Win32/Ramnit [Threat Name] go to Threat

Win32/Ramnit.L [Threat Variant Name]

Category virus
Size 112630 B
Aliases Trojan-PSW.Win32.Agent.yhq (Kaspersky)
  Trojan:Win32/Ramnit.D (Microsoft)
  W32.Ramnit.B (Symantec)
Short description

Win32/Ramnit.L is a file infector. It uses techniques common for rootkits.


When executed, the virus copies itself into the following location:

  • %temp%\­%variable1%.exe

The virus creates the following files:

  • %temp%\­%variable2%.sys
  • %temp%\­%variable3%.log

Installs the following system drivers (path, name):

  • %temp%\­%variable2%.sys, "Microsoft Windows Service"

A string with variable content is used instead of %variable1-3% .

The virus may create and run a new thread with its own program code within any running process.

Other information

The virus acquires data and commands from a remote computer or the Internet. The virus contains a list of addresses.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • delete cookies
  • delete Registry entries
  • capture screenshots

The virus opens TCP port 4678 .

Win32/Ramnit.L can infect executable files.

The virus infects the files with program code that is downloaded from the Internet.

The virus hooks the following Windows APIs:

  • ZwWriteVirtualMemory (ntdll.dll)
  • ZwOpenKey (ntoskrnl.exe)
  • ZwOpenKeyEx (ntoskrnl.exe)
  • ZwOpenKeyTransacted (ntoskrnl.exe)
  • ZwOpenKeyTransactedEx (ntoskrnl.exe)
  • ZwCreateKey (ntoskrnl.exe)

Please enable Javascript to ensure correct displaying of this content and refresh this page.