
Win32.Alman.B

Submission Summary:

Submission details:
o Submission received: 9 April 2009, 19:38:14
o Processing time: 5 min 42 sec
o Submitted sample:
  File MD5: 0x144D9F896C977B5E78234E07A29C2C76
  File SHA-1: 0xC4FF9731D517566874CDA045EFC4A421D476F820
  Filesize: 221,696 bytes
  Alias:
    Win32.Alman.B [PCTools]
    W32.Almanahe.B!inf [Symantec]
    Virus.Win32.Alman.b [Kaspersky Lab]
    W32/Almanahe.c [McAfee]
    PE_CORELINK.C-1 [Trend Micro]
    W32/Alman-C [Sophos]
    Virus:Win32/Almanahe.B [Microsoft]
    Virus.Win32.Agent.SWR [Ikarus]
    Win32/Alman.C [AhnLab]

Summary of the findings:

What's been found (Severity Level):
o Replication across networks by exploiting weakly restricted shares (common for Randex family of worms).
o Downloads/requests other files from Internet.
o Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk were identified in the system:

Security Risk: Trojan.Almanahe
Description: Trojan.Almanahe may be installed on a system when users unknowingly visit malicious websites. It uses rootkit technology to evade scanners and contacts a remote server where it downloads and installs an updated copy of itself.

Attention! The following threat categories were identified:

Threat Category / Description:
o A network-aware worm that attempts to replicate across the existing network(s)
o A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body
o A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system:

1. Filename(s): %Windir%\linkinfo.dll
   File Size: 53,248 bytes
   File Hash:
     MD5: 0x08B1547672A359972E7038834AB18C9F
     SHA-1: 0xBAAD24272B5B13DC105112AEC20451508B86183F
   Alias:
     Trojan.Almanahe [PCTools]
     W32.Almanahe.B!inf [Symantec]
     Virus.Win32.Agent.bu [Kaspersky Lab]
     W32/Almanahe.dll [McAfee]
     PE_CORELINK.C-O [Trend Micro]
     W32/Alman-E [Sophos]
     Trojan:Win32/Almanahe.B.dll [Microsoft]
     TrojanDropper.Agent [Ikarus]
     WinTrojan/Agent.53248.GU [AhnLab]

2. Filename(s): %System%\drivers\cdralw.sys
   File Size: 15,872 bytes
   File Hash:
     MD5: 0xAA20CCA9BF2BF1EB5AE2F67E5454F77E
     SHA-1: 0x555F608173908987D6F48390E4619C0261EE1849
   Alias:
     Trojan.Almanahe [PCTools]
     Hacktool.Rootkit [Symantec]
     Virus.Win32.Alman.b [Kaspersky Lab]
     W32/Almanahe.sys.gen [McAfee]
     Troj/Rootkit-BZ [Sophos]
     VirTool:WinNT/Almanahe.gen!A [Microsoft]
     Virus.Win32.Alman [Ikarus]
     WinTrojan/Rootkit.15872.C [AhnLab]

3. Filename(s): [file and pathname of the sample #1]
   File Size: 221,696 bytes
   File Hash:
     MD5: 0x144D9F896C977B5E78234E07A29C2C76
     SHA-1: 0xC4FF9731D517566874CDA045EFC4A421D476F820
   Alias:
     Win32.Alman.B [PCTools]
     W32.Almanahe.B!inf [Symantec]
     Virus.Win32.Alman.b [Kaspersky Lab]
     W32/Almanahe.c [McAfee]
     PE_CORELINK.C-1 [Trend Micro]
     W32/Alman-C [Sophos]
     Virus:Win32/Almanahe.B [Microsoft]
     Virus.Win32.Agent.SWR [Ikarus]
     Win32/Alman.C [AhnLab]

Notes:
o %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was deleted:
o %System%\linkinfo.dll

Memory Modifications

There was a new process created in the system:

Process Name: [filename of the sample #1]
Process Filename: [file and pathname of the sample #1]
Main Module Size: 331,776 bytes

The following modules were loaded into the address space of other process(es):

Module Name: linkinfo.dll
Module Filename: %Windir%\linkinfo.dll
Address Space Details:
  Process name: [filename of the sample #1]
  Process filename: [file and pathname of the sample #1]
  Address space: 0x890000 - 0x89D000

Module Name: linkinfo.dll
Module Filename: %System%\linkinfo.dll
Address Space Details:
  Process name: [filename of the sample #1]
  Process filename: [file and pathname of the sample #1]
  Address space: 0x76980000 - 0x76988000

Registry Modifications

The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdralw
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdralw\Security

The newly created Registry Values are:

o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000\Control]
  *NewlyCreated* = 0x00000000
  ActiveService = "cdralw"

o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000]
  Service = "cdralw"
  Legacy = 0x00000001
  ConfigFlags = 0x00000000
  Class = "LegacyDriver"
  ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  DeviceDesc = "cdralw"

o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW]
  NextInstance = 0x00000001

o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW\0000\Control]
  *NewlyCreated* = 0x00000000
  ActiveService = "cdralw"

o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW\0000]
  Service = "cdralw"
  Legacy = 0x00000001
  ConfigFlags = 0x00000000
  Class = "LegacyDriver"
  ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  DeviceDesc = "cdralw"

o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW]
  NextInstance = 0x00000001

o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdralw\Security]
  Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdralw]
  Type = 0x00000001
  Start = 0x00000002
  ErrorControl = 0x00000000
  ImagePath = "%System%\Drivers\nvmini.sys"
  DisplayName = "NVIDIA Compatible Windows Miniport Driver"
  Tag = 0x00000007
  Group = "Pointer Port"

Other details

The following Host Name was requested from a host database:
o ys

The following Internet Connection was established:

Server Name: .host
Server Port: 80
Connect as User: .host
Connection Password: .host

Heuristically identified capability of spreading across the following weakly restricted network shares:

The network replication uses a dictionary attack by probing credentials from the following list:
