Win32/Ramnit [Threat Name]
Win32/Ramnit.A [Threat Variant Name]
Category: virus
Aliases: Backdoor.Win32.IRCNite.bwy (Kaspersky), W32/Ramnit (McAfee), W32.Ramnit (Symantec)
Short description
Win32/Ramnit.A is a file infector.
Installation
When executed, the virus copies itself to some of the following locations:
- %programfiles%\Microsoft\WaterMark.exe
- %commonprogramfiles%\Microsoft\WaterMark.exe
- %appdata%\Microsoft\WaterMark.exe
- %system%\Microsoft\WaterMark.exe
- %windir%\Microsoft\WaterMark.exe
- %temp%\Microsoft\WaterMark.exe
- %homedrive%%homepath%\Microsoft\WaterMark.exe
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Userinit" = "%originalvalue%, %malwarefolder%\Microsoft\WaterMark.exe"
This causes the virus to be executed on every system start.
The virus creates and runs a new thread with its own program code within the following processes:
- svchost.exe
Executable file infection
The virus searches local drives for files with the following file extensions:
- .exe
- .dll
It avoids files which contain any of the following strings in their path:
- RMNetwork
Files are infected by adding a new section that contains the virus.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The size of the inserted code is 53 KB.
File infection
The virus searches local drives for files with the following file extensions:
- .htm
- .html
It avoids files which contain any of the following strings in their path:
- RMNetwork
The virus writes the program code of the malware into the file.
Spreading
The virus spreads by exploiting a vulnerability in the operating system of the targeted machine.
This vulnerability is described in CVE-2010-2568.
The Windows Shell allows local users or remote attackers to execute arbitrary code via a crafted *.lnk or *.pif shortcut file when its icon is displayed.
No further user interaction is required to execute arbitrary code.
The virus creates the following files:
- %removabledrive%\RECYCLER\S-7-1-36-6133081425-6700277004-675130086-4217\%variable1%.exe
- %removabledrive%\RECYCLER\S-7-1-36-6133081425-6700277004-675130086-4217\%variable2%.cpl
- %removabledrive%\autorun.inf
- %removabledrive%\Copy of Shortcut to (1).lnk
- %removabledrive%\Copy of Shortcut to (2).lnk
- %removabledrive%\Copy of Shortcut to (3).lnk
- %removabledrive%\Copy of Shortcut to (4).lnk
A string with variable content is used instead of %variable1-2%.
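The persistence entry described under Installation and the removable-drive artifacts listed under Spreading can both be checked for with simple indicator matching. The following is an added example written for this page, not ESET's own tooling; the sample Userinit value and drive listing are constructed, and the helper names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Persistence indicator from the report: the dropped copy is appended to Winlogon\Userinit.
WATERMARK_RE = re.compile(r"\\Microsoft\\WaterMark\.exe$", re.IGNORECASE)
# Removable-drive artifacts from the report: a RECYCLER subfolder named like a SID,
# autorun.inf and the numbered "Copy of Shortcut to (N).lnk" files in the drive root.
RECYCLER_SID_DIR = "S-7-1-36-6133081425-6700277004-675130086-4217"
SHORTCUT_RE = re.compile(r"^Copy of Shortcut to \(\d+\)\.lnk$", re.IGNORECASE)


def userinit_entries(value: str) -> list[str]:
    """Split a Winlogon Userinit value into its comma-separated launch entries.
    A clean default ends with a trailing comma, which yields no extra entry."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def suspicious_userinit(value: str) -> list[str]:
    """Return the entries that point at the WaterMark.exe copy named in the report."""
    return [e for e in userinit_entries(value) if WATERMARK_RE.search(e)]


def removable_drive_findings(paths: list[str]) -> list[str]:
    """Flag paths on a removable drive that match the spreading artifacts above.
    Accepts absolute (E:\\...) or drive-relative paths; a real scan would walk the drive."""
    findings = []
    for p in paths:
        pp = PureWindowsPath(p)
        parts = pp.parts[1:] if pp.anchor else pp.parts  # drop the drive/root component
        if not parts:
            continue
        name, parents = parts[-1], parts[:-1]
        in_root = len(parents) == 0
        if in_root and (name.lower() == "autorun.inf" or SHORTCUT_RE.match(name)):
            findings.append(p)
        elif any(d.upper() == RECYCLER_SID_DIR for d in parents) and name.lower().endswith((".exe", ".cpl")):
            findings.append(p)
    return findings


# Constructed sample data (hypothetical values, not taken from a real infection).
SAMPLE_USERINIT = "C:\\Windows\\system32\\userinit.exe, C:\\Program Files\\Microsoft\\WaterMark.exe"
SAMPLE_DRIVE_LISTING = [
    "E:\\autorun.inf",
    "E:\\Copy of Shortcut to (1).lnk",
    "E:\\RECYCLER\\S-7-1-36-6133081425-6700277004-675130086-4217\\xk2q9.exe",
    "E:\\RECYCLER\\S-7-1-36-6133081425-6700277004-675130086-4217\\ph4ma.cpl",
    "E:\\docs\\report.docx",
    "E:\\RECYCLER\\S-1-5-21-111-222-333-1001\\Dc1.txt",  # ordinary Recycle Bin content
]

if __name__ == "__main__":
    print(suspicious_userinit(SAMPLE_USERINIT))
    print(removable_drive_findings(SAMPLE_DRIVE_LISTING))
```

Userinit is read from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon on a live host; the drive listing would come from walking the removable volume.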
Other information
The virus acquires data and commands from a remote computer or the Internet.
The virus contains a list of addresses.
It can execute the following operations:
- capture screenshots
- send gathered information
- download files from a remote computer and/or the Internet
- run executable files
- shut down/restart the computer
The virus may create the following files:
- %system%\dmlconf.dat
The virus connects to the following addresses:
- google.com
- bing.com
- yahoo.com
The virus may create and run a new thread with its own program code within any running process.