
12/25/2017 Win32/Alman.NAB | ESET Virusradar


Win32/Alman [Threat Name]

Win32/Alman.NAB [Threat Variant Name]

Category virus
Detection created Jun 05, 2007
Detection database version 10425
Aliases Virus.Win32.Alman.b (Kaspersky)
  W32.Almanahe.B!inf (Symantec)
  Virus:Win32/Almanahe.B (Microsoft)
  Win32.Alman.1 (Dr.Web)

Short description
Win32/Alman.NAB is a polymorphic file infector. It uses techniques commonly found in rootkits.

Installation
When executed, the virus creates the following files:

%windir%\linkinfo.dll (53248 B, Win32/Alman.NAD)
%systemroot%\drivers\cdralw.sys (15872 B, Win32/Alman.NAD)
%systemroot%\drivers\IsDrv122.sys (15872 B, Win32/Alman.NAD)

The library linkinfo.dll is loaded and injected into the following process:

explorer.exe

The virus may create the following files:

%windir%\AppPatch\AcPlugin.dll
%windir%\AppPatch\AcPlugin.dll.new
%temp%\%variable%

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdralw]
"ErrorControl" = 0
"Start" = 2

The virus may set the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Google]
"Version" = "%variable%"
"%number%" = "%variable%"

A string with variable content is used in place of %number% and %variable%.

File infection
Win32/Alman.NAB is a polymorphic file infector.

The virus searches local and network drives for files with one of the following extensions:

.exe

Executables are infected by appending the code of the virus to the last section.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

It avoids files which contain any of the following strings in their path:

QQ
WINNT
WINDOWS

Files with the following names are not infected:

zhengtu.exe
audition.exe
kartrider.exe
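The infection method described above (virus body appended to the last section, with the host patched so that the appended code runs first) leaves a signature a defender can check cheaply during triage: an entry point that lies in the last section of a multi-section file. The following Python script is an added example, not ESET's code or tooling; it parses the PE section table with the standard library only, and `build_sample_pe` is a constructed minimal PE32 header used to exercise the check, not a real program.

```python
import struct

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER

def parse_sections(pe: bytes):
    """Return (entry_rva, [(name, rva, virtual_size), ...]) from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + size_opt                   # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva = struct.unpack_from("<II", pe, off + 8)
        sections.append((name, rva, vsize))
    return entry_rva, sections

def entry_point_section(pe: bytes):
    """Index of the section whose virtual range holds the entry point (None if outside all)."""
    entry_rva, sections = parse_sections(pe)
    for i, (_, rva, vsize) in enumerate(sections):
        if rva <= entry_rva < rva + vsize:
            return i
    return None

def looks_appended(pe: bytes) -> bool:
    """Triage heuristic: entry point inside the LAST section of a multi-section file."""
    _, sections = parse_sections(pe)
    return len(sections) > 1 and entry_point_section(pe) == len(sections) - 1

def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed minimal PE32 header (.text at RVA 0x1000, .data at 0x2000); headers only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (224 - len(opt))
    def sec(name, rva, size):
        return name.ljust(8, b"\0") + struct.pack("<II", size, rva) + b"\0" * 24
    return dos + coff + opt + sec(b".text", 0x1000, 0x1000) + sec(b".data", 0x2000, 0x1000)
```

Run `looks_appended(open(path, "rb").read())` on a suspect file; a hit is a triage signal rather than a verdict, since some legitimate packed binaries also place their entry point in the last section.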

Spreading via shared folders

The virus searches for computers in the local network.

It tries to copy itself into the root folder of the C:\ drive on a remote machine using the following name:

setup.exe

The file is then remotely executed.

The following usernames are used:

Administrator

The following passwords are used:

(empty password)
admin
1

Information stealing
The following information is collected:

volume serial number
CPU information
operating system version

The virus attempts to send gathered information to a remote machine.

The virus contains a list of URLs. The HTTP protocol is used in the communication.

Other information
The virus can download and execute a file from the Internet.

The file is stored in the following location:

%temp%\%variable%
%windir%\AppPatch\AcPlugin.dll

The virus can modify the following file:

%system%\drivers\RsBoot.sys

The virus disables various security related applications.

The virus terminates processes with any of the following strings in the path:

sxs.exe
lying.exe
logo1_.exe

The virus hooks the following Windows APIs:

ZwLoadDriver (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
ZwEnumerateKey (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
ZwClose (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)