Win32/Alcan is a worm that spreads via peer-to-peer networking applications. It may prevent system utilities from working and/or infect the PC with other malware.
Win32/Alcan has the file icon of an installation application and displays a window that appears to be an installation wizard. Regardless of what you choose on this wizard, Win32/Alcan installs itself and is running, even when the window is no longer visible. If you press the "Next" button, it will display a fake error message, such as "Setup cannot continue on windows NT based systems , Click ok to end Setup". Here is an example screenshot of the setup wizard:
Win32/Alcan creates a hidden folder for itself under the "Program Files" folder and copies itself there. It will set a registry key to make itself run on startup out of this folder. This hidden folder will have a name like "winupdates" or "msconfigs".
It will share itself out via P2P networks using filenames it gathered from various websites.
When run, it attempts to disable a number of system tools by creating files matching their filename but with a ".com" extension instead of a ".exe" extension. When run from the Run window or a command prompt without explicitly specifying the extension, Windows will report the error "The NTVDM CPU has encountered an illegal instruction". The tools affected by this are: cmd, netstat, ping, regedit, taskkill, tasklist, and tracert. Additionally, taskmgr is opened and locked by Win32/Alcan so that it may not be run. Attempts to run it will cause Windows to give the error "Another program is currently using this file".
Some versions of Win32/Alcan will install other malicious software, such as Win32/Rbot, onto your computer.