Virus:W32/Alman.B

Classification

Category :

Malware

Type :

Virus

Aliases :

Virus.Win32.Alman.b, Win32.almanahe.b, Alman.b

Summary

Virus:W32/Alman.B infects all executable files in the system. The virus propagates over a network. It also has rootkit capabilities.

Removal

Manual Network Disinfection

Alman.B is a network virus/worm with rootkit features, so it requires specific disinfection instructions:

  • Stop all network sharing or completely disconnect from the network
  • Set disinfection action for real-time scanner to "Disinfect Automatically"
  • Perform a full computer scan with F-Secure Anti-Virus
  • Select "Disinfect" action for all infected files
  • Files that cannot be disinfected should be quarantined or deleted (select the appropriate action manually)
  • Files dropped by the virus: "linkinfo.dll", "nvmini.sys" and "IsDrv118.sys" should be deleted or quarantined
  • Broken infected files should be restored from a backup
  • After disinfection, restart the computer
  • After restart perform a full scan again to make sure that no infection is left
  • Enable sharing or reconnect the network ONLY after ALL computers are disinfected, otherwise a single infected workstation can re-infect the whole network
  • Make sure that all network shares have strong passwords
  • After disinfection set the default disinfection action for real-time scanner to "Ask After Scan" if needed

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

An earlier variant of this virus, Virus:W32/Alman.A, is also in the wild.

Variants of this family may be detected by the Generic Detection, Virus:W32/Alman.gen!A.

Infection

The virus infects EXE files that are not protected by Windows System File Check on local, removable, and remote drives. The virus does not infect files with these names:

  • asktao.exe
  • au_unins_web.exe
  • audition.exe
  • autoupdate.exe
  • ca.exe
  • cabal.exe
  • cabalmain.exe
  • cabalmain9x.exe
  • config.exe
  • dbfsupdate.exe
  • dk2.exe
  • dragonraja.exe
  • flyff.exe
  • game.exe
  • gc.exe
  • hs.exe
  • kartrider.exe
  • main.exe
  • maplestory.exe
  • meteor.exe
  • mhclient-connect.exe
  • mjonline.exe
  • mts.exe
  • nbt-dragonraja2006.exe
  • neuz.exe
  • nmcosrv.exe
  • nmservice.exe
  • nsstarter.exe
  • patcher.exe
  • patchupdate.exe
  • sealspeed.exe
  • trojankiller.exe
  • userpic.exe
  • wb-service.exe
  • woool.exe
  • wooolcfg.exe
  • xlqy2.exe
  • xy2.exe
  • xy2player.exe
  • zfs.exe
  • zhengtu.exe
  • ztconfig.exe
  • zuonline.exe

The virus also doesn't infect files located in the following folders:

  • \LOCAL SETTINGS\TEMP\
  • \QQ
  • \WINDOWS\
  • \WINNT\

Payload

After the infected file is started the virus decrypts its body and drops two files:

  • %WinDir%\linkinfo.dll
  • %WinSysDir%\drivers\IsDrv118.sys

The DLL is the main virus component. The SYS file is a rootkit component that hides certain files and Registry keys.

The dropped DLL file is injected into the Windows Explorer process and runs with system privileges.

The virus terminates the following processes:

  • c0nime.exe
  • cmdbcs.exe
  • ctmontv.exe
  • explorer.exe
  • fuckjacks.exe
  • iexpl0re.exe
  • iexplore.exe
  • internat.exe
  • logo_1.exe
  • logo1_.exe
  • lsass.exe
  • lying.exe
  • msdccrt.exe
  • msvce32.exe
  • ncscv32.exe
  • nvscv32.exe
  • realschd.exe
  • rpcs.exe
  • run1132.exe
  • rundl132.exe
  • smss.exe
  • spo0lsv.exe
  • spoclsv.exe
  • ssopure.exe
  • svch0st.exe
  • svhost32.exe
  • sxs.exe
  • sysbmw.exe
  • sysload3.exe
  • tempicon.exe
  • upxdnd.exe
  • wdfmgr32.exe
  • wsvbs.exe

If the files that belong to terminated processes are located in specific folders, they are deleted.

Propagation

To spread over a network, the virus tries to connect to the IPC$ share with the login "Administrator" and performs a dictionary attack on the administrator password using these values:

  • admin
  • aaa
  • !@#$
  • asdf
  • asdfgh
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • !@#$%^&*(
  • !@#$%^&*()
  • qwer
  • admin123
  • love
  • test123
  • owner
  • mypass123
  • root
  • letmein
  • qwerty
  • abc123
  • password
  • monkey
  • password1
  • 1
  • 111
  • 123
  • 12345
  • 654321
  • 123456789

If the connection is successful, the virus copies itself as a "Setup.exe" file to the root of the system drive and starts the copied file as a service.
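The following Python helper is an added example, not F-Secure tooling, that turns the indicators in the Payload, Removal and Propagation sections into two host checks: it matches a collected file inventory against the dropped files and the "Setup.exe" copy at the system-drive root, and it tests an Administrator password against the exact dictionary the virus uses. It assumes the default %WinDir% and %WinSysDir% locations (C:\Windows and C:\Windows\System32) unless told otherwise; because the IsDrv118.sys rootkit hides files, the inventory should come from an offline or boot-time listing rather than from inside the infected Windows session.

```python
import ntpath

# Dropped-file name with no location stated on the page; matched by basename anywhere.
LOOSE_NAMES = {"nvmini.sys"}

# The password dictionary the virus tries against "Administrator" on IPC$ (from the page).
ALMAN_B_DICTIONARY = frozenset(
    "admin aaa !@#$ asdf asdfgh !@#$% !@#$%^ !@#$%^& !@#$%^&* !@#$%^&*( !@#$%^&*() "
    "qwer admin123 love test123 owner mypass123 root letmein qwerty abc123 "
    "password monkey password1 1 111 123 12345 654321 123456789".split()
)


def _norm(path: str) -> str:
    """Lower-case, backslash-normalised form so matching is case-insensitive like NTFS."""
    return ntpath.normpath(path).lower()


def find_alman_artifacts(inventory, windir=r"C:\Windows",
                         sysdir=r"C:\Windows\System32", sysdrive="C:"):
    """Return the inventory paths that match Alman.B's dropped files or its Setup.exe copy.

    `inventory` is an iterable of full Windows paths collected from the host (offline
    listing recommended, since the rootkit driver hides the dropped files when running).
    """
    # Exact locations the description gives for the dropped files and the spread copy.
    expected = {
        _norm(ntpath.join(windir, "linkinfo.dll")),
        _norm(ntpath.join(sysdir, "drivers", "IsDrv118.sys")),
        _norm(ntpath.join(sysdrive + "\\", "Setup.exe")),
    }
    hits = []
    for path in inventory:
        norm = _norm(path)
        if norm in expected or ntpath.basename(norm) in LOOSE_NAMES:
            hits.append(path)
    return hits


def weak_admin_password(password: str) -> bool:
    """True if the Administrator password is one the virus would guess over IPC$."""
    return password in ALMAN_B_DICTIONARY


if __name__ == "__main__":
    # Constructed sample inventory, not data from a real host.
    sample = [r"C:\Windows\linkinfo.dll", r"C:\Setup.exe", r"C:\Program Files\App\app.exe"]
    print(find_alman_artifacts(sample))
    print(weak_admin_password("!@#$%^&*()"))
```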