Trojan:Win32/Alvabrig.A is a trojan that modifies certain Windows files. It may also drop other malware, steal sensitive data and download arbitrary files from certain Web sites. In some instances it also disables System Restore.
Payload
Modifies Windows files
Trojan:Win32/Alvabrig.A modifies the following Windows files:
It modifies these files by changing certain functions within the files. More details are available in the descriptions for each of the modified files. These modified files may also be detected as Virus:Win32/Alvabrig.gen!D.
To complete its infection of these files, it restarts the computer.
Steals sensitive information
Trojan:Win32/Alvabrig.A attempts to steal usernames and passwords for Internet banking web sites.
Modifies computer settings
In some instances, Trojan:Win32/Alvabrig.A disables System Restore by creating the following registry entry:
Adds value: "DisableSR"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Drops other malware
Trojan:Win32/Alvabrig.A drops the file "conlf1.ini" in the Windows Temporary Files folder. This file is detected as Trojan:Win32/Duppatch.A.
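A read-only host check for the two local indicators described above (the "DisableSR" registry value and the dropped "conlf1.ini"), added here as an example and not part of the original analysis. It assumes the "Windows Temporary Files folder" may be either the machine temp directory or a per-user temp directory under the Users folder, and checks both.

```powershell
# Added triage example (not from the original write-up). Performs read-only checks.
$results = @()

# 1. System Restore disabled through the registry value named in the description.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$sr = Get-ItemProperty -Path $srKey -Name 'DisableSR' -ErrorAction SilentlyContinue
if ($null -ne $sr -and [string]$sr.DisableSR -eq '1') {
    $results += [pscustomobject]@{
        Indicator = 'DisableSR = 1'
        Location  = $srKey
        Note      = 'Not conclusive alone; corroborate with the other findings'
    }
}

# 2. Dropped file conlf1.ini.
#    Assumption: the temp folder may be machine-wide or per-user, so check each.
$tempDirs = @("$env:WINDIR\Temp", $env:TEMP)
$tempDirs += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

foreach ($dir in ($tempDirs | Where-Object { $_ } | Select-Object -Unique)) {
    $candidate = Join-Path $dir 'conlf1.ini'
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $file = Get-Item -LiteralPath $candidate -Force
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $results += [pscustomobject]@{
            Indicator = 'conlf1.ini present'
            Location  = $file.FullName
            Note      = "SHA256 $hash, modified $($file.LastWriteTimeUtc.ToString('u'))"
        }
    }
}

# Report findings; an empty result does not rule out infection.
if ($results.Count -eq 0) {
    'No host indicators from this description were found.'
} else {
    $results | Format-List
}
```

Run it from an elevated prompt so other users' temp directories are readable; a hit should be followed by a full antimalware scan, since the modified system files are not covered by this check.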
Downloads arbitrary files
Trojan:Win32/Alvabrig.A may download arbitrary files, such as other malware or updates of itself, from any of the following domains:
Analysis by Cristian Craioveanu