
Trojan:Win32/Ramnit.A


First posted on 10 November 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Ramnit.A is also known as Win-Trojan/Downloader.32768.UI (AhnLab), W32/Downldr2.IWUS (Authentium (Command)), TR/Dldr.FakeAV.mkn (Avira), Win32/IRCBot.AIM (CA), Win32/Agent.ODM (ESET), Trojan-Downloader.Win32.FraudLoad.gpn (Kaspersky), Generic FakeAlert!gv (McAfee), W32/Smalltroj.YDYV (Norman), Trj/Zlob.KH (Panda), Mal/FakeAV-CH (Sophos), Backdoor.IRC.Bot (Symantec), TROJ_FRAUDLO.LH (Trend Micro), Trojan.DL.FraudLoad.AASG (VirusBuster), BackDoor.Firepass.23 (Dr.Web), Virtool:Win32/Obfuscator.FW (other).

Explanation :

Trojan:Win32/Ramnit.A is a trojan that allows limited remote access and control to an affected computer.

Installation

Trojan:Win32/Ramnit.A may have been downloaded or distributed in April and May 2010 from various websites, such as the IP address 92.60.177.253. It may have been downloaded as one of the following files:

  • crypt_abuzamnet.info_original.exe
  • crypt_new_ca_g1_enc.exe
  • crypt_new_ca_g2.exe
  • new_uk3.exe
  • install.exe_crypted.exe

When executed, Trojan:Win32/Ramnit.A copies itself as one of the following:

  • <system folder>\booyaka.exe
  • %Program Files%\Microsoft\desktoplayer.exe

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.

The malware appends registry data so that its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "%windir%\system32\userinit.exe,<trojan file name>,"
where the original data was: "%windir%\system32\userinit.exe,"

Payload

Allows limited remote access and control

The trojan opens TCP ports and connects to a remote server, such as "abuzamnet.info", using another TCP port to receive commands from an attacker. Instructions could include the downloading and execution of arbitrary malware.
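The Userinit modification above is a common persistence technique, and it is easy to audit because a stock Windows value contains only userinit.exe. The following is an added example, not code from the original write-up or from any vendor: it parses a Winlogon "Userinit" value (tolerating the trailing comma Windows allows), reports every entry other than the legitimate userinit.exe, and flags entries that match the two drop locations named for this trojan. The function names and the sample values are constructed for this illustration.

```python
# Added example (not from the original write-up): a defender-side check for the
# Winlogon "Userinit" persistence described above. Function names and sample
# values are constructed for this illustration.
import re

# The only entry expected in a stock Windows Userinit value.
LEGITIMATE_USERINIT = r"%windir%\system32\userinit.exe"

# Drop locations named in the write-up. <system folder> varies by Windows
# version, so only the tail of the path is matched.
KNOWN_DROP_PATTERNS = [
    re.compile(r"(?i)\\system32\\booyaka\.exe$"),
    re.compile(r"(?i)\\microsoft\\desktoplayer\.exe$"),
]


def parse_userinit(data: str) -> list[str]:
    """Split a Userinit REG_SZ value into its comma-separated program entries.

    Windows tolerates a trailing comma, so empty fields are dropped.
    """
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def normalize(entry: str) -> str:
    """Lower-case an entry and expand %windir%/%SystemRoot% so spellings compare equal."""
    e = entry.strip().strip('"').lower()
    return e.replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")


def unexpected_userinit_entries(data: str) -> list[str]:
    """Return every Userinit entry that is not the legitimate userinit.exe."""
    expected = normalize(LEGITIMATE_USERINIT)
    return [e for e in parse_userinit(data) if normalize(e) != expected]


def matches_known_drop(entry: str) -> bool:
    """True if an entry points at one of the drop locations named for Ramnit.A."""
    return any(p.search(entry) for p in KNOWN_DROP_PATTERNS)


def assess_userinit(data: str) -> dict:
    """Summarize a Userinit value: clean flag, extra entries, and known Ramnit paths."""
    extra = unexpected_userinit_entries(data)
    return {
        "clean": not extra,
        "extra_entries": extra,
        "known_ramnit_paths": [e for e in extra if matches_known_drop(e)],
    }


if __name__ == "__main__":
    # Constructed sample values mirroring the before/after data in the write-up.
    samples = {
        "stock": r"%windir%\system32\userinit.exe,",
        "infected": r"%windir%\system32\userinit.exe,C:\Windows\System32\booyaka.exe,",
    }
    for name, value in samples.items():
        print(name, assess_userinit(value))

    # On a live Windows host the same check can be run against the registry.
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
            live, _ = winreg.QueryValueEx(key, "Userinit")
        print("live", assess_userinit(live))
    except (ImportError, OSError):
        pass  # not on Windows, or the key could not be read
```

Any extra entry, not only one matching the paths above, deserves a look: the legitimate value has exactly one program, and other malware families use the same key in the same way.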

Analysis by Patrick Nolan

Last update 10 November 2010
