Monday, June 4, 2007

W32/Almanahe.c

Overview

W32/Almanahe.a is a parasitic worm that infects Win32 executable files (*.exe); it can also download and execute additional malware.

Aliases

  • pe_corelink.a (TrendMicro)
  • w32.almanahe.b!inf (Symantec)
  • w32/alman-a (Sophos)

Characteristics

The worm also attempts to log on to network shares as the "Administrator" user, trying each of the following passwords:
  • zxcv
  • qazwsx
  • qaz
  • qwer
  • !@#$%^&*()
  • !@#$%^&*(
  • !@#$%^&*
  • !@#$%^&
  • !@#$%^
  • !@#$%
  • asdfgh
  • asdf
  • !@#$
  • 654321
  • 123456
  • 12345
  • 1234
  • 123
  • 1111
  • admin
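The share-logon behaviour described above leaves a recognisable trace on the target: a burst of failed network logons for "Administrator" from one source, sometimes followed by a success. The following detection script is an added example and is not part of the original write-up; it assumes a constructed pipe-delimited export of Windows Security log events (failed logon 4625, successful logon 4624, logon type 3 = network) and flags sources that fit that pattern.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Windows Security log events (not real logs):
# timestamp | EventID | TargetUserName | LogonType | IpAddress
SAMPLE_EVENTS = """\
2007-06-04 10:00:01|4625|Administrator|3|10.0.0.23
2007-06-04 10:00:01|4625|Administrator|3|10.0.0.23
2007-06-04 10:00:02|4625|Administrator|3|10.0.0.23
2007-06-04 10:00:02|4625|Administrator|3|10.0.0.23
2007-06-04 10:00:03|4625|Administrator|3|10.0.0.23
2007-06-04 10:00:04|4624|Administrator|3|10.0.0.23
2007-06-04 10:05:00|4625|jsmith|2|-
2007-06-04 11:00:00|4625|Administrator|3|10.0.0.77
"""

def parse_events(text):
    """Parse the constructed export into (timestamp, event_id, user, logon_type, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ltype, ip = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, int(ltype), ip))
    return events

def find_admin_share_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: (failed_count, followed_by_success)} for every source that
    produced >= threshold failed network logons (type 3) as Administrator within
    `window`, and note whether a later network logon from that source succeeded."""
    recent = defaultdict(deque)   # per-source sliding window of failure timestamps
    hits = {}
    # Stable sort on timestamp only, so same-second events keep their logged order.
    for ts, eid, user, ltype, ip in sorted(events, key=lambda e: e[0]):
        if user.lower() != "administrator" or ltype != 3:
            continue
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hits[ip] = (len(q), False)
        elif eid == 4624 and ip in hits:      # brute force followed by a successful logon
            hits[ip] = (hits[ip][0], True)
    return hits
```

A source that is flagged with `followed_by_success` set is the one to treat as a likely compromised host rather than a noisy client.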

The virus contains a hardcoded list of filenames that are excluded from infection:

  • wooolcfg.exe
  • woool.exe
  • ztconfig.exe
  • patchupdate.exe
  • trojankiller.exe
  • xy2player.exe
  • flyff.exe
  • xy2.exe
  • .exe
  • au_unins_web.exe
  • cabal.exe
  • cabalmain9x.exe
  • cabalmain.exe
  • meteor.exe
  • patcher.exe
  • mjonline.exe
  • config.exe
  • zuonline.exe
  • userpic.exe
  • main.exe
  • dk2.exe
  • autoupdate.exe
  • dbfsupdate.exe
  • asktao.exe
  • sealspeed.exe
  • xlqy2.exe
  • game.exe
  • wb-service.exe
  • nbt-dragonraja2006.exe
  • dragonraja.exe
  • mhclient-connect.exe
  • hs.exe
  • mts.exe
  • gc.exe
  • zfs.exe
  • neuz.exe
  • maplestory.exe
  • nsstarter.exe
  • nmcosrv.exe
  • ca.exe
  • nmservice.exe
  • kartrider.exe
  • audition.exe
  • zhengtu.exe

Symptoms

  • Presence of the files and registry keys mentioned.
  • Increase in file size in existing executable files.
  • Unexpected network connections to the mentioned site(s).
  • Unexpected access to network shared folders.

Method of Infection

W32/Almanahe.a is a parasitic worm that propagates by infecting Win32 executable files (*.exe) on local drives and network shares.
