
• avg
• blackice
• firewall
• msconfig
• lockdown
• f-pro
• hijack
• taskmgr
• mcafee

The worm also terminates the process connected with the window titled “Registry Editor”.

The worm uses the rootkit library %System%\wincom32.sys in order to hide its files on the hard disk and to mask entries in the system registry.

Removal instructions

Detection for this version of the worm were added to the Kaspersky Anti-Virus databases as an urgent update.

If you have Kaspersky Anti-Virus 6.0, and Proactive Protection is enabled, this worm will be detected without the need to update antivirus databases.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following files:

   %System%\alsys.exe
   %System%\wincom32.ini
   %System%\wincom32.sys

4. Delete the following system registry entries:

   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   "Agent" = "%System%\alsys.exe"

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Agent" = "%System%\alsys.exe"

5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).