Win32.Alman.B Submission Summary

The document summarizes the analysis of the Win32.Alman.B malware. It identifies files, processes, and registry keys created by the malware. The malware replicates across networks, downloads other files from the internet, and contains rootkit technology to evade detection. It establishes an internet connection and requests a host name from a database.

Uploaded by

concotrang2009
Copyright
© Attribution Non-Commercial (BY-NC)

Win32.Alman.B Submission Summary:

Submission details:
o Submission received: 9 April 2009, 19:38:14
o Processing time: 5 min 42 sec
o Submitted sample:
  File MD5: 0x144D9F896C977B5E78234E07A29C2C76
  File SHA-1: 0xC4FF9731D517566874CDA045EFC4A421D476F820
  Filesize: 221,696 bytes
  Alias: Win32.Alman.B [PCTools], W32.Almanahe.B!inf [Symantec], Virus.Win32.Alman.b [Kaspersky Lab], W32/Almanahe.c [McAfee], PE_CORELINK.C-1 [Trend Micro], W32/Alman-C [Sophos], Virus:Win32/Almanahe.B [Microsoft], Virus.Win32.Agent.SWR [Ikarus], Win32/Alman.C [AhnLab]

Summary of the findings (Severity Level / What's been found):
o Replication across networks by exploiting weakly restricted shares (common for the Randex family of worms).
o Downloads/requests other files from the Internet.
o Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk were identified in the system:

Security Risk: Trojan.Almanahe
Description: Trojan.Almanahe may be installed on a system when users unknowingly visit malicious websites. It uses rootkit technology to evade scanners and contacts a remote server from which it downloads and installs an updated copy of itself.

Attention! The following threat categories were identified:

Threat Category / Description:
o A network-aware worm that attempts to replicate across the existing network(s)
o A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body
o A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system (# / Filename(s) / File Hash / File Size / Alias):

1. %Windir%\linkinfo.dll
   MD5: 0x08B1547672A359972E7038834AB18C9F
   SHA-1: 0xBAAD24272B5B13DC105112AEC20451508B86183F
   Size: 53,248 bytes
   Alias: Trojan.Almanahe [PCTools], W32.Almanahe.B!inf [Symantec], Virus.Win32.Agent.bu [Kaspersky Lab], W32/Almanahe.dll [McAfee], PE_CORELINK.C-O [Trend Micro], W32/Alman-E [Sophos], Trojan:Win32/Almanahe.B.dll [Microsoft], TrojanDropper.Agent [Ikarus], WinTrojan/Agent.53248.GU [AhnLab]

2. %System%\drivers\cdralw.sys
   MD5: 0xAA20CCA9BF2BF1EB5AE2F67E5454F77E
   SHA-1: 0x555F608173908987D6F48390E4619C0261EE1849
   Size: 15,872 bytes
   Alias: Trojan.Almanahe [PCTools], Hacktool.Rootkit [Symantec], Virus.Win32.Alman.b [Kaspersky Lab], W32/Almanahe.sys.gen [McAfee], Troj/Rootkit-BZ [Sophos], VirTool:WinNT/Almanahe.gen!A [Microsoft], Virus.Win32.Alman [Ikarus], WinTrojan/Rootkit.15872.C [AhnLab]

3. [file and pathname of the sample #1]
   MD5: 0x144D9F896C977B5E78234E07A29C2C76
   SHA-1: 0xC4FF9731D517566874CDA045EFC4A421D476F820
   Size: 221,696 bytes
   Alias: Win32.Alman.B [PCTools], W32.Almanahe.B!inf [Symantec], Virus.Win32.Alman.b [Kaspersky Lab], W32/Almanahe.c [McAfee], PE_CORELINK.C-1 [Trend Micro], W32/Alman-C [Sophos], Virus:Win32/Almanahe.B [Microsoft], Virus.Win32.Agent.SWR [Ikarus], Win32/Alman.C [AhnLab]

Notes:
o %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was deleted:
o %System%\linkinfo.dll

Memory Modifications

There was a new process created in the system:

Process Name: [filename of the sample #1]
Process Filename: [file and pathname of the sample #1]
Main Module Size: 331,776 bytes

The following modules were loaded into the address space of other process(es):

o Module Name: linkinfo.dll
  Module Filename: %Windir%\linkinfo.dll
  Address Space Details:
    Process name: [filename of the sample #1]
    Process filename: [file and pathname of the sample #1]
    Address space: 0x890000 - 0x89D000

o Module Name: linkinfo.dll
  Module Filename: %System%\linkinfo.dll
  Address Space Details:
    Process name: [filename of the sample #1]
    Process filename: [file and pathname of the sample #1]
    Address space: 0x76980000 - 0x76988000

Registry Modifications

The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdralw
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdralw\Security

The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000\Control]
  *NewlyCreated* = 0x00000000
  ActiveService = "cdralw"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW\0000]
  Service = "cdralw"
  Legacy = 0x00000001
  ConfigFlags = 0x00000000
  Class = "LegacyDriver"
  ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  DeviceDesc = "cdralw"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDRALW]
  NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW\0000\Control]
  *NewlyCreated* = 0x00000000
  ActiveService = "cdralw"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW\0000]
  Service = "cdralw"
  Legacy = 0x00000001
  ConfigFlags = 0x00000000
  Class = "LegacyDriver"
  ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  DeviceDesc = "cdralw"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDRALW]
  NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdralw\Security]
  Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdralw]
  Type = 0x00000001
  Start = 0x00000002
  ErrorControl = 0x00000000
  ImagePath = "%System%\Drivers\nvmini.sys"
  DisplayName = "NVIDIA Compatible Windows Miniport Driver"
  Tag = 0x00000007
  Group = "Pointer Port"

Other details

The following Host Name was requested from a host database:
o ys

The following Internet Connection was established:

Server Name: .host
Server Port: 80
Connect as User: .host
Connection Password: .host

Heuristically identified capability of spreading across the following weakly restricted network shares:

The network replication uses a dictionary attack by probing credentials from the following list:
