
Win32.Alman

(Win32.Almanahe.B, TROJ_CORELINK.D, Win32/Alman, W32/Almanahe, W32/Almanahe.B, Trojan-Dropper.Win32.Small.axz, Backdoor:Win32/Afcore, Win32/Afcore, Generic.AFCore.5A56A01D, TROJ_AGENT.THK, BackDoor.Afcore.2.AK, Win32/Fanop, Virus.Win32.Kaos, Backdoor.Win32.Afcore.bt, Backdoor.Win32.Afcore.ck, Backdoor.Win32.Afcore.cd, W32/Rectix.A.DLL, Gen:Trojan.Heur.50708F9A8A, BackDoor.Afcore.2.AH, Generic.DZD, W32/Almanahe!dldr)

Virus description added:

Virus type: File virus

Size:

Affected OS: Win NT-based

Packed by: -

Technical information

  • On startup, the virus opens the following files: %windir%\linkinfo.dll, %systemroot%\system32\drivers\nvmini.sys and the temporary file %systemroot%\system32\drivers\IsDrv118.sys.
  • Monitors for newly connected removable drives and, when one is attached, creates the files boot.exe and autorun.inf on it.
  • Conceals its presence on the infected system by hiding its own files:

    nvmini.sys
    linkinfo.dll
    autorun.inf
    boot.exe

    as well as registry keys whose names contain the substring "nvmini".

  • Blocks the operation of the following drivers (anti-rootkit tools and network filters):

    ISPUBDRV
    ISDRV1
    RKREVEAL
    PROCEXP
    SAFEMON
    RKHDRV10
    NPF
    IRIS
    NPPTNT
    DUMP_WMIMMC
    SPLITTER
    EAGLENT

  • Analyses import tables and blocks drivers that reference KeServiceDescriptorTable.

  • Blocks the operation of the following libraries:

    DLLWM.DLL
    DLLHOSTS.DLL
    NOTEPAD.DLL
    RPCS.DLL
    RDIHOST.DLL
    RDFHOST.DLL
    RDSHOST.DLL
    LGSYM.DLL
    RUND11.DLL
    MDDDSCCRT.DLL
    WSVBS.DLL
    CMDBCS.DLL
    RICHDLL.DLL
    WININFO.RXK
    WINDHCP.DLL
    UPXDHND.DLL

  • Injects its own library into Explorer.exe.
  • Waits for updates to itself in the file %windir%\AppPatch\AcLue.dll.
  • Infects files on all disks, except system files protected by SFC and files located in the following subfolders:

    \QQ
    \WINNT\
    \WINDOWS\
    LOCAL SETTINGS\TEMP\

  • Does not infect the files in this list:

    zhengtu.exe
    audition.exe
    kartrider.exe
    nmservice.exe
    ca.exe
    nmcosrv.exe
    nsstarter.exe
    maplestory.exe
    neuz.exe
    zfs.exe
    gc.exe
    mts.exe
    hs.exe
    mhclient-connect.exe
    dragonraja.exe
    nbt-dragonraja2006.exe
    wb-service.exe
    game.exe
    xlqy2.exe
    sealspeed.exe
    asktao.exe
    dbfsupdate.exe
    autoupdate.exe
    dk2.exe
    main.exe
    userpic.exe
    zuonline.exe
    config.exe
    mjonline.exe
    patcher.exe
    meteor.exe
    cabalmain.exe
    cabalmain9x.exe
    cabal.exe
    au_unins_web.exe
    xy2.exe
    flyff.exe
    xy2player.exe
    trojankiller.exe
    patchupdate.exe
    ztconfig.exe
    woool.exe
    wooolcfg.exe

  • Terminates the processes of other malware:

    sxs.exe
    lying.exe
    logo1_.exe
    logo_1.exe
    fuckjacks.exe
    spoclsv.exe
    nvscv32.exe
    svch0st.exe
    c0nime.exe
    iexpl0re.exe
    ssopure.exe
    upxdnd.exe
    wdfmgr32.exe
    spo0lsv.exe
    ncscv32.exe
    iexplore.exe
    iexpl0re.exe
    ctmontv.exe
    explorer.exe
    internat.exe
    lsass.exe
    smss.exe
    svhost32.exe
    rundl132.exe
    msvce32.exe
    rpcs.exe
    sysbmw.exe
    tempicon.exe
    sysload3.exe
    run1132.exe
    msdccrt.exe
    wsvbs.exe
    cmdbcs.exe
    realschd.exe

  • Attempts to spread across the local network by connecting as Administrator with the following passwords:

    ""
    "admin"
    "1"
    "111"
    "123"
    "aaa"
    "12345"
    "123456789"
    "654321"
    "!@#$"
    "asdf"
    "asdfgh"
    "!@#$%"
    "!@#$%^"
    "!@#$%^&"
    "!@#$%^&*"
    "!@#$%^&*("
    "!@#$%^&*()"
    "qwer"
    "admin123"
    "love"
    "test123"
    "owner"
    "mypass123"
    "root"
    "letmein"
    "qwerty"
    "abc123"
    "password"
    "monkey"
    "password1"

    On success, the virus creates the file setup.exe in the root folder of drive C and downloads it remotely.

  • Attempts to retrieve other malicious programs using the default browser, e.g.:
    Trojan.PWS.Gamania.4375, Trojan.PWS.Wow.632, Trojan.PWS.Legmir.1949
  • System recovery information

    1. Disconnect the infected computer from the local network and/or the Internet and turn off the System Recovery service.
    2. Download the free cure utility Dr.Web CureIt! on an uninfected computer, then copy it to external media.
    3. Restart the infected computer in Safe Mode (press F8 at Windows startup) and scan it with Dr.Web CureIt!. Apply "Cure" to all detected objects.
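To turn the indicators above into something a responder can run against a host listing, here is an added Python triage example. It is not Doctor Web's code and is not part of the original description; it uses only the indicators named on this page. It checks a file listing for the dropped files and for the boot.exe/autorun.inf pair in the root of a drive, flags registry key paths containing "nvmini", and audits account passwords against the list the virus uses when spreading over the network. The Windows directory default (C:\WINDOWS), the Finding type, and every sample input are assumptions constructed for the example.

```python
"""Triage helpers for the Win32.Alman indicators listed in the description.

Added example, not Doctor Web's own code. Only indicators named on the page
are used; all inputs below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Dropped files, relative to the Windows directory, as named in the description.
FILE_INDICATORS = {
    r"linkinfo.dll": "library opened at startup",
    r"system32\drivers\nvmini.sys": "driver opened at startup",
    r"system32\drivers\isdrv118.sys": "temporary driver file",
    r"apppatch\aclue.dll": "update drop location",
}

# Files written to the root of every newly attached removable drive.
REMOVABLE_DROP = {"autorun.inf", "boot.exe"}

# Substring the rootkit hides from registry enumeration.
REGISTRY_SUBSTRING = "nvmini"

# Passwords tried against the Administrator account during network spread.
WEAK_PASSWORDS = {
    "", "admin", "1", "111", "123", "aaa", "12345", "123456789", "654321",
    "!@#$", "asdf", "asdfgh", "!@#$%", "!@#$%^", "!@#$%^&", "!@#$%^&*",
    "!@#$%^&*(", "!@#$%^&*()", "qwer", "admin123", "love", "test123",
    "owner", "mypass123", "root", "letmein", "qwerty", "abc123", "password",
    "monkey", "password1",
}


@dataclass(frozen=True)
class Finding:  # assumed result type for this example
    kind: str
    where: str
    detail: str


def scan_files(paths: list[str], windir: str = r"C:\WINDOWS") -> list[Finding]:
    """Report paths matching the dropped-file indicators.

    Matching is case-insensitive because NTFS is. A match means the file is
    present in the listing; a listing taken offline (raw disk) that shows a
    file the live system hides is the stronger signal.
    """
    findings: list[Finding] = []
    wanted = {f"{windir}\\{rel}".lower(): why for rel, why in FILE_INDICATORS.items()}
    per_root: dict[str, set[str]] = {}
    for p in paths:
        low = p.lower()
        if low in wanted:
            findings.append(Finding("dropped-file", p, wanted[low]))
        root, _, name = low.rpartition("\\")
        # Only files directly in a drive root (e.g. "e:\boot.exe") count.
        if re.fullmatch(r"[a-z]:", root) and name in REMOVABLE_DROP:
            per_root.setdefault(root, set()).add(name)
    # autorun.inf alone is common on legitimate media; require both files.
    for root, names in sorted(per_root.items()):
        if names == REMOVABLE_DROP:
            findings.append(Finding("removable-drive-drop", root.upper() + "\\",
                                    "autorun.inf and boot.exe present together"))
    return findings


def scan_registry(key_paths: list[str]) -> list[Finding]:
    """Flag registry key paths containing the substring the rootkit hides.

    Comparing an offline hive parse against live enumeration exposes hiding:
    keys seen offline but missing live are the ones to look at.
    """
    return [Finding("registry", k, f'contains "{REGISTRY_SUBSTRING}"')
            for k in key_paths if REGISTRY_SUBSTRING in k.lower()]


def audit_admin_passwords(accounts: dict[str, str]) -> list[str]:
    """Return accounts whose password is one the virus tries during spread."""
    return sorted(name for name, pw in accounts.items() if pw in WEAK_PASSWORDS)


if __name__ == "__main__":
    # Constructed sample listing; none of these paths come from a real host.
    SAMPLE_PATHS = [
        r"C:\WINDOWS\linkinfo.dll",
        r"C:\WINDOWS\system32\drivers\NVMINI.SYS",
        r"C:\WINDOWS\system32\drivers\ntfs.sys",
        r"E:\autorun.inf",
        r"E:\boot.exe",
        r"F:\autorun.inf",
    ]
    SAMPLE_KEYS = [
        r"HKLM\SYSTEM\CurrentControlSet\Services\nvmini",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    ]
    SAMPLE_ACCOUNTS = {"Administrator": "!@#$%^&", "backup": "L0ng-constructed-pw"}
    for f in scan_files(SAMPLE_PATHS) + scan_registry(SAMPLE_KEYS):
        print(f"[{f.kind}] {f.where}: {f.detail}")
    print("accounts with a password the virus tries:", audit_admin_passwords(SAMPLE_ACCOUNTS))
```

The file check deliberately requires both boot.exe and autorun.inf in a drive root before reporting, since autorun.inf by itself appears on plenty of legitimate media; the registry check is a plain substring match and is meant to be run over a listing obtained independently of the live system's own APIs, which the rootkit filters.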

Dr.Web © Doctor Web
2003 — 2021