Virus:W32/Alman.B infects all executable files in the system. The virus propagates over a network. It also has rootkit capabilities.
Alman.B is a network virus/worm with rootkit features, so it requires specific disinfection instructions:
An earlier variant of this virus, Virus:W32/Alman.A, is also in the wild.
Variants of this family may be detected by the Generic Detection, Virus:W32/Alman.gen!A.
The virus infects EXE files that are not protected by Windows System File Check on local, removable, and remote drives. The virus does not infect files with these names:
The virus also doesn't infect files located in the following folders:
After the infected file is started the virus decrypts its body and drops two files:
The DLL is the main virus component. The SYS file is a rootkit component that hides certain files and Registry keys.
The dropped DLL file is injected into Windows Explorer process and runs with system privileges.
The virus terminates the following processes:
If the files that belong to terminated processes are located in specific folders, they are deleted.
To spread in a network the virus tries to connect to the IPC$ share with login "Administrator" and performs a dictionary attack on the admin password using these values:
If connection is successful, the virus copies itself as "Setup.exe" file to the root of the system drive and starts the copied file as a service.
F-Secure Anti-Virus detects this malware with the following updates:
Detection Type: PC
Description Created: 2007-04-18 01:43:53.0
Description Last Modified: 2009-10-19 05:58:57.0