Key signs for judging whether your computer has been infected by the Ramnit.A virus
A. Your computer behaves abnormally, for example it runs very slowly.
B. When you open Task Manager, you find strange processes that you have never seen before.
C. Some computer functions are unavailable, or normal, legitimate programs cannot run or behave unusually.
D. Your system constantly reports errors.
E. Eventually, your computer system will be totally destroyed.
Aliases: W32.Infector, W32/Patched-I, PE_RAMNIT.A, W32.Ramnit!html, HTML/Ramnit.A, VBS:ExeDropper-gen, Trojan-Dropper.vbs.Agent.bp
Method of Spreading: Viruses are self-replicating. They are often spread over a network or by transmission to a removable medium such as a removable disk, writable CD or USB drive. Viruses may also spread by infecting files on a network file system or on a file system shared with another computer.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
“W32/Ramnit.a!htm” is the detection name for HTML files infected by the virus. The source virus is detected as W32/Ramnit.a.
“W32/Ramnit.a” is a virus that infects exe, dll, html and scr files by injecting its own viral code. It may also spread via removable drives and mapped drives.
“W32/Ramnit.a!htm” is an infected .HTM or .HTML file which causes execution of another instance of the W32/Ramnit.a virus.
The infected HTML files have a VBScript appended at the end of the HTML page. When the user opens the infected HTML file, the VBScript drops a copy of W32/Ramnit.a.

Once loaded and running, W32/Ramnit.a creates a backdoor and connects to a remote server to allow a remote attacker to gain control of the compromised computer. It then waits for other tasks that the remote attacker may perform on the PC.
The virus can inject malicious code into the default Internet browser and uses this method to bypass the Windows firewall and other security programs.
Some infected machines may display an error if the Trojan’s embedded code conflicts with other programs. Here is the sample error message.
The above is the malicious VBScript written by the virus, which drops a file named svchost.exe, writes the binary data into it and executes the virus.
The virus script writes the binary data into “svchost.exe” in the locations below:
- %Temp%\svchost.exe
- %Programfiles%\Microsoft\DesktopLayer.exe
The following folder has been added by the virus.
- %Programfiles%\Microsoft
The following registry key value has been modified by the virus; the first line shows the original value and the second the modified one.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%windir%\system32\userinit.exe,"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%windir%\system32\userinit.exe,,%programfiles%\microsoft\desktoplayer.exe"
The registry value above ensures that the virus registers itself in the Winlogon entry of the compromised system and executes upon every boot.
The virus also connects to the following URLs and IP address:
- Za[Removed]g.name
- members.l[Removed]de.com
- 106.187.[Removed].154
Once the infected HTML file is opened, it drops a file into the following location and executes it:
- %Temp%\svchost.exe
Once svchost.exe is executed, it tries to connect to the following URLs through remote port 443:
- 91.220.[Removed].30
- rterybrst[Removed]erve.com
It also drops the following files:
- %Windir%\system32\dllcache\vgx.dll
- %Windir%\system32\dmlconf.dat
- %userprofile%\Desktop\svchostmgr.exe
- %Programfiles%\Common Files\Microsoft Shared\VGX\vgx.dll
- %Programfiles%\Common Files\System\msadc\OLD128.tmp
- %Programfiles%\Windows Media Player\OLD12B.tmp
- %Programfiles%\Microsoft\WaterMark.exe
The following registry key value has been added.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%Windir%\system32\userinit.exe,, %Programfiles% \microsoft\watermark.exe"
The registry value above ensures that the Trojan registers with the compromised system and executes itself upon every boot.
The infected HTML files have an appended VBScript. When the user opens the infected HTML file, the VBScript drops a copy of the W32/Ramnit file into the location below.
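As an added defensive check, not part of the original post, covering both Userinit modifications described above: a Python script that flags any program appended to the Winlogon Userinit value beyond the stock userinit.exe, and reports which of the drop paths listed on this page exist. The environment mapping and the file-existence function are assumptions injected from outside so the check can be exercised on constructed data; on a live Windows host the value would be read from the registry with winreg (not shown).

```python
import os
import re

# Stock Winlogon\Userinit value; anything after the trailing comma is an extra
# program that Winlogon launches at every logon (Ramnit appends its dropper).
DEFAULT_USERINIT = r"%windir%\system32\userinit.exe"

# Drop locations taken from the description above (variables left unexpanded).
RAMNIT_DROP_PATHS = [
    r"%Temp%\svchost.exe",
    r"%Programfiles%\Microsoft\DesktopLayer.exe",
    r"%Programfiles%\Microsoft\WaterMark.exe",
    r"%userprofile%\Desktop\svchostmgr.exe",
    r"%Windir%\system32\dmlconf.dat",
]


def extra_userinit_entries(value):
    """Return every comma-separated entry of a Userinit value other than the
    stock userinit.exe (case-insensitive; empty entries are ignored)."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() != DEFAULT_USERINIT]


def expand_win_vars(path, env):
    """Expand %VAR% tokens case-insensitively from `env`; os.path.expandvars
    is case-sensitive on non-Windows hosts, so it is not used here."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def present_drop_files(env, exists=os.path.exists, paths=RAMNIT_DROP_PATHS):
    """Return the expanded drop paths that exist on disk. `exists` is
    injectable so the check can run against a constructed file list."""
    return [p for p in (expand_win_vars(x, env) for x in paths) if exists(p)]


if __name__ == "__main__":
    # Constructed sample: the modified value quoted above plus a fake disk.
    sample_value = r"%windir%\system32\userinit.exe,,%programfiles%\microsoft\desktoplayer.exe"
    sample_env = {"windir": r"C:\Windows", "Programfiles": r"C:\Program Files",
                  "Temp": r"C:\Users\u\AppData\Local\Temp", "userprofile": r"C:\Users\u"}
    fake_disk = {r"C:\Program Files\Microsoft\DesktopLayer.exe"}
    print("extra Userinit entries:", extra_userinit_entries(sample_value))
    print("drop files present:", present_drop_files(sample_env, fake_disk.__contains__))
```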
- %Temp%\svchost.exe
The dropped file "svchost.exe" is then executed.
I observed that the Amsint32 virus mostly helps spread this virus in the system.
No antivirus will remove this virus completely!
I will give guidelines to remove this virus easily without any antivirus.