Win32/Alman [Threat Name]

Win32/Alman.NAE [Threat Variant Name]

Category: virus
Detection created: Apr 03, 2010
Signature database version: 4996
Aliases: Trojan-Dropper.Win32.Agent.dlo (Kaspersky)
  Trojan:Win32/Almanahe.B.dll (Microsoft)
  W32.Almanahe.B!inf (Symantec)
  Win32.Alman.C (BitDefender)

Short description

Win32/Alman.NAE is a file infector. It uses techniques common to rootkits.

Installation

When executed, the virus creates the following files:

  • %windir%\linkinfo.dll (53248 B, Win32/Alman.NAD)
  • %windir%\drivers\IsDrv122.sys (15872 B, Win32/Alman.NAD)
  • %windir%\drivers\cdralw.sys (15872 B, Win32/Alman.NAD)

The library linkinfo.dll is loaded and injected into the following process:

  • explorer.exe

The virus may create the following files:

  • %windir%\AppPatch\AcPlugin.dll

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000]
    • "Service" = "cdralw"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "DeviceDesc" = "cdralw"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "cdralw"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdralw]
    • "Type" = 1
    • "Start" = 2
    • "ErrorControl" = 0
    • "ImagePath" = "system32\DRIVERS\nvmini.sys"
    • "DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
    • "Tag" = 7
    • "Group" = "Pointer Port"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdralw\Enum]
    • "0" = "Root\\LEGACY_CDRALW\\0000"
    • "Count" = 1
    • "NextInstance" = 1
    • "INITSTARTFAILED" = 1

Executable file infection

Win32/Alman.NAE is a file infector.

The virus searches local and network drives for files with one of the following extensions:

  • *.exe

Executables are infected by appending the code of the virus to the last section.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

It avoids files whose path contains any of the following strings:

  • \QQ
  • \WINNT\
  • \WINDOWS\
  • \LOCAL SETTINGS\TEMP\

Files with the following names are not infected:

  • zhengtu.exe
  • audition.exe
  • kartrider.exe
  • nmservice.exe
  • ca.exe
  • nmcosrv.exe
  • nsstarter.exe
  • maplestory.exe
  • neuz.exe
  • zfs.exe
  • gc.exe
  • mts.exe
  • hs.exe
  • mhclient-connect.exe
  • dragonraja.exe
  • nbt-dragonraja2006.exe
  • wb-service.exe
  • game.exe
  • xlqy2.exe
  • sealspeed.exe
  • asktao.exe
  • dbfsupdate.exe
  • autoupdate.exe
  • dk2.exe
  • main.exe
  • userpic.exe
  • zuonline.exe
  • config.exe
  • mjonline.exe
  • patcher.exe
  • meteor.exe
  • cabalmain.exe
  • cabalmain9x.exe
  • cabal.exe
  • au_unins_web.exe
  • 大话西游.exe
  • xy2.exe
  • flyff.exe
  • xy2player.exe
  • trojankiller.exe
  • patchupdate.exe
  • ztconfig.exe
  • woool.exe
  • wooolcfg.exe
  • wow.exe
  • repair.exe
  • launcher.exe

Spreading via shared folders

The virus searches for computers on the local network.
It tries to copy itself into the root folder of the C:\ drive on a remote machine using the following name:

  • setup.exe

The file is then remotely executed.

The following usernames are used:

  • Administrator

The following passwords are used:

  • admin
  • 1
  • 111
  • 123
  • aaa
  • 12345
  • 123456789
  • 654321
  • !@#$
  • asdf
  • asdfgh
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • !@#$%^&*(
  • !@#$%^&*()
  • qwer
  • admin123
  • love
  • test123
  • owner
  • mypass123
  • root
  • letmein
  • qwerty
  • abc123
  • password
  • monkey
  • password1

Other information

The virus collects the following information:

  • operating system version
  • Internet Explorer version
  • installed antivirus software

The virus can send the collected information to a remote machine over HTTP.

The virus can download and execute a file from the Internet.

The file is stored in the following location:

  • %windir%\AppPatch\AcPlugin.dll

The virus disables various security-related applications.

The following programs are terminated:

  • sxs.exe
  • lying.exe
  • logo1_.exe
  • logo_1.exe
  • fuckjacks.exe
  • spoclsv.exe
  • nvscv32.exe
  • svch0st.exe
  • c0nime.exe
  • iexpl0re.exe
  • ssopure.exe
  • upxdnd.exe
  • wdfmgr32.exe
  • spo0lsv.exe
  • ncscv32.exe
  • iexplore.exe
  • iexpl0re.exe
  • ctmontv.exe
  • explorer.exe
  • internat.exe
  • lsass.exe
  • smss.exe
  • svhost32.exe
  • rundl132.exe
  • msvce32.exe
  • rpcs.exe
  • sysbmw.exe
  • tempicon.exe
  • sysload3.exe
  • run1132.exe
  • msdccrt.exe
  • wsvbs.exe
  • cmdbcs.exe
  • realschd.exe

The virus can modify the following file:

  • %windir%\system32\drivers\RsBoot.sys

The virus hooks the following Windows kernel APIs (the kernel images in which they are hooked are given in parentheses):

  • ZwLoadDriver (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
  • ZwEnumerateKey (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
  • ZwClose (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
  • ZwQueryDirectoryFile (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
  • ZwSaveKey (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
  • ZwDeleteKey (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
  • ZwDeleteValueKey (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
