
Virus:W32/Alman.B


Aliases:


Virus.Win32.Alman.b
Win32.almanahe.b
Alman.b

Category: Malware
Type: Net-Worm, Rootkit
Platform: W32

Summary

A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.



Disinfection & Removal


Manual Network Disinfection

Alman.B is a network virus/worm with rootkit features, so it requires specific disinfection instructions:

  • Stop all network sharing or completely disconnect from the network
  • Set disinfection action for real-time scanner to "Disinfect Automatically"
  • Perform a full computer scan with F-Secure Anti-Virus
  • Select "Disinfect" action for all infected files
  • Files that cannot be disinfected should be quarantined or deleted (select the appropriate action manually)
  • Files dropped by the virus: "linkinfo.dll", "nvmini.sys" and "IsDrv118.sys" should be deleted or quarantined
  • Broken infected files should be restored from a backup
  • After disinfection, restart the computer
  • After restart perform a full scan again to make sure that no infection is left
  • Enable sharing or reconnect the network ONLY after ALL computers are disinfected, otherwise a single infected workstation can re-infect the whole network
  • Make sure that all network shares have strong passwords
  • After disinfection set the default disinfection action for real-time scanner to "Ask After Scan" if needed


Technical Details

Virus:W32/Alman.B infects all executable files in the system. The virus propagates over a network. It also has rootkit capabilities.

An earlier variant of this virus, Virus:W32/Alman.A, is also in the wild.

Variants of this family may be detected by the Generic Detection, Virus:W32/Alman.gen!A.


Infection

The virus infects EXE files that are not protected by Windows System File Check on local, removable, and remote drives. The virus does not infect files with these names:

  • asktao.exe
  • au_unins_web.exe
  • audition.exe
  • autoupdate.exe
  • ca.exe
  • cabal.exe
  • cabalmain.exe
  • cabalmain9x.exe
  • config.exe
  • dbfsupdate.exe
  • dk2.exe
  • dragonraja.exe
  • flyff.exe
  • game.exe
  • gc.exe
  • hs.exe
  • kartrider.exe
  • main.exe
  • maplestory.exe
  • meteor.exe
  • mhclient-connect.exe
  • mjonline.exe
  • mts.exe
  • nbt-dragonraja2006.exe
  • neuz.exe
  • nmcosrv.exe
  • nmservice.exe
  • nsstarter.exe
  • patcher.exe
  • patchupdate.exe
  • sealspeed.exe
  • trojankiller.exe
  • userpic.exe
  • wb-service.exe
  • woool.exe
  • wooolcfg.exe
  • xlqy2.exe
  • xy2.exe
  • xy2player.exe
  • zfs.exe
  • zhengtu.exe
  • ztconfig.exe
  • zuonline.exe

The virus also doesn't infect files located in the following folders:

  • \LOCAL SETTINGS\TEMP\
  • \QQ
  • \WINDOWS\
  • \WINNT\

Payload

After the infected file is started, the virus decrypts its body and drops two files:

  • %WinDir%\linkinfo.dll
  • %WinSysDir%\drivers\IsDrv118.sys

The DLL is the main virus component. The SYS file is a rootkit component that hides certain files and Registry keys.

The dropped DLL file is injected into the Windows Explorer process and runs with system privileges.
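The removal steps above name the dropped files, and the Infection and Payload sections give their locations and the rules the virus applies when choosing files to infect. The following script is an added example written for this page, not F-Secure's tooling and not code from the virus: it checks a drive root for the dropped-file indicators and lists the executables the stated rules leave exposed, so they can be scanned first. It assumes %WinSysDir% is <windir>/system32, looks for nvmini.sys (given without a location) in both the Windows and drivers directories, and reads "\QQ" as a folder-name fragment; the sample tree it builds is constructed for the demonstration.

```python
"""Offline host triage for the W32/Alman.B indicators given in this description.

Added example: not F-Secure's tooling and not code from the virus. It encodes
only what the text states: the dropped files (linkinfo.dll, IsDrv118.sys,
nvmini.sys), the Setup.exe copy at the root of the system drive, and the
infection-exclusion rules. All paths are relative to a root directory you pass
in, so it can be run against a mounted disk image or the constructed tree below.
"""
import os
import tempfile
from pathlib import Path


def dropped_file_locations(windir="Windows"):
    """Indicator paths relative to the drive root.

    Assumptions: %WinSysDir% is <windir>/system32, and nvmini.sys (named in the
    removal steps without a location) is checked in both directories.
    """
    w = Path(windir)
    drivers = w / "system32" / "drivers"
    return [
        w / "linkinfo.dll",        # main virus component (DLL)
        drivers / "IsDrv118.sys",  # rootkit driver
        w / "nvmini.sys",
        drivers / "nvmini.sys",
        Path("Setup.exe"),         # copy written to the drive root when spreading
    ]


def find_dropped_files(root, windir="Windows"):
    """Return the indicator paths (relative, POSIX separators) present under root."""
    root = Path(root)
    return [rel.as_posix() for rel in dropped_file_locations(windir)
            if (root / rel).is_file()]


# File names and folder fragments the description says the virus skips.
EXCLUDED_NAMES = set("""
asktao.exe au_unins_web.exe audition.exe autoupdate.exe ca.exe cabal.exe
cabalmain.exe cabalmain9x.exe config.exe dbfsupdate.exe dk2.exe dragonraja.exe
flyff.exe game.exe gc.exe hs.exe kartrider.exe main.exe maplestory.exe meteor.exe
mhclient-connect.exe mjonline.exe mts.exe nbt-dragonraja2006.exe neuz.exe
nmcosrv.exe nmservice.exe nsstarter.exe patcher.exe patchupdate.exe sealspeed.exe
trojankiller.exe userpic.exe wb-service.exe woool.exe wooolcfg.exe xlqy2.exe
xy2.exe xy2player.exe zfs.exe zhengtu.exe ztconfig.exe zuonline.exe
""".split())
EXCLUDED_FOLDERS = ("\\local settings\\temp\\", "\\qq", "\\windows\\", "\\winnt\\")


def is_infection_candidate(path):
    """True if the description's rules would allow this file to be infected.

    Whether a file is under Windows System File Check cannot be judged from its
    path, so protected EXEs outside the listed folders are still reported.
    """
    s = "\\" + str(path).replace("/", "\\").lower().lstrip("\\")
    folder, _, name = s.rpartition("\\")
    if not name.endswith(".exe") or name in EXCLUDED_NAMES:
        return False
    folder += "\\"
    return not any(fragment in folder for fragment in EXCLUDED_FOLDERS)


def exposed_executables(root):
    """List (relative, POSIX) every EXE under root that the rules leave exposed."""
    root = Path(root)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if is_infection_candidate(rel):
                found.append(rel)
    return sorted(found)


def build_sample_tree():
    """Constructed sample tree (not a real infection) for running this offline."""
    root = Path(tempfile.mkdtemp(prefix="alman_triage_"))
    for rel in (
        "Windows/linkinfo.dll",                     # indicator
        "Windows/system32/drivers/IsDrv118.sys",    # indicator
        "Setup.exe",                                # indicator at drive root
        "Windows/notepad.exe",                      # excluded folder
        "Program Files/Tencent/QQ/QQ.exe",          # excluded folder (\QQ)
        "Games/flyff.exe",                          # excluded name
        "Documents and Settings/u/Local Settings/Temp/tmp.exe",  # excluded folder
        "Program Files/Tool/tool.exe",              # exposed
    ):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")  # placeholder content, not an executable
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("Dropped-file indicators:", find_dropped_files(root))
    print("Exposed executables:", exposed_executables(root))
```

Run it against the root of the system drive (or a mounted image) instead of the sample tree to get the two lists; note that the rootkit driver hides files from the running system, so a scan from a clean boot medium is the reliable way to use the indicator check.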

The virus terminates the following processes:

  • c0nime.exe
  • cmdbcs.exe
  • ctmontv.exe
  • explorer.exe
  • fuckjacks.exe
  • iexpl0re.exe
  • iexplore.exe
  • internat.exe
  • logo_1.exe
  • logo1_.exe
  • lsass.exe
  • lying.exe
  • msdccrt.exe
  • msvce32.exe
  • ncscv32.exe
  • nvscv32.exe
  • realschd.exe
  • rpcs.exe
  • run1132.exe
  • rundl132.exe
  • smss.exe
  • spo0lsv.exe
  • spoclsv.exe
  • ssopure.exe
  • svch0st.exe
  • svhost32.exe
  • sxs.exe
  • sysbmw.exe
  • sysload3.exe
  • tempicon.exe
  • upxdnd.exe
  • wdfmgr32.exe
  • wsvbs.exe

If the files that belong to terminated processes are located in specific folders, they are deleted.


Propagation

To spread in a network the virus tries to connect to the IPC$ share with login "Administrator" and performs a dictionary attack on the admin password using these values:

  • admin
  • aaa
  • !@#$
  • asdf
  • asdfgh
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • !@#$%^&*(
  • !@#$%^&*()
  • qwer
  • admin123
  • love
  • test123
  • owner
  • mypass123
  • root
  • letmein
  • qwerty
  • abc123
  • password
  • monkey
  • password1
  • 1
  • 111
  • 123
  • 12345
  • 654321
  • 123456789

If the connection is successful, the virus copies itself to the root of the system drive as "Setup.exe" and starts the copied file as a service.
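The propagation method above leaves two things a defender can act on: the fixed list of passwords the virus tries, and the burst of failed "Administrator" logons it produces against each target before either giving up or succeeding. The script below is an added example written for this page, not F-Secure code: it checks a candidate password against the 30 values listed, and it flags sources whose failed Administrator logons reach a threshold inside a short window, marking those with a later success as hosts to triage for the Setup.exe copy and the new service. The log format, its sample lines, the threshold of 5 and the 60-second window are constructed assumptions for the demonstration; real Windows security events would be normalised to these fields first.

```python
"""Two defender-side checks for the Alman.B propagation method described above.

Added example; not F-Secure code. (1) A denylist check of a candidate password
against the 30 values the description says the virus tries, for use in a share
or local-administrator password review. (2) Detection of the dictionary
attack's footprint: a burst of failed network logons as "Administrator" from one
source, with a later success from the same source marking a host to triage.
"""
from datetime import datetime

# The 30 passwords listed in the description, kept verbatim (case-sensitive).
ALMAN_DICTIONARY = (
    "admin", "aaa", "!@#$", "asdf", "asdfgh", "!@#$%", "!@#$%^", "!@#$%^&",
    "!@#$%^&*", "!@#$%^&*(", "!@#$%^&*()", "qwer", "admin123", "love",
    "test123", "owner", "mypass123", "root", "letmein", "qwerty", "abc123",
    "password", "monkey", "password1", "1", "111", "123", "12345", "654321",
    "123456789",
)
_DICTIONARY_SET = frozenset(ALMAN_DICTIONARY)


def in_alman_dictionary(password):
    """True if the password is one the virus tries verbatim."""
    return password in _DICTIONARY_SET


# Constructed log (not real telemetry): "<ISO time> <result> <account> <source> <share>".
# 10.0.0.7 shows the worm's pattern: rapid failures, then a success.
# 10.0.0.22 shows two spaced-out failures, as an operator mistyping would.
SAMPLE_LOG = """\
2007-06-06T09:00:00 FAILURE Administrator 10.0.0.7 IPC$
2007-06-06T09:00:01 FAILURE Administrator 10.0.0.7 IPC$
2007-06-06T09:00:02 FAILURE Administrator 10.0.0.7 IPC$
2007-06-06T09:00:03 FAILURE Administrator 10.0.0.7 IPC$
2007-06-06T09:00:04 FAILURE Administrator 10.0.0.7 IPC$
2007-06-06T09:00:05 FAILURE Administrator 10.0.0.7 IPC$
2007-06-06T09:00:06 SUCCESS Administrator 10.0.0.7 IPC$
2007-06-06T09:03:00 FAILURE Administrator 10.0.0.22 IPC$
2007-06-06T09:05:10 FAILURE Administrator 10.0.0.22 IPC$
2007-06-06T09:05:20 SUCCESS Administrator 10.0.0.22 IPC$
"""


def parse_log(text):
    """Yield (time, result, account, source) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, result, account, source, _share = line.split()
        yield datetime.fromisoformat(stamp), result, account, source


def _max_within_window(times, window_seconds):
    """Largest number of events falling inside any span of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, account="Administrator", threshold=5, window_seconds=60):
    """One finding per source whose failed logons as `account` reach `threshold`
    inside `window_seconds`; `success_after_burst` marks a probable foothold."""
    failures, successes = {}, {}
    for t, result, acct, source in parse_log(log_text):
        if acct != account:
            continue
        bucket = failures if result == "FAILURE" else successes
        bucket.setdefault(source, []).append(t)
    findings = []
    for source, times in sorted(failures.items()):
        peak = _max_within_window(times, window_seconds)
        if peak < threshold:
            continue
        first_failure = min(times)
        findings.append({
            "source": source,
            "failures_in_window": peak,
            "success_after_burst": any(s > first_failure
                                       for s in successes.get(source, [])),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print(in_alman_dictionary("password1"), in_alman_dictionary("Tr0ub4dor&3"))
```

A source that trips the burst rule and then logs on successfully is the host to inspect first; per the description, expect a "Setup.exe" at the root of the system drive on the targeted machine and a service started from it. The denylist is a floor, not a policy: a password absent from these 30 values can still be weak, so use it alongside the length and complexity rules already in place for share and administrator accounts.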



Detection

F-Secure Anti-Virus detects this malware with the following updates:

Detection Type: PC
Database: 2007-06-06_03



Description Created: 2007-04-18 01:43:53.0
Description Last Modified: 2009-10-19 05:58:57.0


