
Win32.Almanahe.D

Spread: LOW
Damage: MEDIUM
Size: approx. 52 kB + 15 kB
Alias: Almanahe

Symptoms

Presence of the files named in the technical description below.
Size of executable files increased by approximately 36 kB.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dan Anton, virus researcher

Technical Description:

Win32.Almanahe.D is a polymorphic file infector that targets PE executable files. The worm has three components: prepended code at the start of the infected file, and a DLL and a .sys driver appended at the end of the file.

The prepended code decrypts the other two components, drops "linkinfo.dll" into the %windir% directory, calls one of its exports to start the infection, and then continues execution of the original PE file.

The dropped "linkinfo.dll" is a DLL search-order hijack: "explorer.exe" lives in %windir%, and an application's own directory is searched before %system%, so the rogue copy is loaded in place of the clean "linkinfo.dll" in %system%. The rogue DLL intercepts the calls intended for the clean library and forwards the requested functions to the original DLL, so nothing visibly breaks. It then injects into the "explorer.exe" process and starts several threads to infect PE files with ".exe" or ".tmp" extensions on local drives and network shares.
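Because the DLL and the driver are appended after the last section, they live in the PE "overlay", which a responder can measure without a signature. The scanner below is an added example written for this page, not Bitdefender's tool: it parses the section table, reports how many bytes lie past the last section's raw data, and flags .exe/.tmp files whose overlay is at least 32 KiB (an assumed threshold chosen from the roughly 36 kB growth listed under Symptoms). The `build_minimal_pe` fixture constructs a tiny, non-loadable PE in memory so the script runs offline. Caveat: an infector that rewrites the section table can hide an appended payload from this check, so a zero overlay is absence of evidence, not evidence of a clean file.

```python
import os
import struct
import tempfile

DOS_HEADER_SIZE = 0x40
SECTION_HEADER_SIZE = 40
OVERLAY_THRESHOLD = 32 * 1024  # assumed: a little under the ~36 kB growth the description reports


def overlay_size(data: bytes) -> int:
    """Bytes past the end of the last section's raw data, or -1 if `data` is not a PE image."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return -1
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    # COFF header follows the 4-byte signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(num_sections):
        entry = table + i * SECTION_HEADER_SIZE
        if entry + SECTION_HEADER_SIZE > len(data):
            return -1
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def scan_directory(root: str, threshold: int = OVERLAY_THRESHOLD, extensions=(".exe", ".tmp")):
    """Return [(path, overlay_bytes)] for files under `root` whose overlay is >= threshold."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                size = overlay_size(fh.read())
            if size >= threshold:
                hits.append((path, size))
    return sorted(hits)


def build_minimal_pe(code: bytes = b"\xC3", overlay: bytes = b"") -> bytes:
    """Constructed fixture: a one-section PE32 image (headers only, not runnable) plus an optional overlay."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)          # e_lfanew: PE header right after DOS header
    opt_size = 0xE0                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    headers_end = DOS_HEADER_SIZE + 4 + len(coff) + opt_size + SECTION_HEADER_SIZE
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF                     # 512-byte file alignment
    raw_size = (len(code) + 0x1FF) & ~0x1FF
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size, raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + section
    image += b"\0" * (raw_ptr - len(image)) + code.ljust(raw_size, b"\0")
    return bytes(image) + overlay


def scan_constructed_sample():
    """Write a clean and an infected-looking fixture to a temp dir and scan it (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "clean.exe"), "wb") as fh:
            fh.write(build_minimal_pe())
        with open(os.path.join(tmp, "suspect.exe"), "wb") as fh:
            fh.write(build_minimal_pe(overlay=b"\x90" * (36 * 1024)))  # constructed appended blob
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"skipped: not an .exe or .tmp")
        return [(os.path.basename(p), n) for p, n in scan_directory(tmp)]


if __name__ == "__main__":
    for name, size in scan_constructed_sample():
        print(f"{name}: {size} bytes of overlay")
```

Point `scan_directory` at a share or a mounted disk image; the threshold is the only tunable, and a handful of legitimate installers carry large overlays too, so treat hits as triage candidates rather than verdicts.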

The worm drops two .sys files with driver functionality: "%system%\drivers\IsDrv122.sys", which is loaded into memory as a driver, and "%system%\drivers\cdralw.sys", which is registered as a system service. These two files form the rootkit component of the virus; their role is to hide the other components of Win32.Almanahe.D.
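The file indicators above (a "linkinfo.dll" in %windir% that shadows the clean copy in %system%, and the two driver files) can be checked without any vendor tooling. The script below is an added example for this page, not Bitdefender's code. It generalises the search-order point: any DLL that exists both directly in %windir% and in %system% is a hijack candidate for programs whose application directory is %windir%, not only "linkinfo.dll". The directory arguments are parameters so the check can run against an offline-mounted disk; the temp-dir layout in `check_constructed_layout` is constructed for demonstration.

```python
import os
import tempfile

# File indicators quoted from the description above.
HIJACKED_DLL = "linkinfo.dll"
ROOTKIT_DRIVERS = ("IsDrv122.sys", "cdralw.sys")


def shadowed_dlls(windir: str, sysdir: str):
    """DLL names present both directly in `windir` and in `sysdir` (compared case-insensitively).

    A program whose application directory is %windir% (explorer.exe among them) resolves a DLL
    from %windir% before %system%, so each duplicate is a candidate search-order hijack.
    """
    try:
        in_windir = {n.lower() for n in os.listdir(windir) if n.lower().endswith(".dll")}
        in_sysdir = {n.lower() for n in os.listdir(sysdir) if n.lower().endswith(".dll")}
    except OSError:
        return set()
    return in_windir & in_sysdir


def find_almanahe_indicators(windir: str = None, sysdir: str = None):
    """Return human-readable findings; pass explicit directories to inspect an offline mount."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    sysdir = sysdir or os.path.join(windir, "System32")
    findings = []
    for name in sorted(shadowed_dlls(windir, sysdir)):
        tag = "known Almanahe dropper" if name == HIJACKED_DLL else "unexplained duplicate"
        findings.append(f"{tag}: {os.path.join(windir, name)} shadows {os.path.join(sysdir, name)}")
    for drv in ROOTKIT_DRIVERS:
        path = os.path.join(sysdir, "drivers", drv)
        if os.path.isfile(path):
            findings.append(f"rootkit driver present: {path}")
    return findings


def check_constructed_layout():
    """Stage a fake %windir% tree in a temp dir (constructed, not a real system) and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = os.path.join(tmp, "Windows")
        sysdir = os.path.join(windir, "System32")
        os.makedirs(os.path.join(sysdir, "drivers"))
        staged = ("linkinfo.dll",                      # rogue copy in %windir%
                  "System32/linkinfo.dll",             # legitimate copy in %system%
                  "System32/kernel32.dll",             # present only in %system%: no finding
                  "System32/drivers/cdralw.sys")       # one of the two rootkit drivers
        for rel in staged:
            with open(os.path.join(windir, *rel.split("/")), "wb") as fh:
                fh.write(b"placeholder")
        return find_almanahe_indicators(windir, sysdir)


if __name__ == "__main__":
    for line in check_constructed_layout():
        print(line)
```

Because the drivers exist to hide the other components, a check run on the live, infected system may see nothing; run it from a clean boot environment or against the disk mounted offline, passing the Windows and System32 paths explicitly.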

The virus infects PE files with ".exe" or ".tmp" extensions from local drives and network shares.

It avoids infecting files located in directories that contain the following strings:

LOCAL SETTINGS\TEMP\
\WINDOWS\
\WINNT\
\QQ

and files with the following names:

"zhengtu.exe"
"audition.exe"
"kartrider.exe"
"nmservice.exe"
"ca.exe"
"nmcosrv.exe"
"nsstarter.exe"
"maplestory.exe"
"neuz.exe"
"zfs.exe"
"gc.exe"
"mts.exe"
"hs.exe"
"mhclient-connect.exe"
"dragonraja.exe"
"nbt-dragonraja2006.exe"
"wb-service.exe"
"game.exe"
"xlqy2.exe"
"sealspeed.exe"
"asktao.exe"
"dbfsupdate.exe"
"autoupdate.exe"
"dk2.exe"
"main.exe"
"userpic.exe"
"zuonline.exe"
"config.exe"
"mjonline.exe"
"patcher.exe"
"meteor.exe"
"cabalmain.exe"
"cabalmain9x.exe"
"cabal.exe"
"au_unins_web.exe"
"xy2.exe"
"flyff.exe"
"xy2player.exe"
"trojankiller.exe"
"patchupdate.exe"
"ztconfig.exe"
"woool.exe"
"wooolcfg.exe"
"wow.exe"
"repair.exe"
"launcher.exe"

It tries to install itself as a network service and copy itself as "c:\setup.exe" on network computers, which it accesses with the Administrator account and the following weak passwords:

"" (blank)
"admin"
"1"
"111"
"123"
"aaa"
"12345"
"123456789"
"654321"
"!@#$"
"asdf"
"asdfgh"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"!@#$%^&*("
"!@#$%^&*()"
"qwer"
"admin123"
"love"
"test123"
"owner"
"mypass123"
"root"
"letmein"
"qwerty"
"abc123"
"password"
"monkey"
"password1"
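Trying this list against the Administrator account of every reachable host leaves a distinctive trace: a burst of failed network logons (Windows Security event 4625, logon type 3) for Administrator from one source, followed by a success (event 4624) when a weak password matches and the copy to "c:\setup.exe" becomes possible. The detector below is an added example for this page, not Bitdefender's; the log lines, the five-failures-per-minute threshold and the field layout are constructed assumptions, so map real events onto `parse_events` before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log events (not real telemetry):
# timestamp, event id (4625 = failed logon, 4624 = successful logon), account, source address, logon type
SAMPLE_EVENTS = """\
2007-04-02T10:15:01 4625 Administrator 192.168.1.37 3
2007-04-02T10:15:02 4625 Administrator 192.168.1.37 3
2007-04-02T10:15:02 4625 Administrator 192.168.1.37 3
2007-04-02T10:15:03 4625 Administrator 192.168.1.37 3
2007-04-02T10:15:04 4625 Administrator 192.168.1.37 3
2007-04-02T10:15:06 4625 Administrator 192.168.1.37 3
2007-04-02T10:15:07 4624 Administrator 192.168.1.37 3
2007-04-02T10:20:00 4625 jsmith 192.168.1.12 2
2007-04-02T10:21:00 4624 jsmith 192.168.1.12 2
"""


def parse_events(text: str):
    """Parse the whitespace-separated sample format into (timestamp, event_id, account, source, logon_type)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src, ltype = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), account, src, int(ltype)))
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(seconds=60), accounts=("administrator",)):
    """Flag (source, account) pairs with >= `threshold` network-logon failures inside `window`.

    Each alert records whether a successful logon followed the burst; that is the case in which the
    worm gets to copy itself to C:\\setup.exe on the target.
    """
    by_key = defaultdict(list)
    for ts, eid, account, src, ltype in sorted(events):
        if account.lower() in accounts and ltype == 3:       # network logons only
            by_key[(src, account)].append((ts, eid))
    alerts = []
    for (src, account), seq in by_key.items():
        failures = [ts for ts, eid in seq if eid == 4625]
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j] - failures[i] <= window:
                j += 1                                        # failures[i:j] fall inside one window
            if j - i >= threshold:
                burst_end = failures[j - 1]
                success = any(eid == 4624 and ts >= burst_end for ts, eid in seq)
                alerts.append({"source": src, "account": account,
                               "failures": j - i, "followed_by_success": success})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The same burst is visible on the attacking host as a fan-out of SMB connections to many peers; correlating the two views distinguishes a worm from a single misconfigured service account retrying one server.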

It also terminates processes with the following names and deletes the associated files:

"sxs.exe"
"lying.exe"
"logo1_.exe"
"logo_1.exe"
"fuckjacks.exe"
"spoclsv.exe"
"nvscv32.exe"
"svch0st.exe"
"c0nime.exe"
"iexpl0re.exe"
"ssopure.exe"
"upxdnd.exe"
"wdfmgr32.exe"
"spo0lsv.exe"
"ncscv32.exe"
"iexplore.exe"
"iexpl0re.exe"
"ctmontv.exe"
"explorer.exe"
"internat.exe"
"lsass.exe"
"smss.exe"
"svhost32.exe"
"rundl132.exe"
"msvce32.exe"
"rpcs.exe"
"sysbmw.exe"
"tempicon.exe"
"sysload3.exe"
"run1132.exe"
"msdccrt.exe"
"wsvbs.exe"
"cmdbcs.exe"
"realschd.exe"

except when the file is located in a directory whose path contains:

\program files\
\system\
\com\
\winnt\
\windows\

The virus also has the ability to send data to, and download additional files from, the following host, contacted on port 53:

s.rm510.com:53

Port 53 is the DNS port. Traffic to it from an internal host towards anything other than the approved resolvers is not name resolution, and a long TCP session on that port is a reasonable thing to alert on regardless of destination.
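A small aggregation over connection records is enough to surface that pattern. The code below is an added example for this page, not Bitdefender's; the flow records, the resolver set and the field order are constructed assumptions standing in for whatever the site's firewall or NetFlow export provides.

```python
from collections import defaultdict

# Constructed connection records (not real telemetry): (source, destination, dst port, protocol, bytes sent)
SAMPLE_FLOWS = [
    ("10.0.0.15", "10.0.0.2", 53, "udp", 64),         # normal query to the site resolver
    ("10.0.0.15", "10.0.0.2", 53, "udp", 58),
    ("10.0.0.15", "203.0.113.9", 53, "tcp", 18200),   # long TCP session to a non-resolver on the DNS port
    ("10.0.0.15", "203.0.113.9", 53, "tcp", 2400),
    ("10.0.0.22", "10.0.0.2", 53, "udp", 71),
    ("10.0.0.22", "198.51.100.7", 443, "tcp", 5000),  # unrelated HTTPS, ignored
]
APPROVED_RESOLVERS = {"10.0.0.2"}  # assumed site configuration


def port53_to_non_resolvers(flows, resolvers=APPROVED_RESOLVERS):
    """Aggregate port-53 traffic whose destination is not an approved resolver, per (source, destination).

    Returns {(src, dst): {"sessions": count, "bytes": total bytes sent, "tcp": any TCP session seen}}.
    TCP on port 53 with more than a few hundred bytes per session is not ordinary DNS and ranks first.
    """
    out = defaultdict(lambda: {"sessions": 0, "bytes": 0, "tcp": False})
    for src, dst, port, proto, nbytes in flows:
        if port != 53 or dst in resolvers:
            continue
        entry = out[(src, dst)]
        entry["sessions"] += 1
        entry["bytes"] += nbytes
        entry["tcp"] = entry["tcp"] or proto == "tcp"
    return dict(out)


def ranked(flows, resolvers=APPROVED_RESOLVERS):
    """Suspects ordered with TCP sessions first, then by bytes sent, for analyst triage."""
    agg = port53_to_non_resolvers(flows, resolvers)
    return sorted(agg.items(), key=lambda kv: (kv[1]["tcp"], kv[1]["bytes"]), reverse=True)


if __name__ == "__main__":
    for (src, dst), stats in ranked(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:53  sessions={stats['sessions']} bytes={stats['bytes']} tcp={stats['tcp']}")
```

Resolving s.rm510.com at the time of the incident and adding the answer to the firewall's block list is the immediate containment step; the aggregation above is what catches the next sample that uses a different name on the same port.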