Virus: W32/Almanahe.B
Date discovered: 14/06/2007
Type: File infector
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Medium to high
Damage potential: Medium to high
Static file: No
IVDF version: 6.39.00.12 - Thursday, June 14, 2007

General method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.Almanahe.B
   •  Mcafee: W32/Almanahe.c virus
   •  Kaspersky: Virus.Win32.Alman.b
   •  TrendMicro: PE_CORELINK.C-1
   •  F-Secure: Virus.Win32.Alman.b
   •  Sophos: W32/Alman-C
   •  Panda: W32/Almanahe.C
   •  Grisoft: Win32/Alman
   •  VirusBuster: Win32.Alman.B
   •  Eset: Win32/Alman.NAB virus
   •  Bitdefender: Win32.Almanahe.D


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Makes use of software vulnerability

Files:
The following files are created:

%WINDIR%\linkinfo.dll - Further investigation showed that this file is also malware. Detected as: W32/Rectix.A

%SYSDIR%\drivers\IsDrv118.sys - Further investigation showed that this file is also malware. Detected as: Rkit/Agent.GA

%SYSDIR%\drivers\nvmini.sys - Further investigation showed that this file is also malware. Detected as: Rkit/Agent.GA

File infection method:

This direct-action infector actively searches for files.

Network infection:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.


It uses the following login information in order to gain access to the remote machine:

– The following username:
   • Administrator

– The following list of passwords:
   • admin; aaa; !@; $; asdf; asdfgh; !@; $%; !@; $%^; !@; $%^&; !@; $%^&*;
      !@; $%^&*(; !@; $%^&*(); qwer; admin123; love; test123; owner;
      mypass123; root; letmein; qwerty; abc123; password; monkey; password1;
      1; 111; 123; 12345; 654321; 123456789


Process termination:
List of processes that are terminated:
   • c0nime.exe; cmdbcs.exe; ctmontv.exe; explorer.exe; fuckjacks.exe;
      iexpl0re.exe; iexpl0re.exe; iexplore.exe; internat.exe; logo_1.exe;
      logo1_.exe; lsass.exe; lying.exe; msdccrt.exe; msvce32.exe;
      ncscv32.exe; nvscv32.exe; realschd.exe; rpcs.exe; run1132.exe;
      rundl132.exe; smss.exe; spo0lsv.exe; spoclsv.exe; ssopure.exe;
      svch0st.exe; svhost32.exe; sxs.exe; sysbmw.exe; sysload3.exe;
      tempicon.exe; upxdnd.exe; wdfmgr32.exe; wsvbs.exe


Injection:
It injects the following file into a process: linkinfo.dll

– Process name:
   • explorer.exe


Rootkit technology:
Hides the following:

– The following files:
   • autorun.inf
   • boot.exe
   • linkinfo.dll
   • nvmini.sys

– Registry keys that contain the following substring:
   • nvmini

Description inserted by Thomas Wegele on Tuesday, October 14, 2008
Description updated by Thomas Wegele on Tuesday, October 14, 2008
