News on Alcan, Mywife.E

In Bill Gates' keynote at RSA in February, one of the subjects he spoke on was the ability for Microsoft to have a comprehensive view of the evolving threat landscape using the information and feedback from such tools as Hotmail, Watson, the Windows Malicious Software Removal Tool, and Windows Defender.

Each month, the Malicious Software Removal Tool runs on approximately 250 million computers, mainly via Windows Update and Automatic Updates. In February's release of the tool, we added the ability to detect and remove a worm called Win32/Alcan. We believed that Alcan would be moderately prevalent based on data from Windows Live Safety Center and Windows Live OneCare but we were genuinely surprised once we sifted through the data from the February release. During the course of that month, the tool detected Alcan (and, specifically, Alcan.B) on just over 250 thousand unique machines, easily the top detection for the month. Compare this to the Win32/Mywife.E worm (aka CME-24), which we removed from approximately 40 thousand computers in February.

Alcan.B does not exploit any software vulnerabilities. Instead, it spreads through popular peer to peer applications and its prevalence is likely due to effective social engineering. Specifically, when sharing copies of itself over a P2P network, to name the copies, it contacts several websites to look for the names of recent, popular program cracks. Thus, the worm's name is always relatively up-to-date and attractive to those surfing these networks for cracks. Also, when the worm is run, instead of displaying nothing or popping up 50 browser windows, it displays what appears to be a setup wizard window, as displayed in our write-up. When the user clicks next, an error message is displayed. Thus, the user is fooled into thinking that what he or she just ran was a buggy or incomplete program, not a worm.

Threats like this reinforce the idea that malware that exploits user weakness can be as dangerous as those threats which exploit software vulnerabilities and reinforces the value of up-to-date antivirus products as well as general user vigilance.

Matt