Win32/Ramgex [Threat Name] go to Threat

Win32/Ramgex.A [Threat Variant Name]

Category worm
Size 3686617 B
Aliases Worm.Win32.Agent.ama (Kaspersky)
  Worm:Win32/Ramgex.A (Microsoft)
  Worm/Ramgex.A (Avira)
Short description

Win32/Ramgex.A is a worm that spreads via removable media. Win32/Ramgex.A installs a backdoor that can be controlled remotely. The worm is often included in the installation packages of games downloaded from untrustworthy sources. The file is run-time compressed using Inno Setup .


When executed, the worm copies itself into the following location:

  • %windir%\­temp\­_sprdfl.tmp

The worm creates the following files:

  • %temp%\­%variable1%.tmp\­%originalmalwarefilename%.tmp (1068032 B)
  • %temp%\­%variable2%.tmp\­Eml.dat (1643008 B, Win32/Ramgex.A)
  • %temp%\­%variable2%.tmp\­Spread.exe (2782720 B, Win32/Ramgex.A)
  • %temp%\­%variable2%.tmp\­_isetup\­_RegDLL.tmp (4096 B)
  • %temp%\­%variable2%.tmp\­_isetup\­_shfoldr.dll (23312 B)
  • %windir%\­temp\­rstv.txt
  • %temp%\­%variable2%.tmp\­libeay32.dll (1197568 B)
  • %temp%\­%variable2%.tmp\­ssleay32.dll (302592 B)
  • %temp%\­%variable2%.tmp\­rar.exe (378368 B)
  • %windir%\­Temp\­svchost.exe (1643008 B, Win32/Ramgex.A)
  • %windir%\­Temp\­libeay32.dll (1197568 B)
  • %windir%\­Temp\­rar.exe (378368 B)

A string with variable content is used instead of %variable1-2% .

The worm executes the following files:

  • %temp%\­%variable1%.tmp\­%originalmalwarefilename%.tmp /SL5="$80158,3381997,421888,%originalmalwarefilename%"
  • %temp%\­%variable2%.tmp\­Spread.exe
  • %windir%\­Temp\­svchost.exe /install /silent

The worm registers itself as a system service using the following name:

  • SpecSrvs

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SpecSrvs]
    • "Description" = "Microsoft Windows Management Service Host"
    • "DisplayName" = "Service Host"
    • "ErrorControl" = 1
    • "ImagePath" = "%windir%\­Temp\­svchost.exe"
    • "ObjectName" = "LocalSystem"
    • "Start" = 2
    • "Type" = 16

This causes the worm to be executed on every system start.

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • %originalmalwarefilename%
Other information

The worm contains a backdoor. It can be controlled remotely.

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) URLs. The POP3, SMTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • delete files
  • delete folders
  • send the list of files on specific drive to a remote computer

The worm may create the following files:

  • %windir%\­temp\­DirecC_%computername%-S.dll
  • %windir%\­temp\­_jp1234.tmp
  • %windir%\­temp\­_vidlist.tmp
  • %windir%\­temp\­_df1234.tmp
  • %windir%\­temp\­_lg.dll
  • %windir%\­temp\­svchoste.dll
  • %windir%\­temp\­_ylnk.dll

Please enable Javascript to ensure correct displaying of this content and refresh this page.