Win32/Ramnit [Threat Name]

Win32/Ramnit.BV [Threat Variant Name]

Category trojan,virus
Size 217088 B
Detection created Oct 04, 2015
Detection database version 12355
Aliases Trojan.Win32.Nimnul.vup (Kaspersky)
  Trojan:Win32/Ramnit (Microsoft)
  Win32.HLLM.Reset.478 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to some of the following locations:

  • %temp%\%variable1%.exe
  • %temp%\Low\%variable2%.exe
  • %currentfolder%\%variable2%.exe

The trojan copies itself to the following location:

  • %localappdata%\%variable3%\%variable4%.exe

A string with variable content is used instead of %variable1-4%.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable4%" = "%localappdata%\%variable3%\%variable4%.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%originalvalue%, %localappdata%\%variable3%\%variable4%.exe"

The trojan copies itself to the following location:

  • %startup%\%variable4%.exe

The trojan can create and run a new thread with its own program code within the following processes:

  • spoolsv.exe

The trojan launches the following processes:

  • %programfiles%\Internet Explorer\iexplore.exe
  • %defaultbrowser%
  • %system%\svchost.exe

The trojan creates and runs a new thread with its own code within these running processes.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "AntiVirusOverride" = 1
    • "AntiVirusDisableNotify" = 1
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1
    • "UpdatesDisableNotify" = 1
    • "UacDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    • "AntiVirusOverride" = 1
    • "AntiVirusDisableNotify" = 1
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1
    • "UpdatesDisableNotify" = 1
    • "UacDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    • "EnableFirewall" = 0
    • "DoNotAllowExceptions" = 0
    • "DisableNotifications" = 1

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "jfghdug_ooetvtgk" = "TRUE"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions]
    • "*.exe" = 0
    • "*.dll" = 0
    • "*.tmp" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes]
    • "afwqs.exe" = 0
    • "rgjdu.exe" = 0
    • "explorer.exe" = 0
    • "spoolsv.exe" = 0
    • "rundll32.exe" = 0
    • "consent.exe" = 0
    • "svchost.exe" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions]
    • "*.exe" = 0
    • "*.dll" = 0
    • "*.tmp" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
    • "afwqs.exe" = 0
    • "rgjdu.exe" = 0
    • "explorer.exe" = 0
    • "spoolsv.exe" = 0
    • "rundll32.exe" = 0
    • "consent.exe" = 0
    • "svchost.exe" = 0

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender]

The following services are disabled:

  • MpsSvc
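As an added example (not part of this ESET description, and not the trojan's or any vendor's code), the following Python triage script parses the text of a Windows registry export and flags both the persistence entries (Run key, Userinit) and the security-weakening values, service Start states and anti-malware exclusions listed in the Installation section above. It takes the decoded text of a .reg file (reg export writes UTF-16LE, so open it with encoding="utf-16" first). The embedded export is constructed for illustration: the user name alice, the folder qwerty and the file name asdfgh.exe stand in for the %variable% strings, and the OneDrive entry is included as a legitimate %localappdata% Run entry for contrast.

```python
"""Triage a Windows registry export (.reg text) for the Win32/Ramnit.BV registry changes."""
import re
from typing import Dict, List

# Values the trojan sets to weaken the host, per the description above (value name -> tampered data).
_SECURITY_CENTER_FLAGS = {name: 1 for name in (
    "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallDisableNotify",
    "FirewallOverride", "UpdatesDisableNotify", "UacDisableNotify")}
TAMPERED_DWORDS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": 0},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": _SECURITY_CENTER_FLAGS,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc": _SECURITY_CENTER_FLAGS,
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc": {"Start": 4},  # Security Center service disabled
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc": {"Start": 4},  # Windows Firewall service disabled
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile":
        {"EnableFirewall": 0, "DisableNotifications": 1},
}
# Any value under these keys is an anti-malware exclusion the trojan may have added.
EXCLUSION_KEYS = tuple(
    rf"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\{product}\Exclusions\{kind}"
    for product in ("Windows Defender", "Microsoft Antimalware") for kind in ("Extensions", "Processes"))
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"

# One .reg value line: "name"=data or @=data (default value).
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key path (lower-cased): {value name: data}}.

    Only REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx) values are decoded; hex(...) blobs,
    their continuation lines and [-key] deletions are skipped, which is enough for this triage.
    """
    hives: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None if key.startswith("-") else hives.setdefault(key.lower(), {})
            continue
        match = _VALUE_LINE.match(line) if current is not None else None
        if match is None:
            continue
        name = "@" if match.group(1) is None else _unescape(match.group(1))
        data = match.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            current[name] = _unescape(data[1:-1])
    return hives


def find_ramnit_indicators(hives: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one human-readable finding per Ramnit-style registry change present in the export."""
    findings: List[str] = []
    for key, expected in TAMPERED_DWORDS.items():
        present = hives.get(key.lower(), {})
        findings += [f"tampered: {key}\\{name} = {bad}" for name, bad in expected.items() if present.get(name) == bad]
    for key in EXCLUSION_KEYS:
        findings += [f"AV exclusion: {key}\\{name}" for name in hives.get(key.lower(), {})]
    # Userinit is normally only "<system>\userinit.exe,"; anything after the first comma also runs at logon.
    userinit = str(hives.get(WINLOGON_KEY.lower(), {}).get("Userinit", ""))
    findings += [f"extra Userinit entry: {p.strip()}" for p in userinit.split(",")[1:] if p.strip()]
    # Run entries under %localappdata%, the drop location described above (legitimate software lives there too).
    for name, cmd in hives.get(RUN_KEY.lower(), {}).items():
        if isinstance(cmd, str) and "\\appdata\\local\\" in cmd.lower():
            findings.append(f"Run entry in %localappdata%: {name} = {cmd}")
    if "jfghdug_ooetvtgk" in hives.get(MARKER_KEY.lower(), {}):
        findings.append(f"infection marker: {MARKER_KEY}\\jfghdug_ooetvtgk")
    return findings


def triage(reg_text: str) -> List[str]:
    return find_ramnit_indicators(parse_reg_export(reg_text))


# Constructed sample export (not real host data): an infected profile plus one legitimate Run entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Local\\qwerty\\asdfgh.exe"
"Shell"="explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"asdfgh"="C:\\Users\\alice\\AppData\\Local\\qwerty\\asdfgh.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions]
"*.exe"=dword:00000000
"*.dll"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"jfghdug_ooetvtgk"="TRUE"
'''

if __name__ == "__main__":
    # On a live host: reg export HKLM hklm.reg /y, then pass open("hklm.reg", encoding="utf-16").read().
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

The dword checks and the exclusion and Userinit checks are strong signals on their own; the %localappdata% Run-key heuristic is only a lead, since per-user software such as OneDrive legitimately starts from there (the sample shows both hits), so follow it up by checking the signature and hash of the referenced file.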

Information stealing

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings
  • CPU information

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (4) URLs. The trojan generates various URL addresses.

The HTTP and TCP protocols are used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • delete cookies
  • capture screenshots
  • set up a proxy server
  • perform DoS/DDoS attacks
  • start/stop services
  • make the operating system unbootable

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • google.com:80
  • bing.com:80
  • yahoo.com:80

To elevate its privileges it uses one of these exploits (both are privilege-escalation vulnerabilities in the win32k.sys kernel driver):

  • CVE-2014-4113
  • CVE-2013-3660

The trojan keeps various information in the following files:

  • %localappdata%\%variable1%.log
  • %localappdata%\%variable2%.log
  • %localappdata%\%variable3%.log
  • %localappdata%\%variable4%.log
  • %localappdata%\%variable5%.log
  • %localappdata%\%variable6%.log
  • %localappdata%\%variable7%.log
  • %localappdata%\%variable8%.log

A string with variable content is used instead of %variable1-8%.
