Threat Encyclopedia

Installation
When executed, the virus drops the following file into the %windir% folder:

linkinfo.dll (53248 B)

The following files are dropped into the %system%\drivers folder:

cdralw.sys (15872 B)

IsDrv122.sys (15872 B)

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable%]
"DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
"ImagePath" = "%system%\drivers\%variable%.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%variable%]
"NextInstance" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%variable%\0000]
"Service" = "%variable%"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "%variable%"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%variable%\0000\Control]
"NewlyCreated" = 0
"ActiveService" = "%variable%"


The %variable% is one of the following strings:

nvmini

cdralw
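The service and legacy-device keys listed above are the most durable host artefacts of this infection, so a triage check over an exported registry dump is a natural first step. The following Python is an added example, not ESET's tooling: it parses the same [KEY] / "name" = value layout used in this entry (a constructed sample is embedded; it is not a real export) and reports Services entries whose name is one of the %variable% strings or whose DisplayName is the fake NVIDIA string, plus Enum\Root\LEGACY_* entries that point at those services.

```python
import re

# Constructed sample in the same [KEY] / "name" = value layout as the entry
# above. The nvmini keys mirror the description; Tcpip is a benign control
# entry that must not be flagged.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvmini]
"DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
"ImagePath" = "%system%\drivers\nvmini.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"DisplayName" = "TCP/IP Protocol Driver"
"ImagePath" = "%system%\drivers\tcpip.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVMINI]
"NextInstance" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVMINI\0000]
"Service" = "nvmini"
"Legacy" = 1
"Class" = "LegacyDriver"
"""

SERVICE_NAMES = {"nvmini", "cdralw"}          # the %variable% strings from the entry
DISPLAY_NAME = "NVIDIA Compatible Windows Miniport Driver"
SERVICES_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
LEGACY_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"?([^"]*)"?$')


def parse_reg(text):
    """Parse the [key] / "name" = value layout into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def triage(text):
    """Return service and legacy-device entries matching the description."""
    keys = parse_reg(text)
    services, legacy = [], []
    for key, values in keys.items():
        upper = key.upper()
        if upper.startswith(SERVICES_ROOT.upper()):
            name = key[len(SERVICES_ROOT):]
            if "\\" in name:          # skip subkeys such as ...\Parameters
                continue
            reasons = []
            if name.lower() in SERVICE_NAMES:
                reasons.append("service name")
            if values.get("DisplayName") == DISPLAY_NAME:
                reasons.append("display name")
            if reasons:
                services.append((name, values.get("ImagePath", ""), reasons))
        elif upper.startswith(LEGACY_ROOT.upper()):
            svc = values.get("Service", "")
            if svc.lower() in SERVICE_NAMES:
                legacy.append((key, svc))
    return {"services": services, "legacy": legacy}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REG).items():
        for hit in hits:
            print(kind, hit)
```

The DisplayName match is kept separate from the name match because a legitimate NVIDIA miniport service would not use either of the two %variable% names; a hit on both reasons together is the strong signal, a hit on the display name alone deserves a look at the ImagePath.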


Executable files infection
Win32/Alman.NAD is a polymorphic file infector. The virus infects executable files. The virus searches local drives for files with the following file extension:

.exe

It avoids files which contain any of the following strings in their path:

LOCAL SETTINGS\TEMP\

\QQ

\WINDOWS\

\WINNT\

It avoids files with the following filenames:

asktao.exe
au_unins_web.exe
audition.exe
autoupdate.exe
ca.exe
cabal.exe
cabalmain.exe
cabalmain9x.exe
config.exe
dbfsupdate.exe
dk2.exe
dragonraja.exe
flyff.exe
game.exe
gc.exe
hs.exe
kartrider.exe
main.exe
maplestory.exe
meteor.exe
mhclient-connect.exe
mjonline.exe
mts.exe
nbt-dragonraja2006.exe
neuz.exe
nmcosrv.exe
nmservice.exe
nsstarter.exe
patcher.exe
patchupdate.exe
sealspeed.exe
trojankiller.exe
userpic.exe
wb-service.exe
woool.exe
wooolcfg.exe
xlqy2.exe
xy2.exe
xy2player.exe
zfs.exe
ztconfig.exe
zuonline.exe
launcher.exe
repair.exe
wow.exe
zhengtu.exe
/0xB4/0xF3/0xBB/0xB0/0xCE/0xF7/0xD3/0xCE/.exe

Executables are infected by appending the virus code to the last section. The host file is modified so that the virus code runs before the original code. The size of the inserted code is 36352 B.
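An appending infector of this kind leaves a structural trace that can be checked without a signature: the entry point ends up inside the last section, that section must be executable, and it grows by at least the size quoted above. The following Python is an added example, not ESET's detection logic, and the 36352-byte threshold is the only value taken from the entry. It builds two constructed minimal PE images (a clean layout and one shaped like an appended infection), parses the section table, and applies the heuristic.

```python
import struct

VIRUS_BODY_SIZE = 36352            # size of the appended code, from the entry
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag


def build_pe(entry_rva, sections):
    """Constructed minimal PE: sections = [(name, rva, size, characteristics)]."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table = b""
    for name, rva, size, ch in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, rva, size, 0, 0, 0, 0, 0, ch)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (entry_rva, [section dicts]) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, *_rest, ch = struct.unpack_from("<8sIIIIIIHHI", data, off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "va": va, "vsize": vsize, "raw_size": raw, "characteristics": ch})
    return entry, sections


def looks_appended_infection(data):
    """Heuristic: entry point in an executable last section of >= VIRUS_BODY_SIZE."""
    entry, sections = parse_sections(data)
    if not sections:
        return False
    last = sections[-1]
    span = max(last["vsize"], last["raw_size"])
    entry_in_last = last["va"] <= entry < last["va"] + span
    executable = bool(last["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
    return entry_in_last and executable and last["raw_size"] >= VIRUS_BODY_SIZE


# Constructed samples: a normal layout and an infected-looking one.
CLEAN = build_pe(0x1000, [(".text", 0x1000, 0x2000, 0x60000020),
                          (".data", 0x3000, 0x1000, 0xC0000040)])
SUSPECT = build_pe(0x3100, [(".text", 0x1000, 0x2000, 0x60000020),
                            (".data", 0x3000, 0x1000 + VIRUS_BODY_SIZE, 0xE0000040)])

if __name__ == "__main__":
    print("clean:", looks_appended_infection(CLEAN))
    print("suspect:", looks_appended_infection(SUSPECT))
```

This is a triage heuristic, not a verdict: packers and self-extracting stubs also place the entry point in a late executable section, so a hit should route the file to a proper scanner rather than straight to quarantine, and a miss says nothing about infectors that use other techniques.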


Spreading via shared folders
The virus searches for network drives. It tries to copy itself into the root folder of the C:\ drive on a remote machine using the following filename:

setup.exe

The file is then remotely executed. The following usernames are used:

Administrator

The following passwords are used:

admin
1
111
123
aaa
12345
123456789
654321
!@#$
asdf
asdfgh
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
qwer
admin123
love
test123
owner
mypass123
root
letmein
qwerty
abc123
password
monkey
password1
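Because the worm works through a fixed list against the Administrator account, its spreading shows up on a target as a burst of failed logons for that one account from a single source, often followed by a success. The following Python is an added example, not ESET's detection logic: it runs a sliding-window guessing detector over a constructed key=value log (a simplified format, not the Windows event log) and reports each source that crossed the failure threshold and whether it then logged on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simple key=value layout (not a real Windows event
# format). 10.0.0.5 cycles through guesses and then gets in; 10.0.0.9 is a
# user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T08:00:01 src=10.0.0.5 user=Administrator result=FAILURE
2024-03-01T08:00:02 src=10.0.0.5 user=Administrator result=FAILURE
2024-03-01T08:00:03 src=10.0.0.5 user=Administrator result=FAILURE
2024-03-01T08:00:04 src=10.0.0.5 user=Administrator result=FAILURE
2024-03-01T08:00:05 src=10.0.0.5 user=Administrator result=FAILURE
2024-03-01T08:00:06 src=10.0.0.5 user=Administrator result=FAILURE
2024-03-01T08:00:07 src=10.0.0.5 user=Administrator result=FAILURE
2024-03-01T08:00:08 src=10.0.0.5 user=Administrator result=SUCCESS
2024-03-01T08:05:00 src=10.0.0.9 user=Administrator result=FAILURE
2024-03-01T08:05:30 src=10.0.0.9 user=Administrator result=SUCCESS
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed ts."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_guessing(log_text, target_user="Administrator",
                    threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= threshold failed logons for target_user inside a
    sliding window, and record whether a success followed from that source."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(list)   # src -> timestamps of failures inside the window
    alerts = {}
    for e in events:
        if e["user"] != target_user:
            continue
        src = e["src"]
        if e["result"] == "FAILURE":
            q = recent[src]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # age out old failures
                q.pop(0)
            if src in alerts:
                alerts[src]["failures"] += 1
            elif len(q) >= threshold:
                alerts[src] = {"src": src, "first": q[0],
                               "failures": len(q), "succeeded_after": False}
        elif e["result"] == "SUCCESS":
            if src in alerts:
                alerts[src]["succeeded_after"] = True
            recent[src].clear()
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

A source whose alert ends with succeeded_after set is the one to act on first: it means a password from a list this short was good enough, which is the same finding an account-lockout policy or a non-trivial local Administrator password would have prevented.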


Other information
The following programs are terminated:

c0nime.exe
cmdbcs.exe
ctmontv.exe
explorer.exe
fuckjacks.exe
iexpl0re.exe
iexplore.exe
internat.exe
logo_1.exe
logo1_.exe
lsass.exe
lying.exe
msdccrt.exe
msvce32.exe
ncscv32.exe
nvscv32.exe
realschd.exe
rpcs.exe
run1132.exe
rundl132.exe
smss.exe
spo0lsv.exe
spoclsv.exe
ssopure.exe
svhost32.exe
svch0st.exe
sxs.exe
sysbmw.exe
sysload3.exe
tempicon.exe
upxdnd.exe
wdfmgr32.exe
wsvbs.exe

Then the virus deletes these files.

The virus may set the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Google]

The virus may turn off the computer. The virus can download and execute a file from the Internet. The virus contains a URL address.