Win32.Almanahe Virus

Virus characteristics:

W32/Almanahe.c is a polymorphic parasitic virus that infects Win32 executable files (*.exe); it can also download and execute other malware.

When the virus runs, it creates the following files:
%Windir%\linkinfo.dll (W32/Almanahe.dll)
%Windir%\System32\drivers\nvmini.sys (W32/Almanahe.sys)
%Windir%\System32\drivers\IsDrv118.sys (W32/Almanahe.sys)
C:\boot.exe (W32/Almanahe)
(%Windir% is the Windows system directory, commonly C:\Windows. A legitimate copy of linkinfo.dll is normally located at %Windir%\system32\linkinfo.dll.)

These files are hidden by the rootkit component (W32/Almanahe.sys). The .DLL file is injected into the running Windows Explorer process (Explorer.exe), the .SYS file is installed on the system as a service, and the following registry keys are created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"ImagePath" = "system32\drivers\nvmini.sys"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"DisplayName" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"ImagePath" = "system32\drivers\nvmini.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"DisplayName" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "nvmini"

The virus connects to the following sites to notify the virus author and to receive and download other malware:
kr.sb941.com
k.sb941.com
info.sb941.com
down.91tg.net

Signs of infection:

The files and registry keys listed above are present.
Executable files have grown in size.
Unexpected network connections to the sites listed above.
Unexpected access to shared network folders.

Method of infection:

W32/Almanahe.c is a polymorphic parasitic virus that spreads through infected Win32 executable files (*.exe), usually via removable devices or network shares.

Characteristics -

W32/Almanahe.c is a polymorphic parasitic worm that infects Win32 executable files (*.exe) and can also download and execute additional malware.

Upon execution, it drops the following file(s):

%Windir%\linkinfo.dll (W32/Almanahe.dll)
%Windir%\System32\drivers\nvmini.sys (W32/Almanahe.sys)
%Windir%\System32\drivers\IsDrv118.sys (W32/Almanahe.sys)
C:\boot.exe (W32/Almanahe)
(Where %Windir% is the Windows folder; e.g. C:\Windows. A legitimate copy of linkinfo.dll usually resides in %Windir%\system32\linkinfo.dll)

These files are hidden by the rootkit component (W32/Almanahe.sys). The .DLL file is injected into the running Windows Explorer process (Explorer.exe), the .SYS file is installed as a service, and the following registry key(s) are created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"ImagePath" = "system32\drivers\nvmini.sys"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"DisplayName" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"ImagePath" = "system32\drivers\nvmini.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"DisplayName" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "nvmini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "nvmini"

It can contact the following site(s) to notify the malware owner, receive instructions and download further malware:

kr.sb941.com
k.sb941.com
info.sb941.com
down.91tg.net

Method of Infection -

W32/Almanahe.c is a polymorphic parasitic worm that propagates by infecting Win32 executable files (*.exe) on local, removable drives and network shares.
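As an added example (not part of the original advisory), the following Python triage script matches the indicators listed above against a host's file listing, a .reg export of the Services key, and DNS query log lines. The SAMPLE_* inputs are constructed for this example; the script maps the Windows folder to %windir% before comparing, so the legitimate system32\linkinfo.dll is not flagged while the rogue copy in the Windows folder is.

```python
import re

# Indicators transcribed from the advisory above; the SAMPLE_* host data is constructed for this example.
DROPPED_FILES = {r"%windir%\linkinfo.dll", r"%windir%\system32\drivers\nvmini.sys",
                 r"%windir%\system32\drivers\isdrv118.sys", r"c:\boot.exe"}
C2_DOMAINS = {"kr.sb941.com", "k.sb941.com", "info.sb941.com", "down.91tg.net"}
SERVICE_KEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\RioDrvs\]", re.I)
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def scan_files(paths, windir=r"C:\Windows"):
    """Return observed paths that match a dropped file, after mapping the Windows folder to %windir%."""
    w = windir.lower().rstrip("\\")
    hits = []
    for path in paths:
        p = path.strip().lower().replace("/", "\\")
        if p.startswith(w + "\\"):
            p = "%windir%" + p[len(w):]
        if p in DROPPED_FILES:          # the legitimate system32\linkinfo.dll is not in the set
            hits.append(path)
    return hits

def scan_reg_export(text):
    """Parse a .reg export and return {(key, value_name): value} for RioDrvs service entries."""
    hits, key, in_riodrvs = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key, in_riodrvs = line.strip("[]"), bool(SERVICE_KEY.fullmatch(line))
        elif in_riodrvs and (m := REG_VALUE.match(line)):
            hits[(key, m.group(1))] = m.group(2).replace("\\\\", "\\")   # undo .reg backslash escaping
    return hits

def scan_dns_log(lines):
    """Return (line_no, domain) for every log line in which a token names a C2 host."""
    out = []
    for n, line in enumerate(lines, 1):
        for tok in line.lower().replace(",", " ").split():
            if tok.rstrip(".") in C2_DOMAINS:
                out.append((n, tok.rstrip(".")))
    return out

SAMPLE_FILES = [r"C:\Windows\linkinfo.dll", r"C:\Windows\system32\linkinfo.dll",
                r"C:\Windows\System32\drivers\nvmini.sys", r"C:\boot.exe", r"C:\Windows\notepad.exe"]
SAMPLE_REG = ('[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RioDrvs]\n'
              '"ImagePath"="system32\\\\drivers\\\\nvmini.sys"\n"DisplayName"="nvmini"\n'
              '[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Beep]\n"DisplayName"="Beep"\n')
SAMPLE_DNS = ["10:01:02 client 10.0.0.5 query A kr.sb941.com", "10:01:03 client 10.0.0.5 query A www.example.com",
              "10:02:10 client 10.0.0.7 query A down.91tg.net."]
```

On a live host the same functions can be fed the output of a directory listing, `reg export HKLM\SYSTEM\CurrentControlSet\Services` and the DNS server or resolver log; a hit on any of the three is worth a full scan, since the rootkit driver hides the dropped files from a normal listing.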
