W32/Almanahe.c

Type: Virus
SubType: Win32
Discovery Date: 06/03/2007
Length: Varies
Minimum DAT: 5046 (06/05/2007)
Updated DAT: 6380 (06/17/2011)
Minimum Engine: 5.1.00
Description Added: 06/03/2007
Description Modified: 06/03/2007 10:23 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Almanahe.c is a polymorphic parasitic worm that infects Win32 executable files (*.exe); it can also download and execute additional malware.

Upon execution, it drops the following file(s):

  • %Windir%\linkinfo.dll (W32/Almanahe.dll)
  • %Windir%\System32\drivers\nvmini.sys (W32/Almanahe.sys)
  • %Windir%\System32\drivers\IsDrv118.sys (W32/Almanahe.sys)
  • C:\boot.exe (W32/Almanahe)

(Where %Windir% is the Windows folder; e.g. C:\Windows. A legitimate copy of linkinfo.dll usually resides in %Windir%\system32\linkinfo.dll)

These files are hidden by the rootkit component (W32/Almanahe.sys). The .DLL file is then injected into the running Windows Explorer process (Explorer.exe), and the .SYS file is installed as a service, creating the following registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"ImagePath" = "system32\drivers\nvmini.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"DisplayName" = "nvmini"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"ImagePath" = "system32\drivers\nvmini.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"DisplayName" = "nvmini"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "nvmini"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "nvmini"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "nvmini"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "nvmini"

It can contact the following site(s) to notify the malware's owner, receive instructions, and download further malware:

  • kr.sb941.com
  • k.sb941.com
  • info.sb941.com
  • down.91tg.net

Other generic characteristics of the W32/Almanahe virus at:

Symptoms

  • Presence of the files and registry keys mentioned.
  • Increase in file size in existing executable files.
  • Unexpected network connections to the mentioned site(s).
  • Unexpected access to network shared folders.
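The dropped files, the RioDrvs/nvmini registry keys and the contact hosts listed under Characteristics, together with the Symptoms above, give a defender concrete indicators to sweep for. The following Python is an added example, not part of the original McAfee description: it checks a file listing, a regedit-style export and DNS log lines (all constructed samples, the DNS lines in an assumed format) against those indicators, and deliberately treats the legitimate %Windir%\system32\linkinfo.dll as clean.

```python
import re
# Indicators copied from the W32/Almanahe.c description above.
DROPPED_FILES = {r"%windir%\linkinfo.dll", r"%windir%\system32\drivers\nvmini.sys",
                 r"%windir%\system32\drivers\isdrv118.sys", r"c:\boot.exe"}
SERVICE_KEY_RE = re.compile(r"\\services\\riodrvs\b|\\legacy_riodrvs\b", re.I)
CONTACT_HOSTS = {"kr.sb941.com", "k.sb941.com", "info.sb941.com", "down.91tg.net"}

# Constructed sample inputs (not from the page): a file listing, a regedit-style
# export and DNS log lines in an assumed 'time client query: <name> <type>' form.
SAMPLE_FILES = [r"C:\Windows\system32\linkinfo.dll",  # legitimate copy, must not match
                r"C:\Windows\linkinfo.dll", r"C:\boot.exe", r"C:\Windows\notepad.exe"]
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs]
"ImagePath"="system32\\drivers\\nvmini.sys"
"DisplayName"="nvmini"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"DisplayName"="TCP/IP"
"""
SAMPLE_DNS = ["2007-06-03 10:23:11 192.0.2.15 query: down.91tg.net A",
              "2007-06-03 10:23:12 192.0.2.15 query: www.example.com A",
              "2007-06-03 10:23:13 192.0.2.16 query: cdn.kr.sb941.com. A"]

def normalize(path, windir=r"C:\Windows"):
    # Lower-case and fold the Windows folder back to %windir% for comparison.
    p = path.strip().lower()
    return "%windir%" + p[len(windir):] if p.startswith(windir.lower()) else p

def suspicious_files(listing, windir=r"C:\Windows"):
    """Paths that are exactly a dropped-file location; the legitimate
    linkinfo.dll under system32 is deliberately not a match."""
    return sorted(p for p in listing if normalize(p, windir) in DROPPED_FILES)

def suspicious_registry(reg_export):
    """Values under the RioDrvs/LEGACY_RIODRVS keys, or naming the nvmini driver."""
    hits, key = [], ""
    for line in map(str.strip, reg_export.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif "=" in line and (SERVICE_KEY_RE.search(key) or "nvmini" in line.lower()):
            hits.append(key + "\\" + line)
    return hits

def suspicious_dns(log_lines):
    """Queries for a listed contact host, or for any name beneath one."""
    hits = []
    for line in log_lines:
        m = re.search(r"query:\s+(\S+)", line)
        name = m.group(1).lower().rstrip(".") if m else ""
        if any(name == h or name.endswith("." + h) for h in CONTACT_HOSTS):
            hits.append(name)
    return hits
```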

Method of Infection

W32/Almanahe.c is a polymorphic parasitic worm that propagates by infecting Win32 executable files (*.exe) on local, removable drives and network shares.

Removal

VirusScan Users

Use the latest engine and DAT files for detection.

Because of the way this virus operates once a machine is successfully infected, read access to the DLL and SYS components of the virus may be denied (they are hidden by the rootkit driver).

VirusScan 11.x and VirusScan Enterprise 8.5 or newer can detect and remove these rootkit-protected components directly.

Older versions of VirusScan will not be able to detect these files in that case. If a machine is suspected to be infected, users of those versions can follow the procedure below:

  1. Reboot the system into Safe Mode (press the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
  2. Run a system scan using the specified engine/DATs.
  3. Clean the files flagged as infected.
  4. Restart the machine in normal mode.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • W32/Almanahe.a
  • W32/Almanahe.b
