W32/Alvabrig.a!inf

Type: Virus
SubType: Win32
Discovery Date: 10/15/2007
Minimum DAT: 5141 (10/15/2007)
Updated DAT: 5193 (12/26/2007)
Minimum Engine: 5.1.00
Description Added: 10/15/2007
Description Modified: 10/16/2007 1:22 PM (PT)
Risk Assessment
  • Corporate User: Low
  • Home User: Low

Overview

W32/Alvabrig is a virus that has been observed accompanying password-stealing trojans and Generic Rootkit.A. Its main function is to deny network access to various security-related websites. To achieve that it infects the system files ws2_32.dll and wininet.dll after disabling Windows File Protection.

Characteristics

The main infector is generally named "svchost.exe" and is ~10KB in length.

File Changes

  • Infects
    • %sysdir%\ws2_32.dll
    • %sysdir%\wininet.dll
    • %sysdir%\dllcache\ws2_32.dll
    • %sysdir%\dllcache\wininet.dll (the infected copy is added to the dllcache folder if not already present)
  • Creates
    • %Temp%\me.log: this binary temporarily disables Windows File Protection by injecting a thread into winlogon and closing the relevant locking handles.
    • %sysdir%\oldwn.tmp, %sysdir%\winrc.tmp (backup copies of the original wininet.dll)
    • %sysdir%\oldws.tmp, %sysdir%\wsrec.tmp (backup copies of the original ws2_32.dll)

It blocks access to the following sites by hooking the InternetConnectA API via the export table of the infected wininet.dll.

  • avp.com
  • kaspersky
  • eset.com
  • nod32.com
  • eset.casablanca.cz
  • casablanca.cz
  • symantec.com
  • norton.com
  • mcafee.com
  • metalhead2005.info
  • my-etrust.com
  • nai.com
  • pla-update.nai.com
  • networkassociates.com
  • secure.nai.com
  • sophos.com
  • trendmicro.com
  • viruslist.com
  • www.ca.com
  • microsoft.com
  • my-etrust.com
  • networkassociates.com
  • sophos.com
  • trendmicro.com
  • viruslist.com
  • d66.myleftnut.info
  • f-secure.com

It additionally hooks the connect function in ws2_32.dll, which acts as a makeshift firewall and denies connections to the following IP address.

  • 216.143.70.75 - this IP address belongs to the McAfee update site.
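One on-disk check for the export-table hook described above, added here as an example and not part of this McAfee description: parse the DLL's PE export directory and flag any named export whose entry RVA resolves outside the code section. The build_sample_pe helper constructs a small synthetic PE32 for the demonstration; its section names (.text, .edata, .hook) and RVAs are assumptions, not values taken from an infected file.

```python
import struct

def parse_pe(data):  # -> section table [(name, rva, size, raw offset)], export directory (rva, size)
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    pe32 = struct.unpack_from("<H", data, pe + 24)[0] == 0x10B  # optional-header magic: PE32 vs PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, pe + 24 + (96 if pe32 else 112))  # data directory 0
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, max(vsize, rsize), raw))
    return secs, exp_rva, exp_size

def section_of(secs, rva):  # -> (section name, file offset), or (None, None) if no section maps the RVA
    for name, va, size, raw in secs:
        if va <= rva < va + size:
            return name, raw + rva - va
    return None, None

def suspicious_exports(data, code_sections=(".text",)):  # -> [(export name, target rva, section)]
    secs, exp_rva, exp_size = parse_pe(data)
    if not exp_rva: return []
    nnames, funcs, names, ords = struct.unpack_from("<IIII", data, section_of(secs, exp_rva)[1] + 24)
    funcs, names, ords = (section_of(secs, r)[1] for r in (funcs, names, ords))
    found = []
    for i in range(nnames):
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]  # index into the function table
        target = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
        noff = section_of(secs, struct.unpack_from("<I", data, names + 4 * i)[0])[1]
        name = data[noff:data.index(b"\0", noff)].decode()
        if exp_rva <= target < exp_rva + exp_size:
            continue  # forwarder: RVA points at a string inside the export directory, legitimate
        if (sec := section_of(secs, target)[0]) not in code_sections:
            found.append((name, target, sec))  # entry point in a non-code section (or in no section at all)
    return found

def build_sample_pe(exports):  # constructed PE32 test image, not a real DLL: .text @0x1000, .edata @0x2000, .hook @0x3000
    n, off = len(exports), 0x2000 + 40  # export tables follow the 40-byte export directory
    strs = [name.encode() + b"\0" for name, _ in exports]
    name_rvas = [off + 10 * n + sum(map(len, strs[:i])) for i in range(n)]
    edata = struct.pack("<16xIIIIII", 1, n, n, off, off + 4 * n, off + 8 * n)  # Base, counts, table RVAs
    edata += b"".join(struct.pack("<I", r) for _, r in exports) + b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i in range(n)) + b"".join(strs)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x2102)
    hdr += struct.pack("<H", 0x10B).ljust(96, b"\0") + struct.pack("<II", 0x2000, len(edata)).ljust(128, b"\0")
    for name, va, raw in ((b".text", 0x1000, 0x400), (b".edata", 0x2000, 0x600), (b".hook", 0x3000, 0x800)):
        hdr += struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw, 0, 0, 0, 0, 0)
    img = bytearray(0xA00); img[:len(hdr)] = hdr; img[0x600:0x600 + len(edata)] = edata
    return bytes(img)
```

Run suspicious_exports() on the bytes of a copy of wininet.dll or ws2_32.dll; a hit is a lead to compare against a known-good copy rather than proof of infection, since packers and some legitimate builds also place exports outside .text, and this check sees nothing of hooks applied only in memory.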

Symptoms

  • Presence of the files listed above on disk
  • Network access denied to the sites and IP address listed above

Method of Infection

This virus has been observed being downloaded by malicious web pages serving exploits, and accompanying Generic Rootkit.A.

Removal

AVERT recommends always using the latest DATs and engine; this threat will be cleaned with that combination.

Variants

N/A