Virus:Win32/Ramnit.G


First posted on 03 January 2020.
Source: Microsoft

Aliases :

Virus:Win32/Ramnit.G is also known as W32/Ramnit.C, Virus.Win32.Nimnul.a, W32/Ramnit.a, Win32.Ramnit.Gen, Win32/Zbot.E, W32/Infector.Gen2, Win32.Ramnit, Win32/Ramnit.A, Win32.Rmnet, Win32/Ramnit.E, Virus.Win32.Nimnul, W32/Cosmu.gen, Win32.Ramnit.a, W32/Patched-I, and more.

Explanation :

Virus:Win32/Ramnit.G is a detection for a virus that infects Windows executable files and HTML files, and spreads to removable drives. The virus attempts to open a backdoor and wait for instructions.

Installation

When executed, the virus drops a file as "<file name>Srv.exe" (for example, "mytestSrv.exe"), where <file name> is the file name of the infected executable. The dropped file is then executed. This file may be detected as Worm:Win32/Ramnit.A.

Virus:Win32/Ramnit.G also drops itself as "watermark.exe" under the directory %program_files%\microsoft. When launched, this copy injects code into svchost.exe. The malware also makes the following registry modification, which causes Winlogon to start watermark.exe at every interactive logon:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "userinit.exe,,%program_files%\microsoft\watermark.exe"

Spreads via…

Infects files

Virus:Win32/Ramnit.G also infects files with an .HTML or .HTM extension. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.B.

Payload

Allows backdoor access and control

Virus:Win32/Ramnit.G creates a backdoor by connecting to a remote server. Using this backdoor, a remote attacker can instruct an affected computer to download and execute files.

In the wild, we have observed the malware contacting the following domains for this purpose:

zahlung.name
tybdtyutjfyvetscev.com
ervwetyrbuyouiylkdhrbt.com
wervynuuyjhnbvfservdy.com
tybsyiutnrtvtybdrser.com

Analysis by Tim Liu
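As an added example, not part of the Microsoft write-up, the following Python helpers check data collected from a suspect host against the indicators described above: the Winlogon "Userinit" value, a directory listing for the "<file name>Srv.exe" companion of an infected executable, and DNS query logs for the listed domains. All paths, file names, the log line format and the sample inputs are constructed for illustration. The helpers take plain strings so they run offline on any platform; on a live Windows host the Userinit value would first be exported with reg query or PowerShell.

```python
"""Offline triage helpers for the Ramnit.G indicators described above.

Added example, not code from the Microsoft write-up. All sample data below
is constructed; on a real host the Userinit value, directory listing and
DNS log are exported first and then fed to these functions.
"""
from __future__ import annotations

import ntpath
import re

# Command-and-control domains listed in the write-up.
RAMNIT_G_DOMAINS = {
    "zahlung.name",
    "tybdtyutjfyvetscev.com",
    "ervwetyrbuyouiylkdhrbt.com",
    "wervynuuyjhnbvfservdy.com",
    "tybsyiutnrtvtybdrser.com",
}


def check_userinit(value: str) -> list[str]:
    """Return every Userinit entry that is not the stock userinit.exe.

    Winlogon launches each comma-separated program in this value at logon,
    so any extra entry is a persistence hook, whatever it is called. An
    entry is also flagged when it is named userinit.exe but does not live
    in System32. The doubled comma in the Ramnit data yields an empty
    entry, which is skipped rather than flagged.
    """
    suspicious = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        exe = ntpath.basename(entry).lower()
        directory = ntpath.dirname(entry).lower()
        if exe != "userinit.exe" or (directory and not directory.endswith(r"\system32")):
            suspicious.append(entry)
    return suspicious


def find_srv_companions(filenames: list[str]) -> list[tuple[str, str]]:
    """Pair each '<name>.exe' with a '<name>Srv.exe' in the same listing.

    The dropped copy is named after the infected host executable, so the
    (host, dropped) pair is a far stronger signal than a lone *Srv.exe
    name, which legitimate software uses all the time.
    """
    names = {ntpath.basename(f).lower(): f for f in filenames}
    pairs = []
    for lower, original in names.items():
        if lower.endswith("srv.exe") and len(lower) > len("srv.exe"):
            host = lower[: -len("srv.exe")] + ".exe"
            if host in names:
                pairs.append((names[host], original))
    return sorted(pairs)


def match_dns_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, name) for each query of a listed domain or a subdomain of one."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in re.split(r"[\s,;\"']+", line):
            name = token.rstrip(".").lower()
            for domain in RAMNIT_G_DOMAINS:
                if name == domain or name.endswith("." + domain):
                    hits.append((number, name))
    return hits


# Constructed samples (not data from a real host).
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
RAMNIT_USERINIT = r"userinit.exe,,%program_files%\microsoft\watermark.exe"

SAMPLE_LISTING = [
    r"C:\Tools\mytest.exe",
    r"C:\Tools\mytestSrv.exe",
    r"C:\Tools\UpdateSrv.exe",  # lone *Srv.exe with no companion: not flagged
    r"C:\Tools\readme.txt",
]

SAMPLE_DNS_LOG = [
    "2020-01-03 10:14:02 client 10.0.0.5 query: www.example.com IN A",
    "2020-01-03 10:14:07 client 10.0.0.5 query: tybdtyutjfyvetscev.com IN A",
    "2020-01-03 10:14:09 client 10.0.0.5 query: cdn.zahlung.name. IN A",
]

if __name__ == "__main__":
    print("clean Userinit  ->", check_userinit(CLEAN_USERINIT))
    print("Ramnit Userinit ->", check_userinit(RAMNIT_USERINIT))
    print("Srv companions  ->", find_srv_companions(SAMPLE_LISTING))
    print("C2 DNS hits     ->", match_dns_log(SAMPLE_DNS_LOG))
```

The Userinit check deliberately flags any extra program rather than searching for the string "watermark.exe": the technique is the appended entry, and the file name is only what this sample happened to use. Likewise the DNS matcher accepts subdomains of the listed names, since a resolver log may record a host label in front of the registered domain.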

Last update 03 January 2020
