
Trojan:Win32/Ramnit.gen!A


First posted on 15 February 2019.
Source: Microsoft

Aliases:

Trojan:Win32/Ramnit.gen!A is also known as Win-Trojan/Ramnit.163897, W32/Ramnit.H.gen!Eldorado, Packed.Win32.Krap.ar, PWS-Zbot.gen.di, Worm.Win32.Undef.pe, Troj/Krap-AA, Packed.Protexor!gen1.

Explanation:

Trojan:Win32/Ramnit.gen!A is a generic detection for a trojan component of the Win32/Ramnit family. The malware uses the infection routine of certain variants of the Virus:Win32/Ramnit family, for example Virus:Win32/Ramnit.AB.

The trojan spreads by infecting files with certain file extensions. It also injects code into certain processes and communicates with a remote server to receive instructions.

Installation

Upon execution, Trojan:Win32/Ramnit.gen!A drops a randomly named file in the following location:

%ProgramFiles%\[random name].exe (for example, "%ProgramFiles%\hxgxhjmwpexkrjsn.exe")

The trojan then modifies the registry so that the dropped copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "userinit.exe,,%ProgramFiles%\[random name].exe"

Trojan:Win32/Ramnit.gen!A injects malicious code into certain processes including, but not limited to, the following:

iexplore.exe
alg.exe
winlogon.exe
svchost.exe
services.exe
explorer.exe
msieexec.exe

Payload

Infects files
Trojan:Win32/Ramnit.gen!A searches for, and infects, files with the file extensions ".exe", ".htm" and ".html". The infected files may be detected as Virus:Win32/Ramnit.B and Virus:VBS/Ramnit.B.

Communicates with a remote server
Trojan:Win32/Ramnit.gen!A connects to a remote server to download and receive instructions. One particular sample of Trojan:Win32/Ramnit.gen!A is known to connect to the following server:

ytioghfdghvcfgbgvdf.com

Analysis by Jim Wang
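The two indicators that are easiest to check from the description above are the Winlogon Userinit value (which should contain only userinit.exe, not an extra executable under %ProgramFiles%) and DNS lookups of the server named in the write-up. The following Python is an added triage example, not code from Microsoft or from the page; the Userinit values and DNS log lines it runs on are constructed samples, and the log format is hypothetical.

```python
# Added example (not part of the Microsoft write-up): offline triage checks for the
# two indicators the description gives: a Winlogon Userinit value that has gained an
# extra entry under %ProgramFiles%, and DNS log lines that resolve the named server.
# All sample inputs below are constructed for illustration.
import ntpath
import re
from typing import List, Tuple

# Indicator taken from the write-up; a real deployment would load such lists from
# a threat-intel feed rather than hard-code them.
KNOWN_C2_DOMAINS = {"ytioghfdghvcfgbgvdf.com"}

# Constructed Userinit values: the Windows default and a Ramnit-style modification.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
RAMNIT_USERINIT = r"userinit.exe,,%ProgramFiles%\hxgxhjmwpexkrjsn.exe"

# Constructed DNS resolver log lines (the "client=... query=..." format is hypothetical).
SAMPLE_DNS_LOG = [
    "2019-02-15T10:01:02Z client=10.0.0.5 query=www.example.com type=A",
    "2019-02-15T10:01:07Z client=10.0.0.5 query=ytioghfdghvcfgbgvdf.com type=A",
    "2019-02-15T10:01:09Z client=10.0.0.7 query=cdn.ytioghfdghvcfgbgvdf.com type=A",
    "2019-02-15T10:01:11Z client=10.0.0.9 query=notytioghfdghvcfgbgvdf.com type=A",
]


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into its non-empty entries.

    Winlogon runs every entry in turn, so the blank entry produced by ',,' in the
    Ramnit value is harmless noise, but the extra path after it is a persistence hook.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_userinit_entries(value: str,
                                program_files: str = r"C:\Program Files") -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for anything in Userinit that is not the expected userinit.exe.

    %ProgramFiles% is expanded with the supplied directory so the check is deterministic
    on a non-Windows analysis box; on a live host os.path.expandvars would do this.
    """
    findings = []
    for entry in parse_userinit(value):
        # A callable replacement avoids backslash-escape surprises in the path.
        expanded = re.sub(r"%ProgramFiles%", lambda _m: program_files, entry, flags=re.IGNORECASE)
        expanded = expanded.strip('"')
        name = ntpath.basename(expanded).lower()
        if name != "userinit.exe":
            findings.append((expanded, "unexpected Userinit entry"))
        elif ntpath.dirname(expanded) and "system32" not in ntpath.dirname(expanded).lower():
            findings.append((expanded, "userinit.exe outside System32"))
    return findings


# Whole hostname tokens only: at least one dot, not glued to other name characters.
_HOST_TOKEN = re.compile(r"(?<![a-z0-9.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![a-z0-9.-])")


def c2_dns_hits(log_lines: List[str], domains=KNOWN_C2_DOMAINS) -> List[str]:
    """Return log lines that query a known C2 domain or any subdomain of it.

    Matching on whole tokens means 'notytioghfdghvcfgbgvdf.com' is not a hit;
    only the exact name or a dotted subdomain of it is.
    """
    hits = []
    for line in log_lines:
        for host in _HOST_TOKEN.findall(line.lower()):
            if any(host == d or host.endswith("." + d) for d in domains):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_USERINIT), ("ramnit-style", RAMNIT_USERINIT)):
        print(label, suspicious_userinit_entries(value))
    for line in c2_dns_hits(SAMPLE_DNS_LOG):
        print("C2 lookup:", line)
```

On a real host, the Userinit value would be read from the subkey given above (for example with `reg query` or PowerShell's `Get-ItemProperty`) and passed to `suspicious_userinit_entries`; the DNS check is meant to be run over exported resolver or proxy logs, with the domain list replaced by a current intelligence feed.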

Last update 15 February 2019
