Trojan:WinNT/Ramnit.gen!A
First posted on 12 March 2013.
Source: Microsoft
Aliases:
Trojan:WinNT/Ramnit.gen!A is also known as Backdoor/Win32.Rootkit (AhnLab), W32/Ramnit.M (Command), Trojan.Rmnet.2 (Dr.Web), Win32/Ramnit.L (ESET), RootKit.Win32.Ramnit.a (Rising AV), Troj/Rootkit-JV (Sophos), RTKT_RAMNIT.KC (Trend Micro).
Explanation:
Installation
Trojan:WinNT/Ramnit.gen!A is a kernel-mode driver dropped by other variants of the Ramnit family into the %TEMP% folder as a system file (.SYS) with a random name, for example "qxcouvmc.sys". Because the name is random, the file location and extension, not the name, are the usable indicator. In the wild, we have observed Trojan:Win32/Ramnit.A dropping this trojan.
Payload
Disables or prevents your antivirus and security products from working properly
Trojan:WinNT/Ramnit.gen!A hooks the following kernel-mode native registry APIs (the routines that create and open registry keys) to prevent security products from detecting other components of the Ramnit family:
- ZwCreateKey
- ZwCreateKeyTransacted
- ZwOpenKey
- ZwOpenKeyEx
- ZwOpenKeyTransacted
- ZwOpenKeyTransactedEx
Trojan:WinNT/Ramnit.gen!A also receives a list of security products from other components of the Ramnit family, for example Trojan:Win32/Ramnit.A, and then terminates the processes of the products on that list.
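The two installation facts above (a randomly named .sys dropped into a Temp folder, loaded as a driver) give a responder a concrete triage check. The script below is an added example written for this page, not code from Microsoft or from the encyclopedia entry; it assumes it is run as an administrator on the host under investigation, and the set of Temp folders it walks is an assumption rather than an indicator taken from the entry.

```powershell
# Added example (not from the Microsoft encyclopedia entry): triage for a
# Ramnit-style kernel component dropped as a randomly named .sys file in a
# Temp folder. Assumptions: run elevated on the suspect host; the Temp folder
# list below is an assumption, not an indicator from the entry.

# Per-user Temp folders plus the system-wide one.
$tempDirs = @(
    $env:TEMP,
    "$env:SystemRoot\Temp"
) + (Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

$tempDirs = $tempDirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique

# 1. A .sys file sitting in a Temp folder is unusual on its own; report each one
#    with its Authenticode status so an unsigned random-name driver stands out.
$suspiciousFiles = foreach ($dir in $tempDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.sys' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Created   = $_.CreationTime
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# 2. Cross-check installed drivers: a driver service whose binary path points
#    into a Temp folder is the loaded form of the same indicator.
$suspiciousDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -match '\\Temp\\') } |
    Select-Object Name, State, StartMode, PathName

"== .sys files found in Temp folders =="
$suspiciousFiles | Format-Table -AutoSize
"== Drivers whose image path is in a Temp folder =="
$suspiciousDrivers | Format-Table -AutoSize
```

One caveat when reading the results: the second check relies on the driver's service entry in the registry, and this component hooks the native key-open and key-create routines precisely to keep security products from seeing related Ramnit components, so on a live infected system that list may come back empty while the file-system check still fires. Where the host is under suspicion, run the file check from an offline or rescue environment, or compare against the same query taken from a known-clean image.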
Related encyclopedia entries
Win32/Ramnit
Trojan:Win32/Ramnit.A
Analysis by Tim Liu
Last update 12 March 2013