
Virus:Win32/Ramnit.A


First posted on 15 February 2019.
Source: Microsoft

Aliases :

Virus:Win32/Ramnit.A is also known as Type_Win32, Win32/Zbot.A, W32/Infector.Gen2, Win32/Ramnit.A, Win32.Rmnet, W32.Infector, W32/Ramnit.a, W32/Patched-I, PE_RAMNIT.A.

Explanation :

Installation

When the virus runs, it drops a file as "<file name>Srv.exe" (for example, "mytestSvr.exe"), where <file name> is the file name of the infected executable. The dropped file is then run.

This file might be detected as Worm:Win32/Ramnit.A.
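A defender-side triage heuristic for the dropper behaviour described above, added here as an example and not part of the Microsoft write-up: it flags executables that sit in the same directory as a same-named copy carrying the Srv/Svr suffix. The sample path list is constructed; a hit is only a candidate for closer inspection, not a confirmed infection.

```python
import os
from collections import defaultdict

# The description gives the pattern as "<file name>Srv.exe" but the example
# reads "mytestSvr.exe", so both spellings are matched (case-insensitively).
DROPPED_SUFFIXES = ("srv.exe", "svr.exe")

# Constructed sample listing; forward slashes so it runs on any platform.
SAMPLE_PATHS = [
    "C:/Apps/mytest.exe", "C:/Apps/mytestSvr.exe", "C:/Apps/readme.txt",
    "C:/Tools/backup.exe", "C:/Tools/other.exe",
    "D:/Games/gameSrv.exe", "D:/Games/game.exe",
]

def _split(path):
    """Split into (directory, file name), accepting / or \\ separators."""
    norm = path.replace("\\", "/")
    head, _, tail = norm.rpartition("/")
    return head, tail

def find_dropper_pairs(paths):
    """Return sorted (original_exe, dropped_exe) pairs where X.exe and
    XSrv.exe / XSvr.exe coexist in the same directory."""
    by_dir = defaultdict(dict)          # dir -> {lowercased name: path}
    for p in paths:
        d, name = _split(p)
        by_dir[d.lower()][name.lower()] = p
    pairs = []
    for names in by_dir.values():
        for lname, path in names.items():
            if not lname.endswith(".exe"):
                continue
            stem = lname[:-len(".exe")]
            for suffix in DROPPED_SUFFIXES:
                dropped = stem + suffix
                if dropped in names:
                    pairs.append((path, names[dropped]))
    return sorted(pairs)

def collect_paths(root):
    """Walk a real directory tree and return every file path under it."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]

if __name__ == "__main__":
    for original, dropped in find_dropper_pairs(SAMPLE_PATHS):
        print(f"candidate: {original} -> {dropped}")
```

For a live host, feed `collect_paths("C:/")` (or the directory of interest) into `find_dropper_pairs` instead of the constructed list.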

Spreads through…

Infects files

Virus:Win32/Ramnit.A infects HTML files (files with the .HTML or .HTM extension). The infected .HTML or .HTM files might be detected as Virus:VBS/Ramnit.A.

Payload

Allows backdoor access and control / Connects to remote server

Virus:Win32/Ramnit.A creates a backdoor by connecting to a remote server. Using this backdoor, a remote attacker can perform any number of actions, including downloading and running files on the infected PC.

See the description for Worm:Win32/Ramnit.A for more details on how the malware downloads and runs files.

Injects code

The virus launches a hidden instance of the default web browser (the window is not visible to the user) and injects code into that process.

It might do this as a way to avoid detection and make it more difficult to remove from an infected PC.

Analysis by Chun Feng

Last update 15 February 2019
