All3gro | |
---|---|
Type | Mass mailer worm |
Creator | |
Date Discovered | 2001.08.17 |
Place of Origin | |
Source Language | C++ |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | 28,672 bytes |
Reported Costs | |
All3gro, sometimes also called Allgro or Atirus, is a nematode. It attempts to thwart the worms Sircam, Badtrans and Prettypark.
Behavior
All3gro arrives in an email with a subject line of "New antivirus tool" and an attachment named "Antivirus.exe". The message body is "Hey, checkout this new antivirus tool which checks your system for viruses".
When All3gro is executed, it copies itself to the system folder as Setup30.exe. It adds this file as the registry value "Kernel Setup" under the local machine Run key, ensuring it starts every time Windows does. The worm looks for email addresses stored on the system and uses Messaging Application Programming Interface (MAPI) commands to send emails with copies of itself.
All3gro searches for Sircam, Badtrans and Prettypark and tries to remove them. It also searches for and removes all .vbs, Mirc.ini and Script.ini files.
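The mail and persistence indicators described above can be checked with a short triage script. This is an added example, not code from the sources cited on this page. It assumes the Run key listing is text in the layout printed by `reg query`; the full key path, the system folder path and the sample message are constructed for illustration.

```python
import email
import ntpath
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in the description above (compared case-insensitively).
SUBJECT, ATTACHMENT = "new antivirus tool", "antivirus.exe"
RUN_VALUE, DROPPED_FILE = "kernel setup", "setup30.exe"
# One `reg query` value line: name, type and data separated by four spaces.
REG_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def check_message(raw):
    """Return which mail indicators ('subject', 'attachment') a message has."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    if any((p.get_filename() or "").lower() == ATTACHMENT for p in msg.walk()):
        hits.append("attachment")
    return hits

def check_run_key(reg_output):
    """Return (name, data) for Run values matching the worm's persistence."""
    hits = []
    for m in filter(None, map(REG_LINE.match, reg_output.splitlines())):
        name, data = m.group(1).strip(), m.group(3).strip()
        target = ntpath.basename(data.strip('"')).lower()
        if name.lower() == RUN_VALUE or target == DROPPED_FILE:
            hits.append((name, data))
    return hits

def sample_message():
    """Constructed test message; the attachment body is placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "New antivirus tool"
    msg.set_content("Hey, checkout this new antivirus tool")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="Antivirus.exe")
    return msg.as_string()

# Constructed `reg query` output; the key path and folder are assumptions.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Kernel Setup    REG_SZ    C:\WINDOWS\SYSTEM\Setup30.exe
"""
```

A Run value is flagged when either its name or its target file name matches, so a renamed value that still points at Setup30.exe is reported as well.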
Effects
All3gro never became widespread. Although it actually did delete some files associated with certain worms, its claims to be antivirus software were dismissed as simply a social engineering tactic.
Sources
Peter Szor. Symantec, W32.Allgro@mm. 2007.02.13
John Leyden. The Register, Virus poses as antivirus utility. 2001.08.21