Wow, thanks for the great info and the fast reply.
It looks like those files really are infected. More disturbing, the actual CD also has those viruses on it, and it is a PE repair CD used by a large national computer repair/service company for which I used to work. I have about a dozen different versions of that disk and ALL of them have it. I think I will check the newest one out to see if it is present…
On a different note, could that virus (as it is listed as a dropper) infect the PCs of the people getting serviced?
The results of the lookup are posted below:
Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.15 Win32/Alman.C
AntiVir 7.8.1.19 2008.08.16 W32/Alman.BB
Authentium 5.1.0.4 2008.08.17 W32/Alman.C
Avast 4.8.1195.0 2008.08.17 Win32:Agent-SWR
AVG 8.0.0.161 2008.08.17 Win32/Alman
BitDefender 7.2 2008.08.17 -
CAT-QuickHeal 9.50 2008.08.16 W32.Almanahe.B
ClamAV 0.93.1 2008.08.16 W32.Alman-2
DrWeb 4.44.0.09170 2008.08.17 Win32.Alman
eSafe 7.0.17.0 2008.08.17 -
eTrust-Vet 31.6.6035 2008.08.15 Win32/Almanahe.F!x386
Ewido 4.0 2008.08.17 -
F-Prot 4.4.4.56 2008.08.17 W32/Alman.C
F-Secure 7.60.13501.0 2008.08.17 Virus.Win32.Alman.b
Fortinet 3.14.0.0 2008.08.17 W32/Alman.B
GData 2.0.7306.1023 2008.08.17 Virus.Win32.Alman.b
Ikarus T3.1.1.34.0 2008.08.17 Virus.Win32.Alman.b
K7AntiVirus 7.10.417 2008.08.15 -
Kaspersky 7.0.0.125 2008.08.17 Virus.Win32.Alman.b
McAfee 5362 2008.08.15 W32/Almanahe.c
Microsoft 1.3807 2008.08.17 Virus:Win32/Almanahe.B
NOD32v2 3362 2008.08.17 Win32/Alman.NAB
Norman 5.80.02 2008.08.15 W32/Alman.B
Panda 9.0.0.4 2008.08.17 Trj/Asprox.E
PCTools 4.4.2.0 2008.08.17 Win32.Alman.B
Prevx1 V2 2008.08.17 -
Rising 20.57.62.00 2008.08.17 Worm.Magistr.g
Sophos 4.32.0 2008.08.17 W32/Alman-C
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.17 W32.Almanahe.B!inf
TheHacker 6.3.0.3.052 2008.08.17 W32/Almanahe.C
TrendMicro 8.700.0.1004 2008.08.16 PE_CORELINK.C-1
VBA32 3.12.8.3 2008.08.17 Trojan-Downloader.Win32.Agent.erl
ViRobot 2008.8.16.1338 2008.08.16 Win32.Alman.B
VirusBuster 4.5.11.0 2008.08.17 Win32.Alman.B
Webwasher-Gateway 6.6.2 2008.08.17 Win32.Alman.BB
Additional information
File size: 625152 bytes
MD5: 5c8d8d9350baa0b1c5debc081ed4a172
SHA1: eb5494238a3fcf089d6751946b0356927a69c37a
SHA256: 7519d077b2be1bdff47a94d62a58f9303203379a6263e691abf5e473bda3b144
SHA512: 9861885619f31063c6cb3f11e67d240aef9b700c8492a7dccc221bec887d5cf6a418b299f38f5393146de678fc621306fee738770473d7ab7087eb1f1312f6a2
PEiD: -
PEInfo: PE Structure information
( base data )
entrypointaddress: 0x10011dc
timedatestamp: 0x41107bf3 (Wed Aug 04 06:02:27 2004)
machinetype: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5b746 0x5b800 6.14 4603d3b832f5f387f02a7ea612c74f9e
.data 0x5d000 0x53c0 0x5200 3.54 d40bcb0070a5c8b51f6708d6e188b5a8
.rsrc 0x63000 0x2cce8 0x2ce00 3.44 b3c866b6cbb21d3c4cc6151f3075b40a
.reloc 0x90000 0xac40 0xae00 7.67 f8ab957f047aff196f6321341c78ad42
( 1 imports )
ntdll.dll: wcslen, _wcsicmp, wcsstr, NtClose, NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, NtQuerySymbolicLinkObject, NtOpenSymbolicLinkObject, RtlPrefixUnicodeString, RtlEqualUnicodeString, NtQueryDirectoryObject, NtOpenDirectoryObject, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, NtQueryVirtualMemory, DbgBreakPoint, RtlAllocateHeap, RtlUnicodeStringToAnsiString, RtlNormalizeProcessParams, NtDelayExecution, isprint, swprintf, _allmul, _alldiv, NtReadFile, NtDeviceIoControlFile, _chkstk, NtFsControlFile, NtOpenFile, NtQueryInformationFile, NtWriteFile, memmove, NtQueryVolumeInformationFile, RtlOemToUnicodeN, RtlMultiByteToUnicodeN, RtlUnicodeToOemN, RtlUnicodeToMultiByteN, sprintf, _wcsupr, _wcslwr, wcscmp, wcsspn, atol, RtlFreeUnicodeString, RtlDosPathNameToNtPathName_U, NtShutdownSystem, NtAdjustPrivilegesToken, NtOpenProcessToken, NtQuerySystemTime, NtQuerySystemInformation, NtSetInformationFile, NtCreateFile, RtlValidRelativeSecurityDescriptor, RtlExpandEnvironmentStrings_U, NtSetThreadExecutionState, _aulldiv, RtlFreeHeap, RtlSizeHeap, qsort, NtDisplayString, NtWaitForMultipleObjects, NtCreateEvent, RtlFormatMessage, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlFindMessage, wcscpy, wcsncmp, RtlQueryRegistryValues, RtlWriteRegistryValue, RtlSubAuthoritySid, RtlInitializeSid, RtlLengthRequiredSid, RtlAddAce, RtlCopySid, RtlLengthSid, RtlQueryInformationAcl, RtlCreateAcl, RtlAddAccessAllowedAce, RtlLengthSecurityDescriptor, RtlValidSecurityDescriptor, RtlNewSecurityObject, RtlSetDaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlCreateSecurityDescriptor, RtlTimeToTimeFields, RtlSystemTimeToLocalTime, _allrem, RtlDecompressBuffer, RtlUpcaseUnicodeString, RtlRaiseStatus, NtTerminateThread, NtSetEvent, NtWaitForSingleObject, NtQueryInformationThread, RtlCreateUserThread, RtlComputeCrc32, DbgPrint, RtlDeleteElementGenericTable, RtlFindSetBits, RtlClearBits, RtlInitializeBitMap, RtlLookupElementGenericTable, RtlNumberOfSetBits, RtlEnumerateGenericTableWithoutSplaying, RtlSetBits, RtlInsertElementGenericTable, RtlInitializeGenericTable, NtQueryPerformanceCounter
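The PEInfo block above (entry point, timestamp, machine type, and the per-section entropy and MD5 table) can be reproduced locally, which is useful for checking whether the copies on the other repair CDs are the same sample before uploading each one. The script below is an added example written for this page; it is not part of the original post and not VirusTotal's own tooling. It parses the DOS/COFF/optional headers and the section table directly with `struct`, computes Shannon entropy and MD5 per section, and prints the whole-file hashes to compare against the MD5/SHA256 listed above. Because the infected file itself cannot be shipped here, `build_sample_pe()` constructs a minimal PE32 image (clearly not a real program) carrying the same timestamp, image base and entry-point RVA as the values reported above, so the script runs offline; `pe_report.py <file.exe>` runs it against a real file.

```python
import hashlib
import math
import random
import struct
import sys
import time

# Header layouts from the PE/COFF specification (little-endian).
_COFF_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
_SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
_OPT32_FMT = "<HBBIIIIIII"     # PE32 optional header up to and including ImageBase (32 bytes)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Return the base data and section table in the shape of the PEInfo block above."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from(_COFF_FMT, blob, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", blob, opt_off)[0]
    aep = struct.unpack_from("<I", blob, opt_off + 16)[0]      # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                                         # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", blob, opt_off + 28)[0]
    elif magic == 0x20B:                                       # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", blob, opt_off + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, _ = struct.unpack_from(
            _SECTION_FMT, blob, sec_off + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]                    # bytes as stored on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "machinetype": machine,
        "timedatestamp": tstamp,
        "timedatestamp_utc": time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(tstamp)),
        "entrypoint_rva": aep,
        "entrypoint_va": image_base + aep,                     # image base plus RVA
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for offline testing (not a real binary, not the
    infected file): one low-entropy and one high-entropy section, with the timestamp,
    image base 0x01000000 and entry-point RVA 0x11dc chosen to match the values above."""
    rng = random.Random(1)
    text = bytes([0x90, 0xC3, 0x55, 0x8B]) * 256                # four equally frequent bytes -> 2.0 bits
    reloc = bytes(rng.getrandbits(8) for _ in range(4096))      # pseudo-random -> close to 8.0 bits
    opt_size = 224
    align = lambda n: (n + 0x1FF) & ~0x1FF                      # 512-byte file alignment
    text_ptr = align(0x80 + 4 + 20 + opt_size + 40 * 2)
    reloc_ptr = text_ptr + align(len(text))
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack(_COFF_FMT, 0x14C, 2, 0x41107BF3, 0, 0, opt_size, 0x0102)
    opt = struct.pack(_OPT32_FMT, 0x10B, 7, 10, len(text), len(reloc), 0,
                      0x11DC, 0x1000, 0x2000, 0x01000000).ljust(opt_size, b"\0")
    secs = struct.pack(_SECTION_FMT, b".text", len(text), 0x1000, align(len(text)), text_ptr, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(_SECTION_FMT, b".reloc", len(reloc), 0x2000, align(len(reloc)), reloc_ptr, 0, 0, 0, 0, 0x42000040)
    image = (dos + b"PE\0\0" + coff + opt + secs).ljust(text_ptr, b"\0")
    return image + text.ljust(align(len(text)), b"\0") + reloc.ljust(align(len(reloc)), b"\0")


def report(blob: bytes) -> str:
    info = parse_pe(blob)
    lines = [f"MD5: {info['md5']}", f"SHA256: {info['sha256']}",
             f"entrypointaddress: 0x{info['entrypoint_va']:x}",
             f"timedatestamp: 0x{info['timedatestamp']:08x} ({info['timedatestamp_utc']})",
             f"machinetype: 0x{info['machinetype']:x}",
             f"( {len(info['sections'])} sections )", "name viradd virsiz rawdsiz ntrpy md5"]
    for s in info["sections"]:
        lines.append(f"{s['name']} 0x{s['viradd']:x} 0x{s['virsiz']:x} 0x{s['rawdsiz']:x} {s['ntrpy']:.2f} {s['md5']}")
    return "\n".join(lines)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(report(data))
```

Two practical notes. First, comparing the whole-file MD5/SHA256 to the values above tells you whether another CD carries the identical sample or a different build of the same family (the per-section MD5s narrow down which section differs). Second, entropy close to 8 bits per byte means packed or encrypted content; a relocation section normally consists of small structured entries, so a `.reloc` at 7.67 as in the table above is worth a closer look rather than something to assume is benign.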