W32/Alcra-B is a worm for the Windows platform.
W32/Alcra-B spreads via file sharing on P2P networks.
W32/Alcra-B includes functionality to download, install and run new malware executables.
W32/Alcra-B typically arrives with the filename Setup.exe.
When first run, W32/Alcra-B displays a dialog box with the text "Setup", "Welcome to the Setup Wizard ...". W32/Alcra-B creates the folder <Program Files>\winupdates\, copies itself to this folder as winupdates.exe and creates the following files:
All files and folders will have the hidden and system attributes set, including the Windows system folder.
a.zip is a zip archive containing a copy of W32/Alcra-B named Setup.exe.
Bszip.dll is a clean file compression utility.
The new files created in the Windows system folder by W32/Alcra-B with a COM extension are simply 'MZ' stubs (2-byte files containing only "MZ"), designed to disable the standard Windows applications cmd, netstat, ping, regedit, taskkill, tasklist and tracert. Executable files with a COM extension take precedence over files with the same filename and an EXE extension. Therefore, if a user runs "cmd", "netstat", "ping", "regedit", "taskkill", "tasklist" or "tracert", the new file with a COM extension will be executed rather than the legitimate executable with an EXE extension.
The following registry entry is created to run winupdates.exe on startup:
<Program Files>\winupdates\winupdates.exe /auto
Are you typing regedit only? Reading this you may have to manually locate regedit and double click on it.
I assume you're on XP?
Or download a 3rd party tool to edit the registry. Here's one, but I'm sure you can locate others: Registry Commander 1.04
Along the toolbar
Registry Root List
This will show all of the registry options.
Before using, please back up your registry with this tool: ERUNT
Edited by stidyup, 04 July 2005 - 03:26 AM.
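The check below is an added example, not part of the original post or the vendor write-up: it looks in a given folder for .COM files that shadow the seven tools named in the description and flags those that are exactly the 2-byte "MZ" stub. The function names and the temporary sample folder are assumptions constructed for the demonstration; on a real system you would pass the Windows system folder as `system_dir`.

```python
import os
import tempfile

# Tool names the write-up lists as shadowed by the worm's .COM stubs.
SHADOWED = ("cmd", "netstat", "ping", "regedit", "taskkill", "tasklist", "tracert")


def find_com_stubs(system_dir, names=SHADOWED):
    """Return sorted (com_path, size, is_mz_stub, exe_present) tuples for
    every <name>.com in system_dir whose name matches a listed tool."""
    findings = []
    try:
        # Map lower-cased names to on-disk names: Windows matching ignores case.
        entries = {e.lower(): e for e in os.listdir(system_dir)}
    except OSError:
        return findings
    for name in names:
        com = entries.get(name + ".com")
        if com is None:
            continue
        path = os.path.join(system_dir, com)
        if not os.path.isfile(path):
            continue
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            head = fh.read(3)
        # The described stub is exactly two bytes long and contains "MZ".
        is_stub = size == 2 and head == b"MZ"
        findings.append((path, size, is_stub, (name + ".exe") in entries))
    return sorted(findings)


def build_sample_dir():
    """Constructed sample data: a temp folder imitating an affected system folder."""
    d = tempfile.mkdtemp(prefix="alcra_demo_")
    for name in ("cmd", "ping", "regedit"):
        with open(os.path.join(d, name + ".exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)    # stand-in for the real tool
    for name in ("cmd", "regedit"):
        with open(os.path.join(d, name.upper() + ".COM"), "wb") as fh:
            fh.write(b"MZ")                    # 2-byte stub as described
    with open(os.path.join(d, "ping.com"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 100)        # same name, but not a 2-byte stub
    return d


if __name__ == "__main__":
    for path, size, stub, exe in find_com_stubs(build_sample_dir()):
        print(f"{path}  size={size}  mz_stub={stub}  shadows_exe={exe}")
```

Any hit with `is_mz_stub` true is a file to remove before the legitimate EXE will run by bare name again; until then the tool can still be started by typing its full name with the .exe extension.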