Win32/Alman [Threat Name]

Win32/Alman.NAD [Threat Variant Name]

Category virus
Size 36352 B
Detection created Oct 24, 2007
Signature database version 2613
Aliases Virus.Win32.Alman.b (Kaspersky)
  W32.Almanahe.B!inf (Symantec)
  W32/Almanahe.c (McAfee)
Short description

Win32/Alman.NAD is a polymorphic file infector. It uses techniques common to rootkits.

Installation

When executed, the virus drops the following file into the %windir% folder:

  • linkinfo.dll (53248 B)

The following files are dropped into the %system%\drivers folder:

  • cdralw.sys (15872 B)
  • IsDrv122.sys (15872 B)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable%]
    • "DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
    • "ImagePath" = "%system%\drivers\%variable%.sys"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%variable%]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%variable%\0000]
    • "Service" = "%variable%"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "%variable%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%variable%\0000\Control]
    • "NewlyCreated" = 0
    • "ActiveService" = "%variable%"

The %variable% is one of the following strings:

  • nvmini
  • cdralw
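The service and driver indicators above are what a responder would look for on a suspect host. As an added example for defenders (not part of the ESET description and not the virus's own code), the Python below parses a `reg export` dump of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and flags any service whose name is nvmini or cdralw, whose ImagePath points at a driver file with one of those names, or whose DisplayName is the fake "NVIDIA Compatible Windows Miniport Driver" string. The sample export is constructed; the `_encode_hex2` helper exists only to build that fixture in the hex(2) form `reg export` uses for REG_EXPAND_SZ values.

```python
import re

# Indicators copied from the description above; they serve as a defender's checklist.
DROPPED_DRIVER_NAMES = {"nvmini", "cdralw"}
DROPPED_DISPLAY_NAME = "NVIDIA Compatible Windows Miniport Driver"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _decode_hex2(hex_text):
    """Decode a hex(2) (REG_EXPAND_SZ, UTF-16LE) byte list into a Python string."""
    raw = bytes(int(b, 16) for b in hex_text.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\0")


def parse_reg_export(text):
    """Parse a 'reg export' (.reg, version 5) dump into {key_path: {value_name: data}}.
    Handles quoted REG_SZ, dword: and hex(2): values, including hex line continuations."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation line of a hex(2) value
            cont = line.endswith("\\")
            pending[1].append(line[:-1] if cont else line)
            if not cont:
                keys[current][pending[0]] = _decode_hex2("".join(pending[1]))
                pending = None
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith("hex(2):"):
            body = data[len("hex(2):"):]
            if body.endswith("\\"):
                pending = (name, [body[:-1]])
            else:
                keys[current][name] = _decode_hex2(body)
    return keys


def find_dropped_driver_services(reg_text):
    """Return [(service_name, [reasons])] for services under
    HKLM\\SYSTEM\\CurrentControlSet\\Services that match the indicators above."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        parts = key.split("\\")
        if len(parts) != 5 or parts[3].lower() != "services":
            continue                                  # only direct children of ...\Services
        svc = parts[4]
        image = str(values.get("ImagePath", "")).replace("/", "\\")
        base = image.rsplit("\\", 1)[-1].lower()
        base = base[:-4] if base.endswith(".sys") else base
        reasons = []
        if svc.lower() in DROPPED_DRIVER_NAMES:
            reasons.append("service name is a dropped driver name")
        if base in DROPPED_DRIVER_NAMES:
            reasons.append("ImagePath points at a dropped driver file")
        if values.get("DisplayName") == DROPPED_DISPLAY_NAME:
            reasons.append("DisplayName matches the fake NVIDIA driver")
        if reasons:
            hits.append((svc, reasons))
    return hits


def _encode_hex2(s, per_line=12):
    """Fixture helper: encode a string as a .reg hex(2) byte list with line continuations."""
    pairs = ["%02x" % b for b in (s + "\0").encode("utf-16-le")]
    lines = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return ",\\\n  ".join(lines)


# Constructed sample export: one service shaped like the description, one benign driver.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\nvmini]",
    '"DisplayName"="NVIDIA Compatible Windows Miniport Driver"',
    '"ImagePath"=hex(2):' + _encode_hex2("\\SystemRoot\\system32\\drivers\\nvmini.sys"),
    '"Type"=dword:00000001',
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Beep]",
    '"DisplayName"="Beep"',
    '"ImagePath"="System32\\\\drivers\\\\beep.sys"',
    '"Type"=dword:00000001',
])

if __name__ == "__main__":
    for svc, reasons in find_dropped_driver_services(SAMPLE_REG):
        print(svc, "->", "; ".join(reasons))
```

On a live system the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (the file is UTF-16 with a BOM, so open it with `encoding="utf-16"`). A match on the display name alone deserves a look at the signer of the referenced driver file, since the page gives that string as the disguise the dropped service uses.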

Executable file infection

Win32/Alman.NAD is a polymorphic file infector.

The virus infects executable files.

The virus searches local drives for files with the following file extensions:

  • .exe

It avoids files which contain any of the following strings in their path:

  • LOCAL SETTINGS\TEMP\
  • \QQ
  • \WINDOWS\
  • \WINNT\

It avoids files with the following filenames:

  • asktao.exe
  • au_unins_web.exe
  • audition.exe
  • autoupdate.exe
  • ca.exe
  • cabal.exe
  • cabalmain.exe
  • cabalmain9x.exe
  • config.exe
  • dbfsupdate.exe
  • dk2.exe
  • dragonraja.exe
  • flyff.exe
  • game.exe
  • gc.exe
  • hs.exe
  • kartrider.exe
  • main.exe
  • maplestory.exe
  • meteor.exe
  • mhclient-connect.exe
  • mjonline.exe
  • mts.exe
  • nbt-dragonraja2006.exe
  • neuz.exe
  • nmcosrv.exe
  • nmservice.exe
  • nsstarter.exe
  • patcher.exe
  • patchupdate.exe
  • sealspeed.exe
  • trojankiller.exe
  • userpic.exe
  • wb-service.exe
  • woool.exe
  • wooolcfg.exe
  • xlqy2.exe
  • xy2.exe
  • xy2player.exe
  • zfs.exe
  • ztconfig.exe
  • zuonline.exe
  • launcher.exe
  • repair.exe
  • wow.exe
  • zhengtu.exe
  • 大话西游.exe

Executables are infected by appending the code of the virus to the last section.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

The size of the inserted code is 36352 B.
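The infection pattern just described (virus body appended to the last section, entry point redirected so the virus runs first) leaves a shape that a triage script can look for. The following is an added example, not code from the ESET page: a small pure-Python PE parser plus a heuristic that reports an entry point inside the last section, a last section that is both writable and executable, and an executable last section without the code flag. The two images are constructed fixtures built by `build_pe32`; the appended region uses the 36352 B figure from the description. The heuristic is a generic triage signal for appended-code infectors, not a signature for this variant.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):                                 # 40-byte section headers
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "chars": chars})
    return entry_rva, sections


def appended_code_indicators(data):
    """Heuristic signs of an appended-code infection: returns a list of findings,
    empty when the image shows none of them."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    last, findings, entry_sec = sections[-1], [], None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            entry_sec = s
    if entry_sec is None:
        findings.append("entry point outside every section")
    elif entry_sec is last and len(sections) > 1:
        findings.append("entry point lies in the last section")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section is both writable and executable")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and not last["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("last section is executable but not flagged as code")
    return findings


def build_pe32(sections, entry_rva):
    """Constructed test fixture (not a real program): a minimal PE32 image from
    [(name, vaddr, size, characteristics)] with 0x200 file alignment."""
    e_lfanew, opt_size = 0x40, 224
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF
    first_raw = raw_ptr
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs, body = b"", b""
    for name, vaddr, size, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, vaddr, size,
                            raw_ptr, 0, 0, 0, 0, chars)
        body += b"\xCC" * size
        raw_ptr += size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return image + b"\0" * (first_raw - len(image)) + body


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
INSERTED = 36352   # size of the inserted code as given in the description

CLEAN = build_pe32([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA)], 0x1000)
# Same layout after the described pattern: last section grown by the virus body,
# made executable, entry point moved to the start of the appended region.
INFECTED = build_pe32([(b".text", 0x1000, 0x200, CODE),
                       (b".data", 0x2000, 0x200 + INSERTED, DATA | IMAGE_SCN_MEM_EXECUTE)],
                      0x2000 + 0x200)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, appended_code_indicators(img) or "no indicators")
```

For a real file, read it with `open(path, "rb").read()` and pass the bytes to `appended_code_indicators`. Packed and self-extracting executables legitimately trip the same checks, so a hit should lead to a hash lookup or a scan rather than a verdict.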

Spreading via shared folders

The virus searches for network drives.

It tries to copy itself into the root folder of the C:\ drive on a remote machine using the following name:

  • setup.exe

The file is then remotely executed.

The following usernames are used:

  • Administrator

The following passwords are used:

  • admin
  • 1
  • 111
  • 123
  • aaa
  • 12345
  • 123456789
  • 654321
  • !@#$
  • asdf
  • asdfgh
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • !@#$%^&*(
  • !@#$%^&*()
  • qwer
  • admin123
  • love
  • test123
  • owner
  • mypass123
  • root
  • letmein
  • qwerty
  • abc123
  • password
  • monkey
  • password1
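Spreading as described above shows up on the target as a burst of failed network logons for the Administrator account from a single source, followed by a success when one of the weak passwords matches. The following is an added example, not from the ESET page: Python detection logic run over constructed, simplified Security-log lines. The line format is an assumption of this example, not real Windows event text; the event IDs (4625 failed logon, 4624 successful logon) and logon type 3 for network logons are the standard Windows Security-log meanings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log lines (not real Windows event text).
SAMPLE_LOG = """\
2007-10-24T09:15:01 host=FILESRV01 event=4625 user=Administrator src=192.0.2.10 logon_type=3
2007-10-24T09:15:02 host=FILESRV01 event=4625 user=Administrator src=192.0.2.10 logon_type=3
2007-10-24T09:15:02 host=FILESRV01 event=4625 user=Administrator src=192.0.2.10 logon_type=3
2007-10-24T09:15:03 host=FILESRV01 event=4625 user=Administrator src=192.0.2.10 logon_type=3
2007-10-24T09:15:03 host=FILESRV01 event=4624 user=jsmith src=192.0.2.50 logon_type=3
2007-10-24T09:15:04 host=FILESRV01 event=4625 user=Administrator src=192.0.2.10 logon_type=3
2007-10-24T09:15:05 host=FILESRV01 event=4625 user=Administrator src=192.0.2.10 logon_type=3
2007-10-24T09:15:06 host=FILESRV01 event=4624 user=Administrator src=192.0.2.10 logon_type=3
2007-10-24T09:20:00 host=FILESRV01 event=4625 user=Administrator src=192.0.2.77 logon_type=3
2007-10-24T09:20:09 host=FILESRV01 event=4625 user=Administrator src=192.0.2.77 logon_type=3
2007-10-24T09:30:00 host=WS-22 event=4625 user=Administrator src=192.0.2.10 logon_type=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+) logon_type=(?P<lt>\d+)$")


def parse_events(text):
    """Parse the sample format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["event"], e["lt"] = int(e["event"]), int(e["lt"])
            events.append(e)
    return events


def detect_share_logon_bruteforce(text, threshold=5, window=timedelta(minutes=2)):
    """Flag (source, account) pairs with >= threshold failed network logons inside the
    window, and any later successful network logon by the same pair. Interactive
    logons (type 2) are ignored because share-based spreading uses network logons."""
    failures = defaultdict(list)
    flagged, alerts = set(), []
    for e in sorted(parse_events(text), key=lambda ev: ev["ts"]):
        if e["lt"] != 3:
            continue
        key = (e["src"], e["user"])
        if e["event"] == 4625:
            recent = [t for t in failures[key] if e["ts"] - t <= window] + [e["ts"]]
            failures[key] = recent
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "bruteforce", "host": e["host"], "src": e["src"],
                               "user": e["user"], "failures": len(recent), "at": e["ts"]})
        elif e["event"] == 4624 and key in flagged:
            alerts.append({"type": "success_after_bruteforce", "host": e["host"],
                           "src": e["src"], "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_share_logon_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a success for the same source and account right after a failure burst means the password list found a match, and the next things to check on that host are a new setup.exe in the root of C:\ and the service and driver indicators listed under Installation.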

Other information

The following programs are terminated:

  • c0nime.exe
  • cmdbcs.exe
  • ctmontv.exe
  • explorer.exe
  • fuckjacks.exe
  • iexpl0re.exe
  • iexplore.exe
  • internat.exe
  • logo_1.exe
  • logo1_.exe
  • lsass.exe
  • lying.exe
  • msdccrt.exe
  • msvce32.exe
  • ncscv32.exe
  • nvscv32.exe
  • realschd.exe
  • rpcs.exe
  • run1132.exe
  • rundl132.exe
  • smss.exe
  • spo0lsv.exe
  • spoclsv.exe
  • ssopure.exe
  • svhost32.exe
  • svch0st.exe
  • sxs.exe
  • sysbmw.exe
  • sysload3.exe
  • tempicon.exe
  • upxdnd.exe
  • wdfmgr32.exe
  • wsvbs.exe

Then the virus deletes these files.

The virus may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Google]

The virus may turn off the computer.

The virus can download and execute a file from the Internet. The virus contains a URL.
