
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Alanchum.UG

Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Alanchum.UG carries out the following actions:

  • It has rootkit functionalities, which allow it to hide files, processes and Windows Registry entries.
  • It sends spam in bulk. To do so, it harvests email addresses stored on the affected computer and stores them on a certain website.
  • This way, it adds new email addresses to which to send spam whenever a computer is affected by Alanchum.UG.

Infection strategy 

Alanchum.UG creates the following files in the Windows system directory:

  • ADIRKA.EXE, which is a copy of the Trojan, and TASKDIR.EXE, which is a copy of ADIRKA.EXE hidden by the rootkit.
  • ADIRKA.DLL. This file belongs to the rootkit Alanchum.JF.
  • DD.EXE, which contains data about the configuration of the Trojan, and DD[1].EXE, in the temporary directory of Internet Explorer.
  • SM.EXE, which acts as a mail server and SM[1].EXE, in the temporary directory of Internet Explorer.
  • ZLBW.DLL, which is a DLL used by Alanchum.UG in order to compress and decompress files.


Alanchum.UG creates the following entry in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    taskdir = %sysdir%\adirka.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Alanchum.UG ensures that it is run whenever Windows is started.

Means of transmission 

Alanchum.UG reaches the computer when it is downloaded by other malware, such as Adware/CWS.

Further Details  

Alanchum.UG is 58,518 bytes in size and it is compressed with PEncrypt v3.1f.
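
The indicators listed above can be matched against a file listing and a Run-key export. The following Python sketch is an added example, not part of the original entry or any Panda tool; it assumes the listings were collected offline (for example from a disk image), since the rootkit hides files and Registry entries on the running system, and the function names, the sample data and the "Temporary Internet Files" folder name are assumptions.

```python
import ntpath
# Indicators taken from the encyclopedia entry above (compared case-insensitively).
SYSDIR_NAMES = {"adirka.exe", "taskdir.exe", "adirka.dll", "dd.exe", "sm.exe", "zlbw.dll"}
IE_CACHE_NAMES = {"dd[1].exe", "sm[1].exe"}
TROJAN_COPIES = {"adirka.exe", "taskdir.exe"}  # copies of the Trojan itself
TROJAN_SIZE = 58518                             # bytes, from "Further Details"
RUN_KEY = r"software\microsoft\windows\currentversion\run"
IE_CACHE_MARKER = "\\temporary internet files\\"  # assumption: classic IE cache folder name

def match_files(listing, sysdir):
    """Return (path, reason) findings for (path, size) pairs from a file listing."""
    sysdir = ntpath.normpath(sysdir).lower()
    findings = []
    for path, size in listing:
        norm = ntpath.normpath(path).lower()
        folder, name = ntpath.split(norm)
        if name in SYSDIR_NAMES and folder == sysdir:
            size_ok = name in TROJAN_COPIES and size == TROJAN_SIZE
            findings.append((path, "system-dir name" + (" + size" if size_ok else "")))
        elif name in IE_CACHE_NAMES and IE_CACHE_MARKER in norm:
            findings.append((path, "IE cache name"))
    return findings

def match_run_values(values, sysdir):
    """Return (key, name, data) Run values matching the persistence entry."""
    target = ntpath.join(ntpath.normpath(sysdir), "adirka.exe").lower()
    hits = []
    for key, name, data in values:
        # The hive root prefix varies between exports, so only the key suffix is compared.
        key_ok = key.lower().rstrip("\\").endswith(RUN_KEY)
        data_norm = ntpath.normpath(data.strip().strip('"')).lower()
        if key_ok and name.lower() == "taskdir" and data_norm == target:
            hits.append((key, name, data))
    return hits

# Constructed sample input (not taken from a real system).
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\adirka.exe", 58518),
    (r"C:\WINDOWS\system32\TASKDIR.EXE", 58518),
    (r"C:\WINDOWS\system32\sm.exe", 40960),
    (r"C:\Tools\dd.exe", 12345),  # same name, wrong folder: not reported
    (r"C:\Documents and Settings\u\Local Settings\Temporary Internet Files\Content.IE5\AB12\dd[1].exe", 2048),
]
SAMPLE_RUN = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "taskdir", r"C:\WINDOWS\system32\adirka.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
if __name__ == "__main__":
    print(match_files(SAMPLE_FILES, r"C:\WINDOWS\system32"), match_run_values(SAMPLE_RUN, r"C:\WINDOWS\system32"))
```

A name-only match (such as sm.exe or dd.exe) is weak on its own, because those names are also used by legitimate tools; the folder check and the size check on the Trojan copies are what narrow it down.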