Virus:W32/Alman.B infects all executable files in the system. The virus propagates over a network. It also has rootkit capabilities.
Manual Network Disinfection
Alman.B is a network virus/worm with rootkit features, so it requires specific disinfection instructions:
- Stop all network sharing or completely disconnect from the network
- Set disinfection action for real-time scanner to "Disinfect Automatically"
- Perform a full computer scan with F-Secure Anti-Virus
- Select "Disinfect" action for all infected files
- Files that can not be disinfected should be quarantined or deleted (select appropriate action manually)
- Files dropped by the virus: "linkinfo.dll", "nvmini.sys" and "IsDrv118.sys" should be deleted or quarantined
- Broken infected files should be restored from a backup
- After disinfection restart a computer
- After restart perform a full scan again to make sure that no infection is left
- Enable sharing or reconnect the network ONLY after ALL computers are disinfected, otherwise a single infected workstation can re-infect the whole network
- Make sure that all network shares have strong passwords
- After disinfection set the default disinfection action for real-time scanner to "Ask After Scan" if needed
An earlier variant of this virus, Virus:W32/Alman.A, is also in the wild.
Variants of this family may be detected by the Generic Detection, Virus:W32/Alman.gen!A.
The virus infects EXE files that are not protected by Windows System File Check on local, removable, and remote drives. The virus does not infect files with these names:
The virus also doesn't infect files located in the following folders:
- \LOCAL SETTINGS\TEMP\
After the infected file is started the virus decrypts its body and drops two files:
The DLL is the main virus component. The SYS file is a rootkit component that hides certain files and Registry keys.
The dropped DLL file is injected into Windows Explorer process and runs with system privileges.
The virus terminates the following processes:
If the files that belong to terminated processes are located in specific folders, they are deleted.
To spread in a network the virus tries to connect to the IPC$ share with login "Administrator" and performs a dictionary attack on the admin password using these values:
If connection is successful, the virus copies itself as "Setup.exe" file to the root of the system drive and starts the copied file as a service.
F-Secure Anti-Virus detects this malware with the following updates:
Detection Type: PC
Description Created: 2007-04-18 01:43:53.0
Description Last Modified: 2009-10-19 05:58:57.0