Win32/Ramnit [Threat Name]

Win32/Ramnit.C [Threat Variant Name]

Category virus
Size 78336 B
Detection created Oct 11, 2010
Signature database version 5521
Aliases Backdoor.Win32.IRCNite.bfq (Kaspersky)
  Worm:Win32/Ramnit.A (Microsoft)
  W32.Ramnit (Symantec)
Short description

Win32/Ramnit.C is a file infector.

Installation

When executed, the virus copies itself into some of the following locations:

  • %programfiles%\Microsoft\DesktopLayer.exe
  • %commonprogramfiles%\Microsoft\DesktopLayer.exe
  • %homedrive%%homepath%\Microsoft\DesktopLayer.exe
  • %appdata%\Microsoft\DesktopLayer.exe
  • %system%\Microsoft\DesktopLayer.exe
  • %windir%\Microsoft\DesktopLayer.exe
  • %temp%\Microsoft\DesktopLayer.exe

In order to be executed at every interactive logon, the virus appends its own path to the following Registry value (the original value is kept, so the legitimate userinit.exe still runs and the logon appears normal):

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%originalvalue%,%malwarefilepath%"
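
Winlogon runs every comma-separated entry of Userinit in turn, which is why appending a path is enough for persistence. As an added triage example (not part of the original ESET description), the following Python parses an exported Userinit value the same way and reports any entry other than the legitimate userinit.exe; it also checks whether an appended entry matches the DesktopLayer.exe name used by this variant. The sample values are constructed, and the system root defaults to C:\Windows (an assumption; pass the real %SystemRoot% if it differs). The check is general: it reports any appended Userinit entry, not only this family's.

```python
"""Check a Winlogon Userinit value for appended entries (added example)."""
import ntpath
import re
from typing import List

# Only %SystemRoot%\system32\userinit.exe is expected on a clean installation.
# The default value also ends with a trailing comma, which yields an empty
# entry that Winlogon (and this parser) ignores.
DEFAULT_SYSTEM_ROOT = r"C:\Windows"  # assumption; override with the host's real %SystemRoot%
DROPPER_NAME = "desktoplayer.exe"     # file name used by Win32/Ramnit.C, per the description


def _normalize(path: str, system_root: str) -> str:
    """Expand %SystemRoot% (case-insensitively) and normalise case and separators."""
    expanded = re.sub(r"%systemroot%", lambda _m: system_root, path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def split_userinit(value: str) -> List[str]:
    """Split the REG_SZ into entries, stripping quotes, whitespace and empty items."""
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def suspicious_userinit_entries(value: str, system_root: str = DEFAULT_SYSTEM_ROOT) -> List[str]:
    """Return every entry that is not exactly %SystemRoot%\\system32\\userinit.exe.

    The full path is compared, not just the file name, so a rogue copy named
    userinit.exe in another directory is still reported.
    """
    expected = _normalize(ntpath.join(system_root, "system32", "userinit.exe"), system_root)
    return [e for e in split_userinit(value) if _normalize(e, system_root) != expected]


def looks_like_ramnit_userinit(value: str, system_root: str = DEFAULT_SYSTEM_ROOT) -> bool:
    """True when an appended entry is <some folder>\\Microsoft\\DesktopLayer.exe."""
    for entry in suspicious_userinit_entries(value, system_root):
        parent, name = ntpath.split(entry)
        if name.lower() == DROPPER_NAME and ntpath.basename(parent).lower() == "microsoft":
            return True
    return False


# Constructed sample values (not captured from a real host).
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"
INFECTED_VALUE = r"C:\Windows\system32\userinit.exe,C:\Program Files\Microsoft\DesktopLayer.exe"
ROGUE_VALUE = r"%SystemRoot%\system32\userinit.exe,C:\Users\Public\userinit.exe"

if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE), ("rogue", ROGUE_VALUE)):
        print(label, suspicious_userinit_entries(value), looks_like_ramnit_userinit(value))
```

On a live host the value comes from `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`; feed that string to suspicious_userinit_entries and treat any returned entry as something to acquire and analyse before cleaning the value.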

The virus may create the following files:

  • %currentfolder%\%originalfilename%Srv.exe (79336 B, Win32/Ramnit.C)
  • %temp%\svchost.exe (79336 B, Win32/Ramnit.C)

The virus creates and runs a new thread with its own program code within the following processes:

  • %system%\svchost.exe
  • %programfiles%\Internet Explorer\iexplore.exe

Executable file infection

The virus searches local drives for files with the following file extensions:

  • .exe
  • .dll

It avoids files which contain any of the following strings in their path:

  • RMNetwork

Files are infected by adding a new section that contains the virus code.

The host file is modified so that the virus code is executed before the original program code runs.

The size of the inserted code is 79872 B.
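
The infection pattern described in this section, a new executable section appended to the host with execution diverted to it before the original code, is the basis of a common triage heuristic. The following Python is an added example, not part of the ESET description: it parses the PE headers without third-party libraries and reports whether the entry point lies inside an executable last section, using the 79872 B figure from this page only as corroboration. Both sample images are constructed in memory (headers only), and the ".added" section name is a placeholder because the description does not give the real one.

```python
"""Flag PE files whose entry point lies in an appended last section (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
RAMNIT_C_INSERTED_CODE_SIZE = 79872  # size of the appended code given in the description


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section headers) for a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at offset 16 of the optional header in both formats.
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = fields
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rsize, rptr, chars))
    return entry_rva, sections


def appended_section_indicators(data: bytes) -> Dict[str, object]:
    """Indicators for the 'appended section runs first' infection pattern."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        raise ValueError("PE has no sections")
    last = sections[-1]
    return {
        "last_section_name": last.name,
        "entry_in_last_section": last.contains_rva(entry_rva),
        "last_section_executable": bool(last.characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
        # A size match alone proves nothing, but it is cheap corroboration for this variant.
        "last_section_size_matches_ramnit_c": last.raw_size == RAMNIT_C_INSERTED_CODE_SIZE,
    }


def likely_appended_infector(data: bytes) -> bool:
    """Triage verdict: entry point inside an executable last section.

    Packers such as UPX produce the same layout, so treat hits as leads, not detections.
    """
    ind = appended_section_indicators(data)
    return bool(ind["entry_in_last_section"] and ind["last_section_executable"])


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32 header set in memory (test data, not a real binary).

    Only headers are emitted; section bodies are not needed for this check.
    sections: iterable of (name, virtual_address, virtual_size, raw_size, characteristics).
    """
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table, raw_ptr = b"", 0x400
    for name, vaddr, vsize, rsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr, rsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples. ".added" is a placeholder; the description does not name the real section.
CLEAN_SAMPLE = build_sample_pe(
    [(".text", 0x1000, 0x2000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0x1000, 0xC0000040)],
    entry_rva=0x1200)
INFECTED_SAMPLE = build_sample_pe(
    [(".text", 0x1000, 0x2000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0x1000, 0xC0000040),
     (".added", 0x4000, 0x13800, RAMNIT_C_INSERTED_CODE_SIZE, 0xE0000020)],
    entry_rva=0x4000)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, likely_appended_infector(sample), appended_section_indicators(sample))
```

Run it over a directory of .exe and .dll files (the extensions listed above) by reading each file's bytes into likely_appended_infector; files that hit should be hashed and compared against a known-clean copy rather than deleted, since the host program is still inside them.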

HTML file infection

The virus searches local drives for files with the following file extensions:

  • .htm
  • .html

It avoids files which contain any of the following strings in their path:

  • RMNetwork

The virus writes its own program code into each matching file.

Information stealing

The virus collects the following information:

  • CPU information
  • operating system version

The virus attempts to send gathered information to a remote machine.

Other information

The virus acquires data and commands from a remote computer or the Internet.

The virus contains a list of 4 URLs.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • set up a proxy server
  • capture screenshots
  • send gathered information

The virus checks for Internet connectivity by trying to connect to the following addresses:

  • google.com:80
  • bing.com:80
  • yahoo.com:80

The virus may attempt to delete the following Registry keys (these are the root keys of whole hives, so deleting them destroys the system configuration):

  • [HKEY_LOCAL_MACHINE\SOFTWARE]
  • [HKEY_LOCAL_MACHINE\SYSTEM]
  • [HKEY_LOCAL_MACHINE\HARDWARE]
  • [HKEY_CURRENT_USER\Software]

The virus may cause the operating system to crash.

The virus may turn off the computer.