Virus: W32/Almanahe.B
Date discovered: 14/06/2007
Type: File infector
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium to high
Damage Potential: Medium to high
Static file: No
IVDF version: 6.39.00.12 - Thu, 14 Jun 2007 09:01 (GMT+1)
General Method of propagation:
• Local network
Aliases:
• Symantec: W32.Almanahe.B
• McAfee: W32/Almanahe.c virus
• Kaspersky: Virus.Win32.Alman.b
• TrendMicro: PE_CORELINK.C-1
• F-Secure: Virus.Win32.Alman.b
• Sophos: W32/Alman-C
• Panda: W32/Almanahe.C
• Grisoft: Win32/Alman
• VirusBuster: Win32.Alman.B
• Eset: Win32/Alman.NAB virus
• Bitdefender: Win32.Almanahe.D
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops malicious files
• Makes use of software vulnerability
Files
The following files are created:
– %WINDIR%\linkinfo.dll Further analysis showed that this file is also malware. Detected as: W32/Rectix.A
– %SYSDIR%\drivers\IsDrv118.sys Further analysis showed that this file is also malware. Detected as: Rkit/Agent.GA
– %SYSDIR%\drivers\nvmini.sys Further analysis showed that this file is also malware. Detected as: Rkit/Agent.GA
File infection method:
This direct-action infector actively searches for files to infect.
Network infection
In order to ensure its propagation, the malware attempts to connect to other machines on the local network as described below.
It uses the following login information in order to gain access to the remote machine:
– The following username:
• Administrator
– The following list of passwords:
• admin; aaa; !@#$; asdf; asdfgh; !@#$%; !@#$%^; !@#$%^&; !@#$%^&*;
!@#$%^&*(; !@#$%^&*(); qwer; admin123; love; test123; owner;
mypass123; root; letmein; qwerty; abc123; password; monkey; password1;
1; 111; 123; 12345; 654321; 123456789
Any machine whose local Administrator password is on this list can be infected over the network, so the list doubles as a quick check against your own local Administrator passwords.
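The credential attack above leaves a dense burst of failed logons for Administrator from one source host. The following is an added example, not part of the advisory, that flags such a burst from a simplified CSV rendering of Windows failed-logon events (event 529 on Windows 2000/XP/2003, 4625 on later versions). The sample log is constructed, and the threshold of ten failures within one minute is an assumption to tune per environment.

```python
"""Added example (not from the Avira advisory): detect a brute-force burst
against the local Administrator account from failed-logon records.

The CSV layout below is a constructed simplification of the fields in
Security events 529 / 4625; real exports will need their own parser."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon event IDs: 529 (Windows 2000/XP/2003), 4625 (Vista and later).
FAILED_LOGON_EVENTS = {"529", "4625"}


def build_sample_log():
    """Constructed sample, not real telemetry: 30 failed Administrator logons
    from 10.0.0.23 one second apart (one per password in the worm's list),
    three spread-out failures from 10.0.0.50 and one success, which must
    not fire."""
    t0 = datetime(2007, 6, 14, 9, 0, 0)
    lines = ["timestamp,event_id,target_user,source_ip,status"]
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts},529,Administrator,10.0.0.23,0xC000006A")
    for h in (1, 3, 6):
        ts = (t0 + timedelta(hours=h)).isoformat()
        lines.append(f"{ts},529,Administrator,10.0.0.50,0xC000006A")
    ts = (t0 + timedelta(hours=2)).isoformat()
    lines.append(f"{ts},528,Administrator,10.0.0.50,0x0")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = build_sample_log()


def parse(text):
    """Return (timestamp, target_user, source_ip) for every failed logon."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["event_id"] in FAILED_LOGON_EVENTS:
            records.append((datetime.fromisoformat(row["timestamp"]),
                            row["target_user"], row["source_ip"]))
    return records


def find_bruteforce(records, user="Administrator", threshold=10,
                    window=timedelta(minutes=1)):
    """Return {source_ip: total_failures} for every source that produced at
    least `threshold` failed logons against `user` inside any sliding window
    of length `window`. Threshold and window are assumptions to tune."""
    by_source = defaultdict(list)
    for ts, target, src in records:
        if target.lower() == user.lower():
            by_source[src].append(ts)
    hits = {}
    for src, times in by_source.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            # Slide the left edge until the window fits.
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits


if __name__ == "__main__":
    for src, count in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"possible Administrator brute force from {src}: {count} failures")
```

The sliding window matters more than the raw count: the three failures from 10.0.0.50 spread over hours are ordinary typos, while the worm tries its whole list within seconds. Pair a hit with the source host's own scan for the dropped files listed in this advisory, since the attacking machine is already infected.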
Process termination
List of processes that are terminated:
• c0nime.exe; cmdbcs.exe; ctmontv.exe; explorer.exe; fuckjacks.exe;
iexpl0re.exe; iexpl0re.exe; iexplore.exe; internat.exe; logo_1.exe;
logo1_.exe; lsass.exe; lying.exe; msdccrt.exe; msvce32.exe;
ncscv32.exe; nvscv32.exe; realschd.exe; rpcs.exe; run1132.exe;
rundl132.exe; smss.exe; spo0lsv.exe; spoclsv.exe; ssopure.exe;
svch0st.exe; svhost32.exe; sxs.exe; sysbmw.exe; sysload3.exe;
tempicon.exe; upxdnd.exe; wdfmgr32.exe; wsvbs.exe
Most of these names are look-alikes of legitimate Windows binaries (svch0st.exe, spo0lsv.exe, iexpl0re.exe, rundl132.exe) used by other malware families; the list also contains the genuine explorer.exe, lsass.exe and smss.exe, so a sudden loss of those processes is itself a symptom.
Injection
It injects the following file into a process: linkinfo.dll
Process name:
• explorer.exe
The dropped copy lives in %WINDIR%, the directory explorer.exe runs from, so the normal DLL search order loads it ahead of the legitimate linkinfo.dll in %SYSDIR% whenever explorer.exe starts.
Rootkit technology
Hides the following:
– The following files:
• autorun.inf
• boot.exe
• linkinfo.dll
• nvmini.sys
– Registry keys that contain the following substring:
• nvmini
The hiding is done by the dropped kernel driver (nvmini.sys, detected as Rkit/Agent.GA), so directory listings and registry views taken on the running system will not show these names; look for them from an offline boot or a mounted copy of the disk.
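Because the driver hides the dropped files and the nvmini registry keys on a live system, the practical check runs against an offline copy of the volume and a registry export taken from a clean boot. The following is an added example, not part of the advisory, that sweeps a mounted volume for the files named in the Files and Rootkit technology sections above and scans a text .reg export for key names containing nvmini. The sample volume and the .reg text are constructed; the Windows directory name and the service key path in the sample are assumptions.

```python
"""Added example (not from the Avira advisory): offline IOC sweep for the
files and registry keys this worm drops and hides.

Run against a mounted image or an exported hive, never on the infected
host, because nvmini.sys filters these names out of live listings."""
import pathlib
import tempfile

# Dropped files relative to the Windows directory, from the advisory.
DROPPED_FILES = (
    "linkinfo.dll",
    "system32/drivers/IsDrv118.sys",
    "system32/drivers/nvmini.sys",
)
# File names the rootkit hides anywhere on the volume, from the advisory.
HIDDEN_NAMES = {"autorun.inf", "boot.exe", "linkinfo.dll", "nvmini.sys"}
# Substring of hidden registry key names, from the advisory.
REGISTRY_SUBSTRING = "nvmini"

# Constructed sample .reg export (the service key path is an assumption).
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\nvmini]
"ImagePath"="system32\\drivers\\nvmini.sys"
"Type"=dword:00000001
"""


def build_sample_volume():
    """Constructed sample volume, not an image of a real infection: the three
    dropped files, a boot.exe/autorun.inf pair in the volume root, the
    legitimate system32\\linkinfo.dll and one unrelated file."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="alman_sweep_"))
    for rel in ("WINDOWS/linkinfo.dll", "WINDOWS/system32/linkinfo.dll",
                "WINDOWS/system32/drivers/IsDrv118.sys",
                "WINDOWS/system32/drivers/nvmini.sys",
                "boot.exe", "autorun.inf", "Documents/readme.txt"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00")
    return root


def sweep_volume(root, windir="WINDOWS"):
    """Return sorted volume-relative paths of the dropped files under `windir`
    and of every file whose name the rootkit hides. The genuine Windows
    linkinfo.dll in %SYSDIR% is skipped; the worm's copy is the one in
    %WINDIR%."""
    root = pathlib.Path(root)
    legit_linkinfo = root / windir / "system32" / "linkinfo.dll"
    hits = set()
    for rel in DROPPED_FILES:
        path = root / windir / rel
        if path.is_file():
            hits.add(path.relative_to(root).as_posix())
    for path in root.rglob("*"):
        if (path.is_file() and path.name.lower() in HIDDEN_NAMES
                and path != legit_linkinfo):
            hits.add(path.relative_to(root).as_posix())
    return sorted(hits)


def sweep_registry_export(reg_text):
    """Return key paths in a .reg export whose name contains 'nvmini'
    (case-insensitive). Only [key] header lines are considered."""
    hits = []
    for line in reg_text.splitlines():
        line = line.strip()
        if (line.startswith("[") and line.endswith("]")
                and REGISTRY_SUBSTRING in line.lower()):
            hits.append(line[1:-1])
    return hits


if __name__ == "__main__":
    volume = build_sample_volume()
    for hit in sweep_volume(volume):
        print("suspicious file:", hit)
    for key in sweep_registry_export(SAMPLE_REG_EXPORT):
        print("hidden registry key:", key)
```

A volume that is clean of these names on a live listing but shows them offline is the clearest confirmation of the rootkit; either way, a hit on %WINDIR%\linkinfo.dll means explorer.exe has been loading the malicious DLL and every executable the direct-action infector could reach should be rescanned.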
January 25, 2010 at 12:30 AM
Thanks for sharing useful information. I like this post. I am following your blog.