Win32/Ramnit [Threat Name] go to Threat

Win32/Ramnit.A [Threat Variant Name]

Category virus
Detection created Jul 27, 2010
Signature database version 8525
Aliases Backdoor.Win32.IRCNite.bwy (Kaspersky)
  W32/Ramnit (McAfee)
  W32.Ramnit (Symantec)
Short description

Win32/Ramnit.A is a file infector.

Installation

When executed, the virus copies itself in some of the the following locations:

  • %programfiles%\­Microsoft\­WaterMark.exe
  • %commonprogramfiles%\­Microsoft\­WaterMark.exe
  • %appdata%\­Microsoft\­WaterMark.exe
  • %system%\­Microsoft\­WaterMark.exe
  • %windir%\­Microsoft\­WaterMark.exe
  • %temp%\­Microsoft\­WaterMark.exe
  • %homedrive%%homepath%\­Microsoft\­WaterMark.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Userinit" = "%originalvalue%, %malwarefolder%\­Microsoft\­WaterMark.exe"

This causes the virus to be executed on every system start.


The virus creates and runs a new thread with its own program code within the following processes:

  • svchost.exe
Executable file infection

The virus searches local drives for files with the following file extensions:

  • .exe
  • .dll

It avoids files which contain any of the following strings in their path:

  • RMNetwork

Files are infected by adding a new section that contains the virus .


The host file is modified in a way that causes the virus to be executed prior to running the original code.


The size of the inserted code is 53 KB .

File infection

The virus searches local drives for files with the following file extensions:

  • .htm
  • .html

It avoids files which contain any of the following strings in their path:

  • RMNetwork

The virus writes the program code of the malware into the file.

Spreading

The virus spreads by exploiting a vulnerability in the operating system of the targeted machine.


This vulnerability is described in CVE-2010-2568 .


The Windows Shell allows local users or remote attackers to execute arbitrary code via a crafted *.lnk, *.pif shortcut file when its icon is displayed.


No further user interaction is required to execute arbitrary code.


The virus creates the following files:

  • %removabledrive%\­RECYCLER\­S-7-1-36-6133081425-6700277004-675130086-4217\­%variable1%.exe
  • %removabledrive%\­RECYCLER\­S-7-1-36-6133081425-6700277004-675130086-4217\­%variable2%.cpl
  • %removabledrive%\­autorun.inf
  • %removabledrive%\­Copy of Shortcut to (1).lnk
  • %removabledrive%\­Copy of Shortcut to (2).lnk
  • %removabledrive%\­Copy of Shortcut to (3).lnk
  • %removabledrive%\­Copy of Shortcut to (4).lnk

A string with variable content is used instead of %variable1-2% .

Other information

The virus acquires data and commands from a remote computer or the Internet.


The virus contains a list of addresses.


It can execute the following operations:

  • capture screenshots
  • send gathered information
  • download files from a remote computer and/or the Internet
  • run executable files
  • shut down/restart the computer

The virus may create the following files:

  • %system%\­dmlconf.dat

The virus connects to the following addresses:

  • google.com
  • bing.com
  • yahoo.com

The virus may create and run a new thread with its own program code within any running process.

Please enable Javascript to ensure correct displaying of this content and refresh this page.