Virus:W32/Alman.B infects all executable files in the system. The virus propagates over a network. It also has rootkit capabilities.
Alman.B is a network virus/worm with rootkit features, so it requires specific disinfection instructions:
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
An earlier variant of this virus, Virus:W32/Alman.A, is also in the wild.
Variants of this family may be detected by the Generic Detection, Virus:W32/Alman.gen!A.
The virus infects EXE files that are not protected by Windows System File Check on local, removable, and remote drives. The virus does not infect files with these names:
The virus also doesn't infect files located in the following folders:
After the infected file is started the virus decrypts its body and drops two files:
The DLL is the main virus component. The SYS file is a rootkit component that hides certain files and Registry keys.
The dropped DLL file is injected into Windows Explorer process and runs with system privileges.
The virus terminates the following processes:
If the files that belong to terminated processes are located in specific folders, they are deleted.
To spread in a network the virus tries to connect to the IPC$ share with login "Administrator" and performs a dictionary attack on the admin password using these values:
If connection is successful, the virus copies itself as "Setup.exe" file to the root of the system drive and starts the copied file as a service.
Ask questions in our Community .
Check the user guide for instructions.
Submit a Sample
Submit a file or URL for analysis.