Win32/Ramnit [Threat Name]
Win32/Ramnit.BX [Threat Variant Name]
Category | virus
Detection created | Oct 05, 2015
Detection database version | 12358
Aliases | Trojan:Win32/Ramnit.gen!A (Microsoft)
        | Win32.Rmnet.16 (Dr.Web)
        | Win32:RamnitPlugin-A (Avast)
Short description
Win32/Ramnit.BX is a malicious extension/plugin module of the Win32/Ramnit family. It is usually delivered as a component of other Ramnit malware rather than on its own. The file is run-time compressed using UPX.
Installation
The virus does not create any copies of itself.
Executable file infection
Win32/Ramnit.BX can infect executable files.
The virus searches local drives for executable files to infect.
The virus also searches for executables in shared folders of remote machines.
The virus searches for executables with one of the following extensions:
- .exe
- .dll
If a folder name matches one of the following strings, files inside it are not infected:
- c:\windows
Several other criteria are applied when choosing a file to infect.
Files are infected by appending a new section that contains the virus body.
The host file is modified so that the virus code runs before the original program code.
The program code written into infected files is downloaded from the Internet.
Information stealing
The virus collects the following information:
- cookies
- FTP account information
- user name
- operating system version
- language settings
The virus targets data stored by the following programs:
- Internet Explorer
- Mozilla Firefox
- Opera
- Flash Player
- Safari
- Google Chrome
- Far Manager
- Total Commander
- Windows Commander
- WS_FTP
- CuteFTP
- FlashFXP
- FileZilla
- FTP Commander
- BulletProof FTP
- SmartFTP
- TurboFTP
- FFFTP
- Core FTP
- FTP Explorer
- Frigate3
- Web Site Publisher
- Classic FTP
- Fling FTP Software
- SoftX FTP
- Directory Opus
- LeapFtp
- WinSCP
- 32bit FTP
- Ftp Control
- NetDrive
The virus can send the information to a remote machine.
Other information
The virus acquires data and commands from a remote computer or the Internet.
The virus opens TCP port 23.
It can execute the following operations:
- infect files on local computer
- send requested files
- upload file list
- download files from a remote computer and/or the Internet
- run executable files
The virus can be used to gain full access to the compromised computer.
The virus hooks the following Windows APIs:
- NtCreateUserProcess (ntdll.dll)
- NtCreateThread (ntdll.dll)
- OpenInputDesktop (user32.dll)
- SwitchDesktop (user32.dll)
- DefWindowProcW (user32.dll)
- DefWindowProcA (user32.dll)
- DefDlgProcW (user32.dll)
- DefDlgProcA (user32.dll)
- DefFrameProcW (user32.dll)
- DefFrameProcA (user32.dll)
- DefMDIChildProcW (user32.dll)
- DefMDIChildProcA (user32.dll)
- CallWindowProcW (user32.dll)
- CallWindowProcA (user32.dll)
- RegisterClassW (user32.dll)
- RegisterClassA (user32.dll)
- RegisterClassExW (user32.dll)
- RegisterClassExA (user32.dll)
- BeginPaint (user32.dll)
- EndPaint (user32.dll)
- GetDCEx (user32.dll)
- GetDC (user32.dll)
- GetWindowDC (user32.dll)
- ReleaseDC (user32.dll)
- GetUpdateRect (user32.dll)
- GetUpdateRgn (user32.dll)
- GetMessagePos (user32.dll)
- GetCursorPos (user32.dll)
- SetCursorPos (user32.dll)
- SetCapture (user32.dll)
- ReleaseCapture (user32.dll)
- GetCapture (user32.dll)
- GetMessageW (user32.dll)
- GetMessageA (user32.dll)
- PeekMessageW (user32.dll)
- PeekMessageA (user32.dll)
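The hooked functions listed above are desktop, window-painting and message-loop APIs, which fits the remote-access capability the page describes. A responder can look for such hooks by reading the first bytes of each export in the live process and checking whether the first instruction transfers control outside the user32.dll image. The code below is an added example, not part of the page or of any vendor tool: it works on a constructed snapshot of prologue bytes (the kind of data ReadProcessMemory would return) so that it runs offline. The module base, the export addresses, the hook targets and the `.hotpatch` prologue bytes used for the clean entries are illustrative assumptions, not values taken from the sample.

```python
import struct

# Illustrative load range for user32.dll (constructed; a real check takes this from the module list).
MODULE_BASE = 0x77D10000
MODULE_SIZE = 0x00090000


def classify_prologue(addr, code):
    """Decode a control transfer at the start of a function; return (kind, target) or None."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:    # jmp dword ptr [abs]
        return "jmp [mem]", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 2 and code[0] == 0xEB:                        # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp rel8", (addr + 2 + rel) & 0xFFFFFFFF
    return None


def find_hooks(snapshot, base, size):
    """Report exports whose first instruction jumps outside the module image (inline hook)."""
    hooks = []
    for api, (addr, code) in snapshot.items():
        found = classify_prologue(addr, code)
        if found is None:
            continue
        kind, target = found
        if not (base <= target < base + size):
            hooks.append({"api": api, "kind": kind, "target": target})
    return hooks


def _jmp_rel32(addr, target):
    """Encode an E9 jump from addr to target (used only to build the constructed snapshot)."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5))


# Constructed snapshot of the first 8 bytes of a few user32 exports. Clean entries keep the
# 32-bit hotpatch prologue mov edi,edi / push ebp / mov ebp,esp; hooked ones start with a
# trampoline into an assumed injected region around 0x00A30000.
HOTPATCH = b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x10"
SAMPLE_SNAPSHOT = {
    "GetMessageW":    (0x77D2A100, HOTPATCH),
    "PeekMessageA":   (0x77D2B200, _jmp_rel32(0x77D2B200, 0x00A30000) + b"\x8B\xEC\x83"),
    "SwitchDesktop":  (0x77D3C300, b"\x68" + struct.pack("<I", 0x00A34000) + b"\xC3\x90\x90"),
    # Jump that stays inside the module image: a legitimate thunk, not reported.
    "DefWindowProcW": (0x77D2D400, _jmp_rel32(0x77D2D400, 0x77D2D800) + b"\x90\x90\x90"),
}


def demo():
    """Return (api, kind, target) for every hooked export in the constructed snapshot."""
    return [(h["api"], h["kind"], hex(h["target"]))
            for h in find_hooks(SAMPLE_SNAPSHOT, MODULE_BASE, MODULE_SIZE)]


if __name__ == "__main__":
    for api, kind, target in demo():
        print(f"{api}: {kind} -> {target}")
```

On a real host, feed `find_hooks` with addresses from the export table and bytes read from the target process, and take the module range from the loaded-module list rather than from disk. Only 32-bit encodings are decoded here; 64-bit hooks commonly use `mov rax, imm64 ; jmp rax` or `jmp [rip+0]` and need additional patterns.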
The virus may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
- "iCheckReader" = 3
- [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy]
- "EnableJavaUpdate" = 1
- "EnableAutoUpdateCheck" = 1
- "NotifyDownload" = 0
- "NotifyInstall" = 1
The virus keeps various information in the following files:
- %localappdata%\%variable1%.log
- %localappdata%\%variable2%.log
- %userprofile%\%variable2%.log
- %homedrive%%homepath%\%variable1%.log
A string with variable content is used instead of %variable1-2%.