Aliases: pe_corelink.a, w32.almanahe.b!inf, w32/alman-a
Variants: Win32/Almanahe.A, W32/Alman-A, Win32/Almanahe, W32/Almanahe.a, Virus.Win32.Alman.a

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: North and South America, Europe
Removal: Hard
Platform: W32
Discovered: 13 Apr 2007
Damage: Medium

Characteristics: An infection caused by this malware results in the presence of various unwanted files and unnecessary Windows Registry keys.

More details about W32.Almanahe.A

The W32.Almanahe.A application allegedly causes a bloating of file sizes for executable files which are primarily targeted by this malware. It also accesses network connections and network shares. The execution of the W32.Almanahe.A infection creates the linkinfo.dll file in the Windows directory. The RioDrv.sys and DKIS6.sys files are likewise generated under the Drivers subfolder in the Windows directory. The DLL file is used by the W32.Almanahe.A malware to intercept Application Programming Interface calls made to other programs. This may result in the failure of other applications to launch. The SYS files on the other hand are loaded into the kernel memory of the computer system by the malware. When these files have been successfully loaded into memory they are deleted or hidden by the malware. The W32.Almanahe.A program may also use the contents of the system memory to restore infected hosts and execute them. Programs may randomly and inexplicable crash when this routine is run.

This malware infects all types of EXE files regardless whether they are stored in fixed, removable, or remote drives. This means that the W32.Almanahe.A malware can travel across networks. By design, the malware does not modify executable files stored in the QQ, Windows, Winnt, and Local Settings\ Temp directory folder locations. Administrator accounts with weak password protection are most vulnerable to this malware. It may use this Administrator account to install the Ins.exe file and execute it in the local system as a service. The W32.Almanahe.A program is likewise capable of downloading additional files from the Internet as well as illegally terminating running processes and programs. Its rootkit capability allows it to prevent applications from detecting changes it has made to the Windows Registry keys.