
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Alanchum.NX

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Alanchum.NX carries out the following actions:

  • It has rootkit functionalities, which allow it to hide files, processes and Windows Registry entries.
  • It sends spam on a massive scale. To do so, it harvests email addresses stored on the affected computer and hosts them on a certain website.
  • This way, it adds new email addresses to which to send spam whenever a computer is affected by Alanchum.NX.

Infection strategy 

Alanchum.NX creates the following files in the Windows system directory:

  • GAME0.EXE.EXE, which is a copy of the Trojan, and TASKDIR.EXE, which is a copy of GAME0.EXE hidden by the rootkit.
  • ADIR.DLL. This file belongs to the rootkit Alanchum.JF.
  • GAME4.EXE, which downloads updates of the Trojan, and CLCBT.EXE, which is a copy of GAME4.EXE hidden by the rootkit.
  • GAME1.EXE, which acts as a mail server, and ADIRSS.EXE, which is a copy of GAME1.EXE hidden by the rootkit.
  • GAME2.EXE. This file harvests email addresses stored on the affected computer and then hosts them on a certain website.
  • GAME5.EXE.EXE, which drops a driver.
  • SVCP.CSV, which contains data about the configuration of the Trojan.
  • PEERS.INI, WINCOM32.SYS and ZLBW.DLL.

 

Alanchum.NX creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    taskdir = %sysdir%\taskdir.exe

    where %sysdir% is the Windows system directory.
    By creating these entries, Alanchum.NX ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    clcbt.exe = %sysdir%\clcbt.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sysinter = %sysdir%\adirss.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    CTFMON.EXE = %sysdir%\ctfmon.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32
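
An added example, not part of the original encyclopedia entry: a Python check that parses the decoded text of a regedit .reg export and reports the Run values and wincom32 keys listed above. The function name, the confidence labels and the sample export are assumptions made for illustration. Because the Trojan hides registry entries with its rootkit, an empty result from an export taken on the running system does not clear the machine.

```python
import re

RUN = r"\software\microsoft\windows\currentversion\run"
RUN_IOCS = {  # from the list above: (hive, Run value name) -> file name
    ("hkey_current_user", "taskdir"): "taskdir.exe",
    ("hkey_local_machine", "clcbt.exe"): "clcbt.exe",
    ("hkey_local_machine", "sysinter"): "adirss.exe",
    ("hkey_current_user", "ctfmon.exe"): "ctfmon.exe",
}
KEY_IOCS = (
    r"hkey_local_machine\system\currentcontrolset\enum\root\legacy_wincom32",
    r"hkey_local_machine\system\currentcontrolset\services\wincom32",
)
# ctfmon.exe is also a genuine Windows program often started from this Run key: weak signal.
WEAK = {"ctfmon.exe"}
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"(.+?)"="(.*)"$')

def scan_reg_export(text):
    """Return sorted (confidence, key, value_name) findings for decoded .reg text."""
    findings, key = set(), ""
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1).lower()
            for ioc in KEY_IOCS:  # the listed key itself or any subkey of it
                if key == ioc or key.startswith(ioc + "\\"):
                    findings.add(("high", ioc, ""))
            continue
        m = VALUE.match(line)
        hive = key.split("\\", 1)[0]
        if not m or key != hive + RUN:
            continue
        name = m.group(1).lower()
        # Split on backslashes, quotes and spaces so quoted paths with arguments still match.
        parts = re.split(r'[\\" ]+', m.group(2).lower())
        if RUN_IOCS.get((hive, name)) in parts:
            findings.add(("low" if name in WEAK else "high", key, name))
    return sorted(findings)

# Constructed sample export (trimmed), not captured from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"taskdir"="C:\\WINDOWS\\system32\\taskdir.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysinter"="C:\\WINDOWS\\system32\\adirss.exe"
"SoundMan"="SOUNDMAN.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32]'''
```

regedit normally writes .reg files as UTF-16, so decode the file before passing its text to scan_reg_export.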

Means of transmission 

Alanchum.NX is downloaded by the Trojan detected as Gagar.CG.

Further Details  

Alanchum.NX is 54,435 bytes in size.