Win32.Almanahe.D
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Almanahe.D is also known as Almanahe.
Explanation:
Win32.Almanahe.D is a polymorphic file infector that affects PE executable files. The worm has 3 components: prepended code at the start of the infected file, and a DLL library file and a SYS driver file at the end of the file.
The prepended code decrypts the code of the other two components, drops the "linkinfo.dll" file in the %windir% directory, calls one of its exports to start the infection, and then continues execution of the original PE file.
The dropped "linkinfo.dll" file intercepts calls to the clean "linkinfo.dll" file located in the %system% directory and calls the requested functions from the original DLL. It then injects itself into the "explorer.exe" process and starts several threads to infect PE files with ".exe" or ".tmp" extensions on local drives and network shares.
The worm drops two SYS files with driver functionality: "%system%\drivers\IsDrv122.sys", which is loaded into memory as a driver, and "%system%\drivers\cdralw.sys", which is registered as a system service. These two files are the rootkit component of the virus; their role is to hide the other components of Win32.Almanahe.D.
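The dropped files named above can be swept for on an offline-mounted volume, since the rootkit drivers are described as hiding the components on a running system. The following is an added example, not BitDefender's code; it assumes %system% is the system32 folder under %windir%, and the function names and the directory tree built in demo() are constructed for illustration.

```python
import os
import tempfile

# Artifact paths from the description, relative to the Windows directory.
# Assumption: %system% is the system32 folder under %windir%.
ARTIFACTS = {
    "linkinfo.dll": "dropped DLL in %windir% (the clean copy lives in %system%)",
    "system32/drivers/IsDrv122.sys": "rootkit driver loaded into memory",
    "system32/drivers/cdralw.sys": "rootkit driver registered as a service",
}

def resolve_nocase(root, relpath):
    """Resolve relpath under root ignoring case, as Windows would.
    Returns the real path of a regular file, or None."""
    current = root
    for part in relpath.split("/"):
        try:
            names = os.listdir(current)
        except OSError:  # missing directory, or a file where a folder was expected
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isfile(current) else None

def sweep(windir):
    """Return {relative artifact path: (found path, meaning)} for each hit."""
    hits = {}
    for rel, meaning in ARTIFACTS.items():
        found = resolve_nocase(windir, rel)
        if found:
            hits[rel] = (found, meaning)
    return hits

def demo():
    """Build a constructed directory tree with mixed-case names and sweep it."""
    with tempfile.TemporaryDirectory() as windir:
        drivers = os.path.join(windir, "System32", "DRIVERS")
        os.makedirs(drivers)
        # Clean linkinfo.dll in its normal place: must not be reported.
        open(os.path.join(windir, "System32", "linkinfo.dll"), "wb").close()
        open(os.path.join(windir, "LinkInfo.dll"), "wb").close()
        open(os.path.join(drivers, "isdrv122.sys"), "wb").close()
        return sorted(sweep(windir))

if __name__ == "__main__":
    print(demo())
```

Pass sweep() the Windows directory of the mounted image; matching is case-insensitive because a case-sensitive host would otherwise miss names stored as "System32" or "DRIVERS".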
The virus infects PE files with ".exe" or ".tmp" extensions from local drives and network shares.
It avoids infecting files located in directories that contain the following strings:
LOCAL SETTINGS\TEMP
WINDOWS
WINNT
and with the following names:
"zhengtu.exe"
"audition.exe"
"kartrider.exe"
"nmservice.exe"
"ca.exe"
"nmcosrv.exe"
"nsstarter.exe"
"maplestory.exe"
"neuz.exe"
"zfs.exe"
"gc.exe"
"mts.exe"
"hs.exe"
"mhclient-connect.exe"
"dragonraja.exe"
"nbt-dragonraja2006.exe"
"wb-service.exe"
"game.exe"
"xlqy2.exe"
"sealspeed.exe"
"asktao.exe"
"dbfsupdate.exe"
"autoupdate.exe"
"dk2.exe"
"main.exe"
"userpic.exe"
"zuonline.exe"
"config.exe"
"mjonline.exe"
"patcher.exe"
"meteor.exe"
"cabalmain.exe"
"cabalmain9x.exe"
"cabal.exe"
"au_unins_web.exe"
"xy2.exe"
"flyff.exe"
"xy2player.exe"
"trojankiller.exe"
"patchupdate.exe"
"ztconfig.exe"
"woool.exe"
"wooolcfg.exe"
"wow.exe"
"repair.exe"
"launcher.exe"
It tries to install itself as a network service and to copy itself as "c:\setup.exe" to network computers, which it accesses with the Administrator account and the following weak passwords:
"[blank]"
"admin"
"1"
"111"
"123"
"aaa"
"12345"
"123456789"
"654321"
"!@#$"
"asdf"
"asdfgh"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"!@#$%^&*("
"!@#$%^&*()"
"qwer"
"admin123"
"love"
"test123"
"owner"
"mypass123"
"root"
"letmein"
"qwerty"
"abc123"
"password"
"monkey"
"password1"
It also terminates processes with the following names and deletes the associated files:
"sxs.exe"
"lying.exe"
"logo1_.exe"
"logo_1.exe"
"fuckjacks.exe"
"spoclsv.exe"
"nvscv32.exe"
"svch0st.exe"
"c0nime.exe"
"iexpl0re.exe"
"ssopure.exe"
"upxdnd.exe"
"wdfmgr32.exe"
"spo0lsv.exe"
"ncscv32.exe"
"iexplore.exe"
"iexpl0re.exe"
"ctmontv.exe"
"explorer.exe"
"internat.exe"
"lsass.exe"
"smss.exe"
"svhost32.exe"
"rundl132.exe"
"msvce32.exe"
"rpcs.exe"
"sysbmw.exe"
"tempicon.exe"
"sysload3.exe"
"run1132.exe"
"msdccrt.exe"
"wsvbs.exe"
"cmdbcs.exe"
"realschd.exe"
but not those located in directories like:
program files
system
com
winnt
windows
The virus also has the ability to send data and download additional files from the URL:
[hide]s.rm510.com:53
Last update 21 November 2011