funsec mailing list archives

Microsoft: MSRT News on Alcan, Mywife.E


From: "Fergie" <fergdawg () netzero net>
Date: Tue, 4 Apr 2006 14:38:43 GMT

Via The Microsoft Anti-Malware Engineering Team blog.

[snip]

Each month, the Malicious Software Removal Tool runs on approximately 250 million computers, mainly via Windows Update 
and Automatic Updates. In February's release of the tool, we added the ability to detect and remove a worm called 
Win32/Alcan. We believed that Alcan would be moderately prevalent based on data from Windows Live Safety Center and 
Windows Live OneCare but we were genuinely surprised once we sifted through the data from the February release. During 
the course of that month, the tool detected Alcan (and, specifically, Alcan.B) on just over 250 thousand unique 
machines, easily the top detection for the month. Compare this to the Win32/Mywife.E worm (aka CME-24), which we 
removed from approximately 40 thousand computers in February.

Alcan.B does not exploit any software vulnerabilities. Instead, it spreads through popular peer-to-peer applications 
and its prevalence is likely due to effective social engineering. Specifically, when sharing copies of itself over a 
P2P network, to name the copies, it contacts several websites to look for the names of recent, popular program cracks. 
Thus, the worm's name is always relatively up-to-date and attractive to those surfing these networks for cracks. Also, 
when the worm is run, instead of displaying nothing or popping up 50 browser windows, it displays what appears to be a 
setup wizard window, as displayed in our write-up. When the user clicks next, an error message is displayed. Thus, the 
user is fooled into thinking that what he or she just ran was a buggy or incomplete program, not a worm.

[snip]

http://blogs.technet.com/antimalware/archive/2006/04/03/424113.aspx

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.