Home / malware Virus:W32/Alman.A
First posted on 20 April 2007.
Source: SecurityHomeAliases :
Virus:W32/Alman.A is also known as W32.Almanahe.B, Virus.Win32.Alman.a, W32/Almanahe.A, PE_CORELINK.A.
Explanation :
This network propagating virus infects all executable files in the system. It also has rootkit capabilities.
- [Windows Directory]linkinfo.dll - infector component
- [Windows System Directory]driversDKIS6.sys - rootkit component
- [Windows System Directory]driversRioDrvs.sys - rootkit component
The following launch point is added by registering the dropped file as a service:
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRioDrvs
It has the following information:
- DisplayName = "RioDrvs Usb Driver"
- ImagePath = "system32DriversRioDrvs.sys"
The file linkinfo.dll is injected into explorer.exe and is hidden by the rootkit components.
The following mutexes are created by the malware:
- __DL5EX__
- __DL_CORE_MUTEX__
- ACPI#PNP0D0D#1#Amd_DL5
This polymorphic virus infects all .EXE files in the affected system. It appends its code to the target file and sets this as an additional code section. It searches for files to infect in all fixed, shared, and removable drives.
It skips infecting files located in the following directories:
- Local SettingsTemp
- Windows
- WinNT
It also skips infecting files matching the following names:
- ´ó»°Î÷ÓÎ.exe
- asktao.exe
- au_unins_web.exe
- audition.exe
- autoupdate.exe
- ca.exe
- cabal.exe
- cabalmain.exe
- cabalmain9x.exe
- config.exe
- dbfsupdate.exe
- dk2.exe
- dragonraja.exe
- flyff.exe
- game.exe
- gc.exe
- hs.exe
- kartrider.exe
- main.exe
- maplestory.exe
- meteor.exe
- mhclient-connect.exe
- mjonline.exe
- mts.exe
- nbt-dragonraja2006.exe
- neuz.exe
- nmcosrv.exe
- nmservice.exe
- nsstarter.exe
- patcher.exe
- patchupdate.exe
- sealspeed.exe
- trojankiller.exe
- userpic.exe
- wb-service.exe
- woool.exe
- wooolcfg.exe
- xlqy2.exe
- xy2.exe
- xy2player.exe
- zfs.exe
- zhengtu.exe
- ztconfig.exe
- zuonline.exe
This virus terminates processes with names that match the following strings:
- c0nime.exe
- cmdbcs.exe
- ctmontv.exe
- explorer.exe
- fuckjacks.exe
- iexpl0re.exe
- iexplore.exe
- internat.exe
- logo_1.exe
- logo1_.exe
- lsass.exe
- lying.exe
- msdccrt.exe
- msvce32.exe
- ncscv32.exe
- nvscv32.exe
- realschd.exe
- rpcs.exe
- run1132.exe
- rundl132.exe
- smss.exe
- spo0lsv.exe
- spoclsv.exe
- ssopure.exe
- svch0st.exe
- svhost32.exe
- sxs.exe
- sysbmw.exe
- sysload3.exe
- tempicon.exe
- upxdnd.exe
- wdfmgr32.exe
- wsvbs.exe
However, the path of the files associated with the above mentioned processes should not contain the following strings:
- com
- program files
- system
- windows
- winnt
Once the process is terminated, the corresponding file is also deleted.
The virus accesses network shares using the Administrator account name and one of the following passwords:
- !@#$
- !@#$%
- !@#$%^
- !@#$%^&
- !@#$%^&*
- !@#$%^&*(
- !@#$%^&*()
- 1
- 111
- 123
- 1234
- 12345
- 123456
- 654321
- admin
- asdf
- asdfgh
- qaz
- qazwsx
- qwer
- zxcv
Once connected, it drops a copy of itself as C$Ins.exe.
The dropped file is executed as a service with the service name DLAN.
This virus will attempt to connect to the following site to update itself or send data regarding the infected system:
- http://tj.imrw0rldwide.com/[REMOVED].asp
Last update 20 April 2007