Home / malware Virus:Win32/Ramnit.A
First posted on 13 August 2010.
Source: SecurityHomeAliases :
Virus:Win32/Ramnit.A is also known as Type_Win32 (Kaspersky), Win32/Zbot.A (AVG), W32/Infector.Gen2 (Avira), Win32/Ramnit.A (CA), Win32.Rmnet (Dr.Web), W32.Infector (Ikarus), W32/Ramnit.a (McAfee), W32/Patched-I (Sophos), PE_RAMNIT.A (Trend Micro).
Explanation :
Virus:Win32/Ramnit.A is a detection for a virus that infects Windows executable files and HTML files, and spreads to removable drives. The virus attempts to open a backdoor and wait for instructions.
Top
Virus:Win32/Ramnit.A is a detection for a virus that infects Windows executable files and HTML files, and spreads to removable drives. The virus attempts to open a backdoor and wait for instructions. When executed, the virus drops a file as "<file_name>Srv.exe" (for example, "mytestSvr.exe"), where <file_name> is the file name of the infected executable. The dropped file is then executed. This file may be detected as Worm:Win32/Ramnit.A. Spreads via€¦ Infects files Virus:Win32/Ramnit.A also infects .HTML files with .HTML or .HTM extension. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Payload Allows backdoor access / Connects to remote server Virus:Win32/Ramnit.A creates a backdoor by connecting to a remote server. Using this backdoor, a remote attacker can instruct an affected computer to download and execute files. See the description for Worm:Win32/Ramnit.A for more details on how the malware downloads and executes arbitrary files. Injects codeThe virus creates a default web browser process (which is invisible to users) and injects code to it. The infection and backdoor functionality occurs in the web browser process context, presumably for the purpose of bypassing a firewall.
Analysis by Chun FengLast update 13 August 2010