First posted on 11 June 2007.
Source: SecurityHome
Virus:W32/Alman.B is also known as Virus.Win32.Alman.b.
This network-propagating virus infects executable files on the system. It also has rootkit capabilities.
When an infected file is started, the virus decrypts its body and drops two files:
- %WinDir%\linkinfo.dll
- %WinSysDir%\drivers\IsDrv118.sys
The DLL is the main virus component. The SYS file is a rootkit component that hides certain files and Registry keys, so on an infected system they may not appear in ordinary directory listings or Registry queries.
The dropped DLL is injected into the Windows Explorer process and runs with system privileges.
To spread across the network, the virus tries to connect to the IPC$ share of other hosts with the login 'Administrator' and performs a dictionary attack on the Administrator password using these values:
- admin
- 1
- 111
- 123
- aaa
- 12345
- 123456789
- 654321
- !@#$
- asdf
- asdfgh
- !@#$%
- !@#$%^
- !@#$%^&
- !@#$%^&*
- !@#$%^&*(
- !@#$%^&*()
- qwer
- admin123
- love
- test123
- owner
- mypass123
- root
- letmein
- qwerty
- abc123
- password
- monkey
- password1
If the connection succeeds, the virus copies itself as 'Setup.exe' to the root of the system drive and starts the copied file as a service.
The virus infects EXE files that are not protected by the Windows System File Checker (SFC) on local, removable and remote drives. It does not infect files with these names:
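The spreading routine above leaves a characteristic trace on any target with logon auditing enabled: a burst of failed network logons (event 4625, logon type 3) for the Administrator account from one source host, followed by a successful network logon (4624) from the same source if a dictionary entry matched. The following is an added example, not code from the original description: a small Python detector that runs that logic over constructed sample events. The event field names and the pipe-delimited sample lines are assumptions made for the example; real Security log exports would need a different parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real log data) of Windows Security log events reduced to
# the fields that matter: timestamp | event ID | target account | logon type | source address.
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network logon (SMB/IPC$).
# 10.0.0.5 guesses six times and then succeeds; 10.0.0.9 is a normal user mistyping;
# 10.0.0.7 guesses five times and never gets in.
SAMPLE_LOG = """\
2007-06-11 09:58:10|4624|jsmith|2|127.0.0.1
2007-06-11 10:00:01|4625|Administrator|3|10.0.0.5
2007-06-11 10:00:01|4625|Administrator|3|10.0.0.5
2007-06-11 10:00:02|4625|Administrator|3|10.0.0.5
2007-06-11 10:00:02|4625|Administrator|3|10.0.0.5
2007-06-11 10:00:03|4625|Administrator|3|10.0.0.5
2007-06-11 10:00:03|4625|Administrator|3|10.0.0.5
2007-06-11 10:00:04|4624|Administrator|3|10.0.0.5
2007-06-11 10:05:00|4625|Administrator|3|10.0.0.9
2007-06-11 10:05:30|4625|Administrator|3|10.0.0.9
2007-06-11 10:06:00|4624|Administrator|3|10.0.0.9
2007-06-11 11:20:00|4625|Administrator|3|10.0.0.7
2007-06-11 11:20:00|4625|Administrator|3|10.0.0.7
2007-06-11 11:20:01|4625|Administrator|3|10.0.0.7
2007-06-11 11:20:01|4625|Administrator|3|10.0.0.7
2007-06-11 11:20:02|4625|Administrator|3|10.0.0.7
"""


def parse_event(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, event_id, account, logon_type, source = line.split("|")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "id": int(event_id),
        "account": account,
        "logon_type": int(logon_type),
        "source": source,
    }


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_guessing_sources(events, account="Administrator", threshold=5,
                          window=timedelta(minutes=2)):
    """Return {source: {"failures": n, "success_after": bool}} for every source
    that produced at least `threshold` failed network logons for `account`
    within `window`. success_after is True when a successful network logon for
    the same account followed the burst from the same source, which is the
    Alman.B pattern of guessing until one dictionary entry works."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["account"].lower() == account.lower() and e["logon_type"] == 3:
            by_source[e["source"]].append(e)

    hits = {}
    for src, evs in by_source.items():
        failures = [e for e in evs if e["id"] == 4625]
        burst_end = None
        start = 0
        # Sliding window over failure timestamps: find the first window holding
        # `threshold` failures and remember when it closed.
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["time"]
                break
        if burst_end is None:
            continue
        success_after = any(e["id"] == 4624 and e["time"] >= burst_end for e in evs)
        hits[src] = {"failures": len(failures), "success_after": success_after}
    return hits


if __name__ == "__main__":
    for src, info in find_guessing_sources(parse_log(SAMPLE_LOG)).items():
        status = "LIKELY COMPROMISED" if info["success_after"] else "guessing, no success seen"
        print(f"{src}: {info['failures']} failed Administrator logons; {status}")
```

The threshold of five failures in two minutes is an assumption chosen for the sample; Alman.B tries thirty passwords back to back, so any value in that range catches it while leaving a user who mistypes a password twice alone. A flagged source with success_after set is the host to isolate first, since it is the one that will next write Setup.exe to the target and start it as a service.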
- zhengtu.exe
- audition.exe
- kartrider.exe
- nmservice.exe
- ca.exe
- nmcosrv.exe
- nsstarter.exe
- maplestory.exe
- neuz.exe
- zfs.exe
- gc.exe
- mts.exe
- hs.exe
- mhclient-connect.exe
- dragonraja.exe
- nbt-dragonraja2006.exe
- wb-service.exe
- game.exe
- xlqy2.exe
- sealspeed.exe
- asktao.exe
- dbfsupdate.exe
- autoupdate.exe
- dk2.exe
- main.exe
- userpic.exe
- zuonline.exe
- config.exe
- mjonline.exe
- patcher.exe
- meteor.exe
- cabalmain.exe
- cabalmain9x.exe
- cabal.exe
- au_unins_web.exe
- xy2.exe
- flyff.exe
- xy2player.exe
- trojankiller.exe
- patchupdate.exe
- ztconfig.exe
- woool.exe
- wooolcfg.exe
The virus also doesn't infect files located in the following folders:
- LOCAL SETTINGS\TEMP
- QQ
- WINNT
- WINDOWS
The virus terminates the following processes:
- sxs.exe
- lying.exe
- logo1_.exe
- logo_1.exe
- fuckjacks.exe
- spoclsv.exe
- nvscv32.exe
- svch0st.exe
- c0nime.exe
- iexpl0re.exe
- ssopure.exe
- upxdnd.exe
- wdfmgr32.exe
- spo0lsv.exe
- ncscv32.exe
- iexplore.exe
- iexpl0re.exe
- ctmontv.exe
- explorer.exe
- internat.exe
- lsass.exe
- smss.exe
- svhost32.exe
- rundl132.exe
- msvce32.exe
- rpcs.exe
- sysbmw.exe
- tempicon.exe
- sysload3.exe
- run1132.exe
- msdccrt.exe
- wsvbs.exe
- cmdbcs.exe
- realschd.exe
If the files belonging to the terminated processes are located in specific folders, they are deleted.
Last update 11 June 2007