
Trojan:Win32/Ramnit.A


First posted on 15 February 2019.
Source: Microsoft

Aliases:

Trojan:Win32/Ramnit.A is also known as Win-Trojan/Downloader.32768.UI, W32/Downldr2.IWUS, TR/Dldr.FakeAV.mkn, Win32/IRCBot.AIM, Win32/Agent.ODM, Trojan-Downloader.Win32.FraudLoad.gpn, Generic FakeAlert!gv, W32/Smalltroj.YDYV, Trj/Zlob.KH, Mal/FakeAV-CH, Backdoor.IRC.Bot, TROJ_FRAUDLO.LH, Trojan.DL.FraudLoad.AASG, BackDoor.Firepass.23, VirTool:Win32/Obfuscator.FW.

Explanation:

Installation

Trojan:Win32/Ramnit.A can be downloaded as one of the following files:

- crypt_abuzamnet.info_original.exe
- crypt_new_ca_g1_enc.exe
- crypt_new_ca_g2.exe
- new_uk3.exe
- install.exe_crypted.exe

It copies itself as one of the following:

- ooyaka.exe
- %ProgramFiles%\Microsoft\desktoplayer.exe

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "%windir%\system32\userinit.exe,"
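The Winlogon Userinit value is a legitimate, single-entry setting, so a defender can flag this persistence technique by checking whether anything other than the stock userinit.exe path has been appended to it. The following PowerShell is an added example written for this page, not part of the original Microsoft entry; the function names (Test-UserinitValue, Test-RamnitDropPath) are assumptions, and the drop path it checks is the %ProgramFiles%\Microsoft\desktoplayer.exe location named above. Run it in an elevated session on the host being inspected.

```powershell
# Added example (not from the original entry): audit the Winlogon Userinit value
# for entries beyond the expected userinit.exe path, and check for the drop file
# named in the description. Function names are hypothetical.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedUserinit = [Environment]::ExpandEnvironmentVariables('%windir%\system32\userinit.exe')

function Test-UserinitValue {
    param([string]$KeyPath = $WinlogonKey)

    # Read the raw comma-separated Userinit string.
    $raw = (Get-ItemProperty -Path $KeyPath -Name 'Userinit' -ErrorAction Stop).Userinit

    # Split on commas, strip quotes and whitespace, drop the empty trailing entry
    # that the legitimate value ("...userinit.exe,") always leaves behind.
    $entries = $raw -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' }

    # Anything that does not expand to the stock userinit.exe path is unexpected.
    $unexpected = @($entries | Where-Object {
        [Environment]::ExpandEnvironmentVariables($_) -ne $ExpectedUserinit
    })

    [pscustomobject]@{
        RawValue   = $raw
        Entries    = @($entries)
        Unexpected = $unexpected
        Suspicious = ($unexpected.Count -gt 0)
    }
}

function Test-RamnitDropPath {
    # Drop location listed in the description above; presence alone is a lead,
    # not proof, so report it for follow-up rather than acting on it.
    $dropPath = Join-Path $env:ProgramFiles 'Microsoft\desktoplayer.exe'
    [pscustomobject]@{
        Path   = $dropPath
        Exists = (Test-Path -LiteralPath $dropPath)
    }
}

$userinit = Test-UserinitValue
$drop     = Test-RamnitDropPath

Write-Output ("Userinit raw value : {0}" -f $userinit.RawValue)
if ($userinit.Suspicious) {
    Write-Warning ("Unexpected Userinit entries: {0}" -f ($userinit.Unexpected -join '; '))
} else {
    Write-Output "Userinit contains only the expected userinit.exe entry."
}
if ($drop.Exists) {
    Write-Warning ("Drop path present: {0}" -f $drop.Path)
} else {
    Write-Output ("Drop path not present: {0}" -f $drop.Path)
}
```

A clean machine reports only the single userinit.exe entry; any additional path is worth capturing (hash, signer, creation time) before remediation. The check compares expanded paths case-insensitively, which is PowerShell's default string comparison and matches how Windows resolves the value.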

Payload

Gives a malicious hacker access to your PC

The trojan opens TCP ports and connects to a remote server, such as "abuzamnet.info", using another TCP port to receive commands from a malicious hacker. Instructions can include downloading and running other files, including malware.

Analysis by Patrick Nolan

Last update 15 February 2019
