Win32/Ramnit [Threat Name]

Win32/Ramnit.BX [Threat Variant Name]

Category virus
Detection created Oct 05, 2015
Signature database version 12358
Aliases Trojan:Win32/Ramnit.gen!A (Microsoft)
  Win32.Rmnet.16 (Dr.Web)
  Win32:RamnitPlugin-A (Avast)
Short description

The virus is a malicious Win32/Ramnit extension (plugin) and is usually delivered as a component of other malware. The file is run-time compressed using UPX.

Installation

The virus does not create any copies of itself.

Executable file infection

Win32/Ramnit.BX can infect executable files.


The virus searches local drives for executable files to infect.


The virus also searches for executables in shared folders of remote machines.


The virus searches for executables with one of the following extensions:

  • .exe
  • .dll

If a folder name matches one of the following strings, files inside it are not infected:

  • c:\windows

Several other criteria are applied when choosing a file to infect.


Files are infected by adding a new section that contains the virus.


The host file is modified in a way that causes the virus to be executed prior to running the original code.


The program code written into infected files is downloaded from the Internet.
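The infection pattern described above (a new section appended to the host, entry point redirected into it so the virus runs before the original code) leaves a structural fingerprint that can be checked without signatures. The following Python is an added example for triage, not code from ESET or from the malware: it parses the PE32/PE32+ headers from the documented layout, locates the section that contains AddressOfEntryPoint, and flags an executable whose entry point sits in its last section, in a writable+executable section, or outside the first code section. The two sample images are constructed in memory; the section name ".newsec" is a placeholder, since the description does not record the name Ramnit uses.

```python
"""Heuristic check for appended-section file infectors (added example, not ESET code)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...]) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                     # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + size_opt
    sections = []
    for i in range(num_sections):
        off = sec_off + i * 40                                # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry_rva, sections


def section_of(rva, sections):
    """Index of the section whose virtual range contains rva, or None."""
    for idx, (_, vaddr, vsize, _) in enumerate(sections):
        if vaddr <= rva < vaddr + max(vsize, 1):
            return idx
    return None


def check_appended_infector(data: bytes):
    """Return a list of reasons the file looks like an appended-section infection (empty = clean)."""
    entry_rva, sections = parse_pe(data)
    idx = section_of(entry_rva, sections)
    if idx is None:
        return ["entry point outside every section"]
    name, _, _, chars = sections[idx]
    reasons = []
    if len(sections) > 1 and idx == len(sections) - 1:
        reasons.append(f"entry point in last section '{name}'")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        reasons.append(f"entry section '{name}' is writable and executable")
    first_code = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and first_code != idx:
        reasons.append(f"entry point not in first code section '{sections[first_code][0]}'")
    return reasons


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image in memory (test fixture only, not a real binary)."""
    size_opt = 224                                            # PE32 optional header + 16 data dirs
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = 0x00000040 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a normal layout, and one with an appended RWX section holding the entry point.
CLEAN_PE = build_pe([(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA)], 0x1200)
INFECTED_PE = build_pe([(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA),
                        (".newsec", 0x4000, 0x8000, CODE | IMAGE_SCN_MEM_WRITE)], 0x4010)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, check_appended_infector(img) or "no findings")
```

Treat a hit as a triage lead, not a verdict: self-extracting archives and some packers also place the entry point in a trailing section, and a scan over the shared folders the virus targets should be paired with a hash or a known-good baseline before anything is quarantined.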

Information stealing

The virus collects the following information:

  • cookies
  • FTP account information
  • user name
  • operating system version
  • language settings

The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox
  • Opera
  • Flash Player
  • Safari
  • Google Chrome
  • Far Manager
  • Total Commander
  • Windows Commander
  • WS_FTP
  • CuteFTP
  • FlashFXP
  • FileZilla
  • FTP Commander
  • BulletProof FTP
  • SmartFTP
  • TurboFTP
  • FFFTP
  • Core FTP
  • FTP Explorer
  • Frigate3
  • Web Site Publisher
  • Classic FTP
  • Fling FTP Software
  • SoftX FTP
  • Directory Opus
  • LeapFtp
  • WinSCP
  • 32bit FTP
  • Ftp Control
  • NetDrive

The virus can send the information to a remote machine.

Other information

The virus acquires data and commands from a remote computer or the Internet.


The virus opens TCP port 23.


It can execute the following operations:

  • infect files on local computer
  • send requested files
  • upload file list
  • download files from a remote computer and/or the Internet
  • run executable files

The virus can be used to gain full access to the compromised computer.


The virus hooks the following Windows APIs:

  • NtCreateUserProcess (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • OpenInputDesktop (user32.dll)
  • SwitchDesktop (user32.dll)
  • DefWindowProcW (user32.dll)
  • DefWindowProcA (user32.dll)
  • DefDlgProcW (user32.dll)
  • DefDlgProcA (user32.dll)
  • DefFrameProcW (user32.dll)
  • DefFrameProcA (user32.dll)
  • DefMDIChildProcW (user32.dll)
  • DefMDIChildProcA (user32.dll)
  • CallWindowProcW (user32.dll)
  • CallWindowProcA (user32.dll)
  • RegisterClassW (user32.dll)
  • RegisterClassA (user32.dll)
  • RegisterClassExW (user32.dll)
  • RegisterClassExA (user32.dll)
  • BeginPaint (user32.dll)
  • EndPaint (user32.dll)
  • GetDCEx (user32.dll)
  • GetDC (user32.dll)
  • GetWindowDC (user32.dll)
  • ReleaseDC (user32.dll)
  • GetUpdateRect (user32.dll)
  • GetUpdateRgn (user32.dll)
  • GetMessagePos (user32.dll)
  • GetCursorPos (user32.dll)
  • SetCursorPos (user32.dll)
  • SetCapture (user32.dll)
  • ReleaseCapture (user32.dll)
  • GetCapture (user32.dll)
  • GetMessageW (user32.dll)
  • GetMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • PeekMessageA (user32.dll)

The virus may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
    • "iCheckReader" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy]
    • "EnableJavaUpdate" = 1
    • "EnableAutoUpdateCheck" = 1
    • "NotifyDownload" = 0
    • "NotifyInstall" = 1

The virus keeps various information in the following files:

  • %localappdata%\%variable1%.log
  • %localappdata%\%variable2%.log
  • %userprofile%\%variable2%.log
  • %homedrive%%homepath%\%variable1%.log

A string with variable content is used instead of %variable1-2%.
