W32/Almanahe.a

Type: Virus
SubType: Win32
Discovery Date: 04/16/2007
Length: Varies
Minimum DAT: 5010 (04/16/2007)
Updated DAT: 5041 (05/29/2007)
Minimum Engine: 5.1.00
Description Added: 04/16/2007
Description Modified: 04/17/2007 4:44 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Almanahe.a is a polymorphic parasitic worm that infects Win32 executable files (*.exe) and can also download and execute additional malware.

Upon execution, it drops the following file(s):

(Where %Windir% is the Windows folder; e.g. C:\Windows. A legitimate copy of linkinfo.dll usually resides in %Windir%\system32\linkinfo.dll)

These files are hidden by the rootkit component (W32/Almanahe.sys). The .DLL file is then injected into the running Windows Explorer process (Explorer.exe), and the .SYS file is installed as a service, creating the following registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"ImagePath" = "system32\DRIVERS\RioDrvs.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"DisplayName" = "RioDrvs Usb Driver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"ImagePath" = "system32\DRIVERS\RioDrvs.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"DisplayName" = "RioDrvs Usb Driver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "RioDrvs"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "RioDrvs"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "RioDrvs"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "RioDrvs"

It may spawn a hidden Internet Explorer (IExplorer.exe) process to facilitate internet communication in an attempt to bypass desktop firewalls.

It can contact the following site(s) to notify its owner, receive instructions and download further malware:

  • pic.imrw0rldwide.com
  • soft.imrw0rldwide.com
  • tj.imrw0rldwide.com

It also attempts to access network shares as the "Administrator" user using the following passwords:

  • zxcv
  • qazwsx
  • qaz
  • qwer
  • !@#$%^&*()
  • !@#$%^&*(
  • !@#$%^&*
  • !@#$%^&
  • !@#$%^
  • !@#$%
  • asdfgh
  • asdf
  • !@#$
  • 654321
  • 123456
  • 12345
  • 1234
  • 123
  • 1111
  • admin

The virus contains a hardcoded list of filename(s) that are excluded from infection:

  • wooolcfg.exe
  • woool.exe
  • ztconfig.exe
  • patchupdate.exe
  • trojankiller.exe
  • xy2player.exe
  • flyff.exe
  • xy2.exe
  • .exe
  • au_unins_web.exe
  • cabal.exe
  • cabalmain9x.exe
  • cabalmain.exe
  • meteor.exe
  • patcher.exe
  • mjonline.exe
  • config.exe
  • zuonline.exe
  • userpic.exe
  • main.exe
  • dk2.exe
  • autoupdate.exe
  • dbfsupdate.exe
  • asktao.exe
  • sealspeed.exe
  • xlqy2.exe
  • game.exe
  • wb-service.exe
  • nbt-dragonraja2006.exe
  • dragonraja.exe
  • mhclient-connect.exe
  • hs.exe
  • mts.exe
  • gc.exe
  • zfs.exe
  • neuz.exe
  • maplestory.exe
  • nsstarter.exe
  • nmcosrv.exe
  • ca.exe
  • nmservice.exe
  • kartrider.exe
  • audition.exe
  • zhengtu.exe


Symptoms

  • Presence of the files and registry keys mentioned.
  • Increase in file size in existing executable files.
  • Unexpected network connections to the mentioned site(s).
  • Unexpected access to network shared folders.
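An offline triage script for the symptoms above, added here as an example and not McAfee's own tooling: it parses a "reg export HKLM\SYSTEM" text dump for the RioDrvs service and LEGACY_RIODRVS enum keys listed under Characteristics (any ControlSet variant), and scans DNS query log lines for the three imrw0rldwide.com hosts. The .reg excerpt and log lines are constructed samples.

```python
"""Offline triage for the W32/Almanahe.a symptoms above: flags the RioDrvs
registry keys in a .reg export and the C2 hostnames in DNS query logs.
Added example, not McAfee tooling; the sample inputs are constructed."""
import re

# Matches every ControlSet variant the advisory lists (ControlSet001, CurrentControlSet, ...).
RIODRVS_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:Current)?ControlSet\d*\\"
    r"(?:Services\\RioDrvs|Enum\\Root\\LEGACY_RIODRVS)(?:\\|$)", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')          # "Name"="value" or "Name"=dword:...
C2_HOSTS = {"pic.imrw0rldwide.com", "soft.imrw0rldwide.com", "tj.imrw0rldwide.com"}

# Constructed excerpt of a .reg export from an infected host (backslashes are doubled, as in .reg).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs]
"ImagePath"="system32\\DRIVERS\\RioDrvs.sys"
"DisplayName"="RioDrvs Usb Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000]
"Service"="RioDrvs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001
"""
# Constructed DNS query log lines (client, record type, queried name).
SAMPLE_DNS_LOG = [
    "2007-04-16 10:02:11 client 10.0.0.12 query A pic.imrw0rldwide.com.",
    "2007-04-16 10:02:13 client 10.0.0.12 query A www.example.com.",
    "2007-04-16 10:03:40 client 10.0.0.31 query A tj.imrw0rldwide.com.",
]

def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: value}}; unescapes \\\\ in string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = m.group(2).strip('"').replace("\\\\", "\\")
    return keys

def find_riodrvs_keys(reg_export: str) -> dict[str, dict[str, str]]:
    """Return the RioDrvs service and LEGACY_RIODRVS enum keys present in the export."""
    return {k: v for k, v in parse_reg_export(reg_export).items() if RIODRVS_KEY_RE.match(k)}

def find_c2_lookups(log_lines: list[str]) -> list[str]:
    """Return log lines whose queried name (trailing dot ignored) is one of the C2 hosts."""
    return [ln for ln in log_lines
            if any(tok.lower().rstrip(".") in C2_HOSTS for tok in ln.split())]
```

Matching on whole hostname tokens rather than substrings avoids flagging unrelated names that merely contain the domain.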


Method of Infection

W32/Almanahe.a is a parasitic worm that propagates by infecting Win32 executable files (*.exe) on local drives and network shares.

Removal

VirusScan Users

Use the latest engine and DAT files for detection.

Because of the way this virus operates once a machine is successfully infected, read access to the DLL and SYS components of the virus may be denied.

VirusScan 11.x and VirusScan Enterprise 8.5 or newer can detect and remove these rootkit-protected components directly.

Older versions of VirusScan will not be able to detect these files in this case. If a machine is suspected to be infected, users of those versions can follow the procedure below:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
  2. Run a system scan using the specified engine/DATs.
  3. Clean files flagged as infected.
  4. Restart the machine in default mode.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).


Variants

N/A


Aliases

  • pe_corelink.a (TrendMicro)
  • w32.almanahe.b!inf (Symantec)
  • w32/alman-a (Sophos)
