Win32/Ramnit [Threat Name]
Win32/Ramnit.L [Threat Variant Name]
Detection created: May 23, 2011
Signature database version: 6145
Win32/Ramnit.L is a file infector. It uses techniques common to rootkits.
When executed, the virus copies itself into the following location:
The virus creates the following files:
Installs the following system drivers (path, name):
- %temp%\%variable2%.sys, "Microsoft Windows Service"
A string with variable content is used in place of %variable1-3%.
The virus may create and run a new thread with its own program code within any running process.
The virus acquires data and commands from a remote computer or the Internet. The virus contains a list of addresses.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- delete cookies
- delete Registry entries
- capture screenshots
The virus opens TCP port 4678.
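The driver path and display name listed above, together with the TCP port, are host-observable indicators. The following PowerShell triage function is an added example for this page, not ESET's own tooling: it enumerates kernel drivers whose image lives under a Temp directory or that carry the display name "Microsoft Windows Service", and reports any process using local TCP port 4678. The function name, output shape and the `\Temp\` path heuristic are this example's assumptions; it relies on the standard `Get-CimInstance` (Win32_SystemDriver) and `Get-NetTCPConnection` cmdlets and should be run in an elevated session.

```powershell
# Added host-triage helper for the Win32/Ramnit.L indicators on this page.
# Not ESET code; function name and output format are this example's own.
function Find-RamnitHostIndicators {
    [CmdletBinding()]
    param(
        [int]$Port = 4678,                                   # TCP port named on the page
        [string]$DriverName = 'Microsoft Windows Service'    # driver name named on the page
    )

    $findings = @()

    # 1. Kernel drivers loaded from a Temp directory, or registered under the
    #    name from the page. Legitimate drivers normally live under
    #    %SystemRoot%\System32\drivers, so a .sys under %temp% is suspicious.
    #    Assumption: matching '\Temp\' covers both the per-user
    #    ...\AppData\Local\Temp\ and C:\Windows\Temp\ locations.
    $tempPattern = '\\Temp\\'
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $reasons = @()
        if ($drv.PathName -and $drv.PathName -match $tempPattern) {
            $reasons += 'driver image under a Temp directory'
        }
        if ($drv.DisplayName -eq $DriverName -or $drv.Name -eq $DriverName) {
            $reasons += "driver registered as '$DriverName'"
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Indicator = 'SystemDriver'
                Detail    = "$($drv.Name) -> $($drv.PathName) [$($drv.State)]"
                Reason    = $reasons -join '; '
            }
        }
    }

    # 2. Any TCP endpoint bound to the port from the page, with its owning process.
    #    -ErrorAction SilentlyContinue suppresses the "no objects found" error
    #    that Get-NetTCPConnection raises when the port is not in use.
    foreach ($conn in Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Indicator = 'TcpPort'
            Detail    = "PID $($conn.OwningProcess) ($($proc.ProcessName)) $($conn.State) on $($conn.LocalAddress):$($conn.LocalPort)"
            Reason    = "local TCP port $Port in use"
        }
    }

    return $findings
}

# Usage: print findings, or confirm the host shows none of these indicators.
$hits = Find-RamnitHostIndicators
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No Win32/Ramnit.L host indicators found.'
}
```

A hit on the port check alone is not conclusive, since any software may bind 4678; treat it as a pivot for process inspection. A kernel driver loading from a Temp directory, by contrast, is abnormal on any Windows host and warrants collecting the .sys file and its service registry entry before remediation.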
Win32/Ramnit.L can infect executable files.
The virus infects the files with program code that is downloaded from the Internet.
The virus hooks the following Windows APIs:
- ZwWriteVirtualMemory (ntdll.dll)
- ZwOpenKey (ntoskrnl.exe)
- ZwOpenKeyEx (ntoskrnl.exe)
- ZwOpenKeyTransacted (ntoskrnl.exe)
- ZwOpenKeyTransactedEx (ntoskrnl.exe)
- ZwCreateKey (ntoskrnl.exe)