
Virus Encyclopedia


Alanchum.NX

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Alanchum.NX carries out the following actions:

  • It has rootkit functionalities, which allow it to hide files, processes and Windows Registry entries.
  • It sends spam on a massive scale. In order to do so, it harvests email addresses stored on the affected computer and hosts them on a certain website.
  • This way, new email addresses to which spam can be sent are added whenever a computer is affected by Alanchum.NX.

Infection strategy 

Alanchum.NX creates the following files in the Windows system directory:

  • GAME0.EXE.EXE, which is a copy of the Trojan, and TASKDIR.EXE, which is a copy of GAME0.EXE hidden by the rootkit.
  • ADIR.DLL. This file belongs to the rootkit Alanchum.JF.
  • GAME4.EXE, which downloads updates of the Trojan, and CLCBT.EXE, which is a copy of GAME4.EXE hidden by the rootkit.
  • GAME1.EXE, which acts as a mail server, and ADIRSS.EXE, which is a copy of GAME1.EXE hidden by the rootkit.
  • GAME2.EXE. This file harvests email addresses stored on the affected computer and then hosts them on a certain website.
  • GAME5.EXE.EXE, which drops a driver.
  • SVCP.CSV, which contains data about the configuration of the Trojan.
  • PEERS.INI, WINCOM32.SYS and ZLBW.DLL.

 

Alanchum.NX creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    taskdir = %sysdir%\taskdir.exe

    where %sysdir% is the Windows system directory.
    By creating these entries, Alanchum.NX ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    clcbt.exe = %sysdir%\clcbt.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sysinter = %sysdir%\adirss.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    CTFMON.EXE = %sysdir%\ctfmon.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32
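
The Registry entries listed above can be checked against a .reg export with a short script. This is an added example, not Panda Security's own tooling; the function name, the sample export and the default system directory C:\WINDOWS\system32 are assumptions. Because the rootkit hides Registry entries, the export is assumed to come from an offline copy of the hives rather than from the running system.

```python
import re

# Run values listed on this page: (hive, value name) -> (file in %sysdir%, confidence).
# "weak": clean Windows XP installs also have a ctfmon.exe Run value, so not conclusive.
RUN_IOCS = {
    ("hkey_current_user", "taskdir"): ("taskdir.exe", "strong"),
    ("hkey_local_machine", "clcbt.exe"): ("clcbt.exe", "strong"),
    ("hkey_local_machine", "sysinter"): ("adirss.exe", "strong"),
    ("hkey_current_user", "ctfmon.exe"): ("ctfmon.exe", "weak"),
}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
SERVICE_KEYS = (
    r"hkey_local_machine\system\currentcontrolset\enum\root\legacy_wincom32",
    r"hkey_local_machine\system\currentcontrolset\services\wincom32",
)

def scan_reg_export(text, sysdir=r"C:\WINDOWS\system32"):
    """Return (confidence, key, detail) per page indicator; Run data must match the full path."""
    findings, key = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() in SERVICE_KEYS:
                findings.append(("strong", key, "wincom32 key present"))
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line)  # string values only
        if not m or not key.lower().endswith(RUN_SUFFIX):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        hive = key.split("\\", 1)[0].lower()
        ioc = RUN_IOCS.get((hive, name.lower()))
        if ioc and data.lower() == f"{sysdir}\\{ioc[0]}".lower():
            findings.append((ioc[1], key, f"{name} = {data}"))
    return findings

# Constructed sample export (not taken from a real system).
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"taskdir"="C:\\WINDOWS\\system32\\taskdir.exe"
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysinter"="C:\\WINDOWS\\system32\\adirss.exe"
"clcbt.exe"="C:\\Program Files\\Other\\clcbt.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32]
"Type"=dword:00000001
'''

if __name__ == "__main__":
    for confidence, key, detail in scan_reg_export(SAMPLE):
        print(f"[{confidence}] {key}: {detail}")
```

The CTFMON.EXE value is reported as weak and should only be weighed together with the other entries.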

Means of transmission 

Alanchum.NX is downloaded by the Trojan detected as Gagar.CG.

Further Details  

Alanchum.NX is 54,435 bytes in size.