Also Known As: W32.Alcan.A, Win32.Alcan.A [Computer Associates],
P2P-Worm.Win32.Alcan.a [Kaspersky Lab], W32/Alcan.worm!p2p [McAfee],
W32/Alcra-A [Sophos], WORM_ALCAN.A [Trend Micro]
[[This worm drops the legitimate file compression DLL, BSZIP.DLL in the
Windows system folder. It does this so it can compress itself. It also drops
the following files in the Windows system folder:
CMD.COM
NETSTAT.COM
PING.COM
REGEDIT.COM
TASKKILL.COM
TASKLIST.COM
TRACERT.COM
These files contain the string MZ so that this worm can disable the
following Windows tool applications:
CMD.EXE
NETSTAT.EXE
PING.EXE
REGEDIT.EXE
TASKKILL.EXE
TASKLIST.EXE
TRACERT.EXE ]]
From...
WORM_ALCAN.A - Technical details
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALCAN.A&VSect=T
Symantec Security Response - W32.Alcra.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html
Do a search for the *.com files mentioned above.
I believe that these are the legitimate Windows XP *.com files.
In C:\WINDOWS\system32\ or %windir%\system32\
chcp.com (Change CodePage Utility)
command.com (MS-DOS Prompt)
diskcomp.com (Disk Comparison Utility)
diskcopy.com (Disk Copy Utility)
edit.com (MS-DOS Editor)
format.com (Disk Format Utility)
graftabl.com (Graftabl Utility)
graphics.com (graphics for compatibility with MS-DOS files)
kb16.com (16-bit keyboard mapping utility, previously known as the Keyb.com
utility)
loadfix.com (loadfix)
mode.com (DOS Device MODE Utility)
more.com (More Utility)
tree.com (Tree Walk Utility)
win.com (WIN.COM for compatibility??? WIN.COM was the executable file
used to load Microsoft Windows 3.1, 3.11, 95 and 98. I have no idea what it
does in XP.)
NTDETECT.COM (NTDETECT detects installed hardware components when XP boots.)
You may have more legitimate .com files such as WZ.COM (WinZip running DOS
program). C:\Program Files\WinZip\WZ.COM or %programfiles%\WZ.COM
The COM extension is short for Command and is an executable file like .EXE, only
smaller. It is supposed to be less than 64K in size.
When you run a command that does not contain an extension, Cmd.exe uses the
value of the PATHEXT environment variable to determine which extensions to
look for and in what order. The default value for the PATHEXT variable is:
.COM;.EXE;.BAT;.CMD
The Run command uses the same rule.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In
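The PATHEXT resolution rule described in the post above, as an added example that is not part of the original post: a Python sketch that applies the extension order to one folder and lists same-named files where an earlier extension hides a later one. The function names and the sample folder contents are constructed for illustration.

```python
import os
import tempfile

DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"  # default order quoted in the post


def resolve(directory, command, pathext=DEFAULT_PATHEXT):
    """Return the file an extensionless command resolves to in one directory."""
    present = {name.upper(): name for name in os.listdir(directory)}
    for ext in pathext.upper().split(";"):
        candidate = command.upper() + ext
        if ext and candidate in present:
            return present[candidate]
    return None


def find_shadowed(directory, pathext=DEFAULT_PATHEXT):
    """List (winner, shadowed) pairs: files sharing a base name where an
    earlier PATHEXT extension hides a later one."""
    order = [e for e in pathext.upper().split(";") if e]
    by_base = {}
    for name in os.listdir(directory):
        base, ext = os.path.splitext(name)
        if ext.upper() in order:
            by_base.setdefault(base.upper(), {})[ext.upper()] = name
    pairs = []
    for base in sorted(by_base):
        found = [by_base[base][e] for e in order if e in by_base[base]]
        pairs.extend((found[0], loser) for loser in found[1:])
    return pairs


def build_sample_dir():
    """Constructed sample folder: two tools with a same-named .COM beside them,
    one .COM from the post's legitimate list, and one tool with no twin."""
    root = tempfile.mkdtemp(prefix="pathext_demo_")
    names = ("cmd.exe", "CMD.COM", "ping.exe", "PING.COM", "more.com", "notepad.exe")
    for name in names:
        with open(os.path.join(root, name), "wb") as handle:
            handle.write(b"MZ")  # placeholder content only
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    print("ping resolves to:", resolve(sample, "ping"))
    for winner, loser in find_shadowed(sample):
        print(f"{winner} runs instead of {loser}")
```

Pointing `find_shadowed` at `%windir%\system32` on an affected machine would list each dropped .COM next to the .EXE it hides, while the legitimate .COM files named in the post have no same-named .EXE and are not reported.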