W32/Almanahe!dldr
- Type: Trojan
- SubType: Downloader
- Discovery Date: 11/20/2007
- Length
- Minimum DAT: N/A (05/07/2008)
- Updated DAT: 5290 (05/07/2008)
- Minimum Engine: 5.1.00
- Description Added: 11/20/2007
- Description Modified: 11/20/2007 7:56 AM (PT)
Characteristics
When started, the malware immediately drops its rootkit component into the drivers folder (note that McAfee already detects this rootkit as W32/Almanahe.sys):
%%SYSTEM FOLDER%%\drivers\uuid.sys
and then loads it. Once the rootkit component has been loaded, W32/Almanahe!dldr opens the following registry key:
HKEY_CLASSES_ROOT\htmlfile\shell\open\command
and reads its default value to find the application that will later be used to download its payload. The malware's next step is to spawn that program (Internet Explorer 6 on the machine used for analysis) and inject malicious code into it; the injected code performs the actual download.

W32/Almanahe!dldr then transfers control to the injected code and waits for it to download the additional payload. The payload is stored in the temporary folder as update.exe (note that this file is already detected by McAfee as W32/Almanahe.dr).
As soon as the download completes, the malware executes update.exe and then deletes itself.
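The sequence above (driver dropped into the drivers folder, htmlfile handler looked up, handler process spawned and used for the download, update.exe run from the temporary folder) leaves a defender with two file indicators and one process whose outbound traffic is worth watching. The following Python is an added example, not part of the McAfee description: it checks for the two files under caller-supplied folders and extracts the executable from an htmlfile shell\open\command value so an analyst knows which process the downloader would have spawned. The handler value shown is constructed; the folder arguments are assumed to be supplied by the caller.

```python
"""Indicator checks for the W32/Almanahe!dldr behaviour described above.

Added example, not McAfee/AVERT code. Folders are passed in as parameters so
the checks can run against a live system or an offline copy of one.
"""
from pathlib import Path

# Constructed stand-in for the HKCR\htmlfile\shell\open\command default value
# as it would look on a machine where Internet Explorer is the HTML handler.
CONSTRUCTED_HANDLER = r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome'


def find_file_indicators(system_folder, temp_folder):
    """Return the indicator paths from the description that exist on disk.

    system_folder: the %%SYSTEM FOLDER%% (for example C:\\Windows\\System32)
    temp_folder:   the temporary folder where update.exe would be staged
    """
    candidates = [
        Path(system_folder) / "drivers" / "uuid.sys",  # dropped rootkit driver
        Path(temp_folder) / "update.exe",              # downloaded payload
    ]
    return [str(p) for p in candidates if p.is_file()]


def spawned_program_from_handler(command_value):
    """Extract the executable from an htmlfile shell\\open\\command value.

    The downloader reads this value to choose the process it spawns and
    injects into, so this is the process whose network activity a defender
    should look at. Handles a quoted path followed by arguments as well as
    an unquoted path.
    """
    value = command_value.strip()
    if not value:
        return ""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0]


def read_htmlfile_handler():
    """Read the live htmlfile handler default value; returns None off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                        r"htmlfile\shell\open\command") as key:
        return winreg.QueryValue(key, None)


if __name__ == "__main__":
    # On a live Windows host the real handler is used; elsewhere the
    # constructed value demonstrates the parsing.
    handler = read_htmlfile_handler() or CONSTRUCTED_HANDLER
    print("Process to watch:", spawned_program_from_handler(handler))
    import os
    import tempfile
    system_folder = os.environ.get("SystemRoot", "") + os.sep + "System32"
    for hit in find_file_indicators(system_folder, tempfile.gettempdir()):
        print("Indicator present:", hit)
```

Presence of either file is only a symptom; the page states that the current DAT and engine combination cleans the threat, so the script is a triage aid rather than a removal tool.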
Symptoms
- unusual network activity during the payload download
- presence of the uuid.sys file in the drivers folder
Method of Infection
Executing the malware's executable will initiate the malicious behaviour.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A
Overview
W32/Almanahe!dldr is a downloader trojan related to the W32/Almanahe file infector family.