Win32/Alman [Threat Name]

Win32/Alman.NAB [Threat Variant Name]

Category virus
Detection created Jun 05, 2007
Signature database version 10425
Aliases Virus.Win32.Alman.b (Kaspersky)
  W32.Almanahe.B!inf (Symantec)
  Virus:Win32/Almanahe.B (Microsoft)
  Win32.Alman.1 (Dr.Web)
Short description

Win32/Alman.NAB is a polymorphic file infector. It uses techniques commonly found in rootkits.

Installation

When executed, the virus creates the following files:

  • %windir%\linkinfo.dll (53248 B, Win32/Alman.NAD)
  • %systemroot%\drivers\cdralw.sys  (15872 B, Win32/Alman.NAD)
  • %systemroot%\drivers\IsDrv122.sys  (15872 B, Win32/Alman.NAD)
  • %systemroot%\System32\drivers\eftcny.sys

The library linkinfo.dll is loaded into the following process (the copy in %windir%, the directory explorer.exe itself runs from, is found before the legitimate system copy in the DLL search order):

  • explorer.exe

The virus may create the following files:

  • %windir%\AppPatch\AcPlugin.dll
  • %windir%\AppPatch\AcPlugin.dll.new
  • %temp%\%variable%

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdralw]
    • "ErrorControl" = 0
    • "Start" = 2
    • "Type" = 1
    • "Tag" = 7
    • "Group" = "Pointer Port"
    • "ImagePath" = "system32\DRIVERS\nvmini.sys"
    • "DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdralw\Security]
    • "Security"= "%variable%"

The virus may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Google]
    • "Version" = "%variable%"
    • "%number%" = "%variable%"

A string with variable content is used in place of %number% and %variable%.

File infection

Win32/Alman.NAB is a polymorphic file infector.


The virus searches local and network drives for files with one of the following extensions:

  • .exe

Executables are infected by appending the code of the virus to the last section.


The host file is modified so that the virus code runs before the original program code.
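As an added triage example (this is not code from the ESET page or from the malware), the Python below checks a PE header for the appending pattern described above. It assumes the infector redirects AddressOfEntryPoint into the code it appended, which is the usual way of making the virus run before the original code; the two-section PE32 it builds is constructed in memory for the demonstration and is not a real sample.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def assess(data):
    """Flag the appending-infector pattern: the entry point lies in the last
    section and that section is both writable and executable."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        raise ValueError("image has no sections")

    def holds(sec, rva):
        return sec["va"] <= rva < sec["va"] + max(sec["vsize"], sec["rawsize"])

    ep_sec = next((s for s in sections if holds(s, entry_rva)), None)
    last = sections[-1]
    wx = bool(last["chars"] & IMAGE_SCN_MEM_WRITE) and bool(last["chars"] & IMAGE_SCN_MEM_EXECUTE)
    ep_in_last = ep_sec is last
    return {"entry_rva": entry_rva,
            "entry_section": ep_sec["name"] if ep_sec else None,
            "ep_in_last_section": ep_in_last,
            "last_section_wx": wx,
            "suspicious": ep_in_last and wx}


def build_sample(infected):
    """Constructed two-section PE32 (hypothetical, not a real binary). The
    infected variant appends code to the last section, marks that section
    executable and points the entry point at the appended code."""
    file_align, sect_align = 0x200, 0x1000
    text_raw = b"\xC3" + b"\x00" * 0x1FF          # 'ret' and padding
    data_raw = b"\x00" * 0x200
    data_vsize = 0x100
    data_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    entry = 0x1000                                # start of .text
    if infected:
        data_raw += b"\x90" * 0x1FF + b"\xC3"     # stand-in for the virus body
        data_vsize = 0x400
        data_chars |= IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
        entry = 0x2000 + 0x200                    # first byte of the appended code

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)     # ImageBase
    struct.pack_into("<I", opt, 32, sect_align)
    struct.pack_into("<I", opt, 36, file_align)
    struct.pack_into("<I", opt, 56, 0x3000)       # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)        # SizeOfHeaders

    def section(name, vsize, va, raw, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x100, 0x1000, len(text_raw), 0x200,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
               + section(b".data", data_vsize, 0x2000, len(data_raw), 0x400, data_chars))
    headers += b"\x00" * (0x200 - len(headers))
    return headers + text_raw + data_raw


if __name__ == "__main__":
    for label in ("clean", "infected"):
        print(label, assess(build_sample(label == "infected")))
```

Treat the result as a triage signal, not a verdict: runtime packers and self-modifying programs also put their entry point in a writable, executable section, so a hit should be followed by comparing the file against a known-good copy or checking its hash.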


It skips files whose path contains any of the following strings:

  • QQ
  • WINNT
  • WINDOWS
  • LOCAL SETTINGS\TEMP

Files with the following names (many of them online game clients and their launchers or updaters) are not infected:

  • zhengtu.exe
  • audition.exe
  • kartrider.exe
  • nmservice.exe
  • ca.exe
  • nmcosrv.exe
  • nsstarter.exe
  • maplestory.exe
  • neuz.exe
  • zfs.exe
  • gc.exe
  • mts.exe
  • hs.exe
  • mhclient-connect.exe
  • dragonraja.exe
  • nbt-dragonraja2006.exe
  • wb-service.exe
  • game.exe
  • xlqy2.exe
  • sealspeed.exe
  • asktao.exe
  • dbfsupdate.exe
  • autoupdate.exe
  • dk2.exe
  • main.exe
  • userpic.exe
  • zuonline.exe
  • config.exe
  • mjonline.exe
  • patcher.exe
  • meteor.exe
  • cabalmain.exe
  • cabalmain9x.exe
  • cabal.exe
  • au_unins_web.exe
  • xy2.exe
  • flyff.exe
  • xy2player.exe
  • trojankiller.exe
  • patchupdate.exe
  • ztconfig.exe
  • woool.exe
  • wooolcfg.exe
  • wow.exe
  • repair.exe
  • launcher.exe

Spreading via shared folders

The virus searches for computers in the local network.


It tries to copy itself to the root of the remote machine's C:\ drive under the following name:

  • setup.exe

The file is then remotely executed.


The following usernames are used:

  • Administrator

The following passwords are used:

  • (empty password)
  • admin
  • 1
  • 111
  • 123
  • aaa
  • 12345
  • 123456789
  • 654321
  • !@#$
  • asdf
  • asdfgh
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • !@#$%^&*(
  • !@#$%^&*()
  • qwer
  • admin123
  • love
  • test123
  • owner
  • mypass123
  • root
  • letmein
  • qwerty
  • abc123
  • password
  • monkey
  • password1
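The spreading behaviour above leaves a recognisable trace on the target: a burst of failed network logons as Administrator from one source, then a successful one once a password from the list matches. The following Python is an added detection example, not code from the ESET page; the Security-log records it runs over are constructed for the demonstration, and the event IDs (4625 failed logon, 4624 successful logon, LogonType 3 for network logons) are the Vista-and-later ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records (not real telemetry), flattened to one line
# per event: timestamp, event ID, then the relevant fields. 4625 = failed logon,
# 4624 = successful logon, LogonType 3 = network logon (SMB); SubStatus
# 0xC000006A = wrong password. 192.168.1.23 plays the infected host.
SAMPLE_EVENTS = """\
2007-06-05T10:00:01 4625 TargetUserName=Administrator LogonType=3 IpAddress=192.168.1.23 SubStatus=0xC000006A
2007-06-05T10:00:01 4625 TargetUserName=Administrator LogonType=3 IpAddress=192.168.1.23 SubStatus=0xC000006A
2007-06-05T10:00:02 4625 TargetUserName=Administrator LogonType=3 IpAddress=192.168.1.23 SubStatus=0xC000006A
2007-06-05T10:00:02 4625 TargetUserName=Administrator LogonType=3 IpAddress=192.168.1.23 SubStatus=0xC000006A
2007-06-05T10:00:03 4625 TargetUserName=Administrator LogonType=3 IpAddress=192.168.1.23 SubStatus=0xC000006A
2007-06-05T10:00:03 4625 TargetUserName=Administrator LogonType=3 IpAddress=192.168.1.23 SubStatus=0xC000006A
2007-06-05T10:00:04 4624 TargetUserName=Administrator LogonType=3 IpAddress=192.168.1.23
2007-06-05T10:01:10 4625 TargetUserName=bob LogonType=3 IpAddress=192.168.1.50 SubStatus=0xC000006A
2007-06-05T10:02:00 4624 TargetUserName=bob LogonType=2 IpAddress=127.0.0.1
"""

LINE = re.compile(r"^(\S+) (\d+) (.*)$")


def parse_event(line):
    """Turn one flattened record into a dict; returns None for unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group(1)), "id": int(m.group(2)), **fields}


def detect_admin_spray(lines, threshold=5, window=timedelta(seconds=60),
                       follow=timedelta(minutes=5)):
    """Report sources that fail >= threshold network logons as Administrator
    within `window`, and whether a network logon from the same source
    succeeded within `follow` after the burst (a guessed password)."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != "3":
            continue
        src = e.get("IpAddress", "-")
        if e["id"] == 4625 and e.get("TargetUserName", "").lower() == "administrator":
            failures[src].append(e["ts"])
        elif e["id"] == 4624:
            successes[src].append(e["ts"])
    alerts = []
    for src, times in failures.items():
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                end = times[j]
                hit = next((t for t in successes[src] if end <= t <= end + follow), None)
                alerts.append({"source": src, "failures": j - i + 1,
                               "start": times[i], "end": end, "success_at": hit})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_admin_spray(SAMPLE_EVENTS.splitlines()):
        print(a)
```

On Windows XP and Server 2003, the era of this variant, the equivalent events are 529 (failed logon) and 528 (successful logon), so the ID constants need swapping there. An alert whose `success_at` is set means a password from the list above worked; the preventive control is simply to audit local Administrator accounts against that list, since every password the virus knows is printed on this page.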

Information stealing

The following information is collected:

  • volume serial number
  • CPU information
  • operating system version
  • Internet Explorer version
  • installed antivirus software

The virus attempts to send gathered information to a remote machine.


The virus contains a list of URLs and communicates with them over HTTP.

Other information

The virus can download and execute a file from the Internet.


The file is stored in one of the following locations:

  • %temp%\­%variable%
  • %windir%\­AppPatch\­AcPlugin.dll

The virus can modify the following file:

  • %system%\drivers\RsBoot.sys

The virus disables various security-related applications.


The virus terminates processes whose path contains any of the following strings (many of these names belong to other malware families rather than to security products):

  • sxs.exe
  • lying.exe
  • logo1_.exe
  • logo_1.exe
  • fuckjacks.exe
  • spoclsv.exe
  • nvscv32.exe
  • svch0st.exe
  • c0nime.exe
  • iexpl0re.exe
  • ssopure.exe
  • upxdnd.exe
  • wdfmgr32.exe
  • spo0lsv.exe
  • ncscv32.exe
  • ctmontv.exe
  • svhost32.exe
  • rundl132.exe
  • msvce32.exe
  • rpcs.exe
  • sysbmw.exe
  • tempicon.exe
  • sysload3.exe
  • run1132.exe
  • msdccrt.exe
  • wsvbs.exe
  • cmdbcs.exe
  • \com\lsass.exe
  • \com\smss.exe
  • \winnt\iexplore.exe
  • \system\internat.exe
  • \winnt\realschd.exe
  • \windows\iexplore.exe
  • \windows\realschd.exe
  • \program files\explorer.exe

The virus hooks the following functions in the Windows kernel (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe or ntkrpamp.exe, whichever kernel image the system boots):

  • ZwLoadDriver
  • ZwEnumerateKey
  • ZwClose
  • ZwQueryDirectoryFile
  • ZwSaveKey
  • ZwDeleteKey
  • ZwDeleteValueKey

Hooks on ZwQueryDirectoryFile and ZwEnumerateKey are the usual means of hiding files and registry keys from enumeration, and a ZwLoadDriver hook lets the code interfere with drivers being loaded. The file and registry indicators listed above may therefore not be visible from within a running infected system and are best checked from offline media or with a cross-view tool.
