Virus:W32/Alman.BB
Date discovered:28/12/2007
Type:File infector
In the wild:No
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Medium to high
Static file:No
IVDF version:7.00.01.173 - Friday, December 28, 2007

General Methods of propagation:
   • Infects files
   • Local network


Aliases:
   •  Symantec: W32.Almanahe.B
   •  Kaspersky: Virus.Win32.Alman.b
   •  F-Secure: Virus.Win32.Alman.b
   •  Sophos: W32/Alman-C
   •  Bitdefender: Win32.Almanahe.D
   •  AVG: Win32/Alman
   •  Eset: Win32/Alman.NAB


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Infects files
   • Registry modification
   • Steals information

Files
It deletes the following files:
   • %SYSDIR%\dllcache\linkinfo.dll
   • %SYSDIR%\linkinfo.dll

Deleting the dllcache copy as well prevents Windows File Protection from restoring the original linkinfo.dll.



The following files are created:
   • %WINDIR%\linkinfo.dll
   • %SYSDIR%\drivers\RioDrvs.sys
   • %SYSDIR%\drivers\DKIS6.sys

File infection
Infector type:

Appender - The virus main code is added at the end of the infected file.


Stealth:
EPO (Entry Point Obscuring) - The infected file's EP (Entry Point) remains the same. The virus patches the program code to redirect execution to the viral code.


Self Modification:

Polymorphic - The entire virus code changes from one infection to another. The virus contains a polymorphic engine.
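The appender and EPO descriptions above translate into one cheap static check: an appender that redirects AddressOfEntryPoint into code it tacked onto the end of the image leaves the entry point in the last section, while an EPO infector keeps the original entry point and so is invisible to that check. The script below is an added example, not Avira's code or anything from the virus; it parses only the PE fields needed for the check and runs it over three header-only PE images constructed inline (section names, sizes and addresses are illustrative assumptions).

```python
import struct
import sys

PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes):
    """Return (entry_point_rva, sections) for a PE32/PE32+ image.

    sections is a list of (name, virtual_address, virtual_size, raw_size).
    Only the fields needed for the entry-point check are read.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, optional + 16)[0]
    table = optional + size_of_optional                   # section table
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, va, vsize, rsize))
    return entry_rva, sections


def section_containing(rva, sections):
    """Index of the section whose virtual range holds rva, or None."""
    for idx, (_name, va, vsize, rsize) in enumerate(sections):
        if va <= rva < va + max(vsize, rsize):
            return idx
    return None


def entry_point_verdict(data: bytes):
    """Return (suspicious, section_name, reason).

    An appending infector redirects AddressOfEntryPoint into code appended
    at the end of the image, so the entry point lands in the last section.
    An EPO infector leaves AddressOfEntryPoint alone and patches code inside
    the original section instead, so it passes this check unchanged.
    """
    entry_rva, sections = parse_pe(data)
    idx = section_containing(entry_rva, sections)
    if idx is None:
        return True, None, "entry point lies outside every section"
    name = sections[idx][0]
    if len(sections) > 1 and idx == len(sections) - 1:
        return True, name, f"entry point in last section {name} (appender pattern)"
    return False, name, f"entry point in section {name} (an EPO infection looks the same)"


def build_pe(entry_rva, sections):
    """Build a header-only PE32 image: constructed test input for this
    example, with no code in it and no relation to any file on the page."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0                               # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       size_of_optional, 0x102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)       # AddressOfEntryPoint
    table = b""
    for name, va, vsize, rsize in sections:
        table += (name.encode().ljust(8, b"\0")
                  + struct.pack("<III", vsize, va, rsize) + b"\0" * 20)
    return dos + PE_SIGNATURE + coff + bytes(optional) + table


# Three constructed layouts (name, virtual address, virtual size, raw size).
TEXT_DATA = [(".text", 0x1000, 0x2000, 0x2000), (".data", 0x3000, 0x1000, 0x1000)]
CLEAN = build_pe(0x1100, TEXT_DATA)
# Appender: last section grown to hold the virus body, entry point moved into it.
APPENDED = build_pe(0x4000, [TEXT_DATA[0], (".data", 0x3000, 0x1800, 0x1800)])
# EPO: same grown last section, but the original entry point is kept.
EPO = build_pe(0x1100, [TEXT_DATA[0], (".data", 0x3000, 0x1800, 0x1800)])

if __name__ == "__main__":
    samples = {"clean": CLEAN, "appended": APPENDED, "epo": EPO}
    if len(sys.argv) > 1:                                 # optionally check a real file
        with open(sys.argv[1], "rb") as fh:
            samples[sys.argv[1]] = fh.read()
    for label, image in samples.items():
        suspicious, _section, reason = entry_point_verdict(image)
        print(f"{label:10s} {'SUSPICIOUS' if suspicious else 'ok':10s} {reason}")
```

The EPO sample passes with the same verdict as the clean one, which is the point of the "Stealth" entry: once the entry point is left in place, the only static hint left is the grown last section, and a polymorphic body gives no fixed byte pattern to match there.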


Method:

This direct-action infector actively searches for files.


Ignores files that:

Contain any of the following strings in their name:
   • wooolcfg.exe; woool.exe; ztconfig.exe; patchupdate.exe;
      trojankiller.exe; xy2player.exe; flyff.exe; xy2.exe; .exe;
      au_unins_web.exe; cabal.exe; cabalmain9x.exe; cabalmain.exe;
      meteor.exe; patcher.exe; mjonline.exe; config.exe; zuonline.exe;
      userpic.exe; main.exe; dk2.exe; autoupdate.exe; dbfsupdate.exe;
      asktao.exe; sealspeed.exe; xlqy2.exe; game.exe; wb-service.exe;
      nbt-dragonraja2006.exe; dragonraja.exe; mhclient-connect.exe; hs.exe;
      mts.exe; gc.exe; zfs.exe; neuz.exe; maplestory.exe; nsstarter.exe;
      nmcosrv.exe; ca.exe; nmservice.exe; kartrider.exe; audition.exe;
      zhengtu.exe


The following files are infected:

By file type:
   • *.exe

Registry
The following registry key is added so that the dropped driver is loaded as a service after reboot:

HKLM\SYSTEM\CurrentControlSet\Services\RioDrvs
   • "ImagePath"="%SYSDIR%\drivers\RioDrvs.sys"
   • "DisplayName"="RioDrvs Usb Driver"

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops a copy of itself to the following network share:
   • C$\Ins.exe


It uses the following login information in order to gain access to the remote machine:

The following username:
   • Administrator

The following list of passwords:
   • zxcv; qazwsx; qaz; qwer; !@; $%^&*(); !@; $%^&*(; !@; $%^&*; !@; $%^&;
      !@; $%^; !@; $%; asdfgh; asdf; !@; $; 654321; 123456; 12345; 1234;
      123; 111; 1; admin
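Seen from the victim, the propagation above is a short burst of wrong Administrator passwords from one source, one correct one, and then a write to the C$ share. The detector below is an added example, not Avira's code and not something the page describes; it runs that logic over a handful of constructed Security-log lines (the key=value rendering of events 4625, 4624 and 5140, and the addresses and timestamps, are assumptions made for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not taken from the page or from any real host.
# One line per Windows Security event in an assumed key=value rendering:
# 4625 = logon failure, 4624 = logon success, 5140 = network share accessed.
SAMPLE_LOG = r"""
2007-12-28T10:00:01 id=4625 src=10.0.0.5 user=Administrator
2007-12-28T10:00:01 id=4625 src=10.0.0.5 user=Administrator
2007-12-28T10:00:02 id=4625 src=10.0.0.5 user=Administrator
2007-12-28T10:00:02 id=4625 src=10.0.0.5 user=Administrator
2007-12-28T10:00:03 id=4625 src=10.0.0.5 user=Administrator
2007-12-28T10:00:03 id=4625 src=10.0.0.5 user=Administrator
2007-12-28T10:00:04 id=4624 src=10.0.0.5 user=Administrator
2007-12-28T10:00:05 id=5140 src=10.0.0.5 user=Administrator share=\\*\C$
2007-12-28T10:03:00 id=4625 src=10.0.0.9 user=Administrator
2007-12-28T10:03:20 id=4625 src=10.0.0.9 user=Administrator
2007-12-28T10:03:30 id=4624 src=10.0.0.9 user=Administrator
2007-12-28T10:03:40 id=5140 src=10.0.0.9 user=Administrator share=\\*\C$
2007-12-28T10:05:00 id=4624 src=10.0.0.7 user=Administrator
2007-12-28T10:05:10 id=5140 src=10.0.0.7 user=Administrator share=\\*\ADMIN$
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\d+) src=(?P<src>\S+) user=(?P<user>\S+)"
    r"(?: share=(?P<share>\S+))?$"
)
# Administrative shares: a drive-letter share such as C$, or ADMIN$.
ADMIN_SHARE_RE = re.compile(r"\\(?:[A-Za-z]\$|ADMIN\$)$", re.IGNORECASE)


def parse_events(text):
    """Parse the sample format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed line: {line!r}")
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": int(m["id"]),
            "src": m["src"],
            "user": m["user"],
            "share": m["share"],
        })
    events.sort(key=lambda e: e["ts"])      # stable sort: ties keep file order
    return events


def detect_admin_share_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source that fails >= threshold Administrator logons within
    `window`, then logs on successfully and opens an administrative share.

    Returns one alert dict per offending source. A single successful admin
    logon followed by a C$ access (normal administration) is not enough on
    its own; the failure burst is what distinguishes password guessing."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    stage = {}                     # src -> "guessing" | "logged_on"
    alerts = []
    for ev in events:
        if ev["user"].lower() != "administrator":
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["id"] == 4625:
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold:
                stage[src] = "guessing"
        elif ev["id"] == 4624 and stage.get(src) == "guessing":
            stage[src] = "logged_on"
        elif ev["id"] == 5140 and stage.get(src) == "logged_on":
            share = ev["share"] or ""
            if ADMIN_SHARE_RE.search(share):
                alerts.append({
                    "src": src,
                    "failures": len(failures[src]),
                    "share": share,
                    "ts": ts.isoformat(),
                })
                stage.pop(src)       # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_share_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"{alert['ts']} {alert['src']}: {alert['failures']} failed "
              f"Administrator logons, then access to {alert['share']}")
```

Only 10.0.0.5 is reported: 10.0.0.9 made two wrong guesses, which is below the threshold, and 10.0.0.7 logged on cleanly, which is what a real administrator does. The threshold of five is comfortably below the 28 entries in the password list above, so even a host whose password is early in that list still crosses it before the copy to C$ succeeds only if at least five earlier guesses failed; lower the threshold or alert on the 5140 write of a new .exe to C$ if that gap matters in your environment.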


Process termination
It tries to terminate the following processes and delete the corresponding files. The list mixes genuine Windows processes (smss.exe, lsass.exe, explorer.exe, iexplore.exe) with look-alike names used by other malware (for example svch0st.exe, spo0lsv.exe, iexpl0re.exe, rundl132.exe):
   • realschd.exe; cmdbcs.exe; wsvbs.exe; msdccrt.exe; run1132.exe;
      sysload3.exe; tempicon.exe; sysbmw.exe; rpcs.exe; msvce32.exe;
      rundl132.exe; svhost32.exe; smss.exe; lsass.exe; internat.exe;
      explorer.exe; ctmontv.exe; iexplore.exe; ncscv32.exe; spo0lsv.exe;
      wdfmgr32.exe; upxdnd.exe; ssopure.exe; iexpl0re.exe; c0nime.exe;
      svch0st.exe; nvscv32.exe; spoclsv.exe; f*ckjacks.exe; logo_1.exe;
      logo1_.exe; lying.exe; sxs.exe


Injection
It injects itself into a process.

    Process name:
   • iexplore.exe


Miscellaneous
Accesses internet resources:
   • http://tj.**********rldwide.com/co.asp?action=post&HD=%unknown%&OT=%unknown%&IV=%unknown%&AV=%unknown%
   • http://soft.**********rldwide.com/z.dat


Mutex:
It creates the following Mutex:
   • __DL_CORE_MUTEX__

Description inserted by Razvan Olteanu on Thursday, December 2, 2010
Description updated by Andrei Gherman on Monday, February 7, 2011
