W32/Almanahe.c

Overview -

W32/Almanahe.a is a parasitic worm that infects Win32 executable files (*.exe) that can also download and execute additional malware.

Aliases

• pe_corelink.a (TrendMicro)

• w32.almanahe.b!inf (Symantec)

• w32/alman-a (Sophos)

Characteristics

It also attempts to access network shares using the following passwords as "Administrator" user:

• zxcv
• qazwsx
• qaz
• qwer
• !@#$%^&*()
• !@#$%^&*(
• !@#$%^&*
• !@#$%^&
• !@#$%^
• !@#$%
• asdfgh
• asdf
• !@#$
• 654321
• 123456
• 12345
• 1234
• 123
• 1111
• admin

The virus contains a list of hardcoded of filename(s) that are excluded from infection:

• wooolcfg.exe
• woool.exe
• ztconfig.exe
• patchupdate.exe
• trojankiller.exe
• xy2player.exe
• flyff.exe
• xy2.exe
• .exe
• au_unins_web.exe
• cabal.exe
• cabalmain9x.exe
• cabalmain.exe
• meteor.exe
• patcher.exe
• mjonline.exe
• config.exe
• zuonline.exe
• userpic.exe
• main.exe
• dk2.exe
• autoupdate.exe
• dbfsupdate.exe
• asktao.exe
• sealspeed.exe
• xlqy2.exe
• game.exe
• wb-service.exe
• nbt-dragonraja2006.exe
• dragonraja.exe
• mhclient-connect.exe
• hs.exe
• mts.exe
• gc.exe
• zfs.exe
• neuz.exe
• maplestory.exe
• nsstarter.exe
• nmcosrv.exe
• ca.exe
• nmservice.exe
• kartrider.exe
• audition.exe
• zhengtu.exe

Symptoms

Symptoms -

• Presence of the files and registry keys mentioned.
• Increase in file size in existing executable files.
• Unexpected network connections to the mentioned site(s).
• Unexpected access to network shared folders.

Method of Infection

Method of Infection -

W32/Almanahe.a is a parasitic worm that propagates by infecting Win32 executable files (*.exe) on local drives and network shares.