Win32/Alman.NAB (ESET Virusradar threat encyclopaedia entry)
Category: virus
Detection created: Jun 05, 2007
Detection database version: 10425
Aliases: Virus.Win32.Alman.b (Kaspersky), W32.Almanahe.B!inf (Symantec), Virus:Win32/Almanahe.B (Microsoft), Win32.Alman.1 (Dr.Web)
Short description
Win32/Alman.NAB is a polymorphic file infector. It uses techniques common to rootkits.
Installation
When executed, the virus creates the following files:
%windir%\AppPatch\AcPlugin.dll
%windir%\AppPatch\AcPlugin.dll.new
%temp%\%variable%
The following Registry entries are set:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdralw]
"ErrorControl" = 0
"Start" = 2
[HKEY_LOCAL_MACHINE\Software\Google]
"Version" = "%variable%"
"%number%" = "%variable%"
The library linkinfo.dll is loaded and injected into the following process:
explorer.exe
File infection
Win32/Alman.NAB is a polymorphic file infector.
The virus searches local and network drives for files with one of the following extensions:
.exe
Executables are infected by appending the code of the virus to the last section.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
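The infection shape described above (virus body appended to the last section, entry point redirected so the virus runs before the host) is something a static triage check can look for without any signature. The script below is an added example written for this page; it is not ESET's detection logic and not code from the Virusradar entry. It parses the PE section table, finds the section that holds the entry point, and reports when that section is the last one, is not marked as code, or is both writable and executable. The two images it checks are constructed in memory by build_sample and are not real binaries; all function names (parse_pe, entry_section_index, appended_code_suspicion, build_sample) are my own.

```python
from __future__ import annotations
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Read the entry-point RVA and the section table of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    sections = []
    off = opt + size_opt
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        (chars,) = struct.unpack_from("<I", data, off + 36)      # Characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars,
        })
        off += 40
    return {"entry_rva": entry_rva, "sections": sections}


def entry_section_index(pe: dict) -> int:
    """Index of the section whose address range contains the entry point, or -1."""
    for i, s in enumerate(pe["sections"]):
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= pe["entry_rva"] < s["virtual_address"] + span:
            return i
    return -1


def appended_code_suspicion(data: bytes) -> list[str]:
    """Heuristic findings that fit an appending infector; an empty list means nothing unusual."""
    pe = parse_pe(data)
    secs = pe["sections"]
    idx = entry_section_index(pe)
    if idx == -1:
        return ["entry point lies outside every section"]
    s = secs[idx]
    findings = []
    if len(secs) > 1 and idx == len(secs) - 1:
        findings.append(f"entry point in last section {s['name']!r}")
    if not s["characteristics"] & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry section {s['name']!r} is not marked as code")
    if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {s['name']!r} is writable and executable")
    return findings


def build_sample(entry_in_last: bool) -> bytes:
    """Construct a minimal two-section PE32 header (test data made for this example, not a real file)."""
    text = [b".text", 0x1000, 0x1000, 0x200, 0x400,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ]
    data_ = [b".data", 0x1000, 0x2000, 0x200, 0x600,
             IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE]
    entry_rva = text[2]
    if entry_in_last:
        # Mimic the infection shape: last section grown by 0x800 bytes, made executable,
        # entry point moved to the first appended byte.
        entry_rva = data_[2] + data_[3]
        data_[1] += 0x800
        data_[3] += 0x800
        data_[5] |= IMAGE_SCN_MEM_EXECUTE
    sections = [text, data_]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in sections)
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return image.ljust(data_[4] + data_[3], b"\0")   # pad out to the end of the last section


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("appended", build_sample(True))):
        print(label, appended_code_suspicion(sample) or ["no findings"])
```

Treat the output as triage input, not a verdict: runtime packers and some protectors also place the entry point in a late, writable section, so a hit on a file with otherwise consistent headers should be confirmed with a scanner rather than acted on alone. Because Alman.NAB is polymorphic, a hash of the infected file is of little use; a structural check like this one, together with the file and registry indicators listed on this page, is the kind of evidence that survives the polymorphism.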
It avoids files which contain any of the following strings in their path:
QQ
WINNT
WINDOWS
zhengtu.exe
audition.exe
kartrider.exe
It tries to copy itself into the root folder of the C:\ drive on a remote machine using the following name:
setup.exe
The following credentials are used when connecting to the remote machine:
Administrator
(empty password)
admin
1
Information stealing
The following information is collected:
The virus contains a list of URLs. The HTTP protocol is used in the communication.
Other information
The virus can download and execute a file from the Internet.
Related files:
%temp%\%variable%
%windir%\AppPatch\AcPlugin.dll
%system%\drivers\RsBoot.sys
The virus terminates processes with any of the following strings in the path:
sxs.exe
lying.exe
logo1_.exe
Source: http://www.virusradar.com/en/Win32_Alman.NAB/description (ESET Virusradar, retrieved 12/25/2017)