Win32/RAMNIT.A Anyone?

Discussion in 'Virus Information' started by David Kaye, Jul 27, 2010.

  1. David Kaye

    David Kaye Guest

    Sorry about the crosspost to ba.internet, but I know there are malware experts
    out there.

    Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
    time removing it. The only tool that detects it consistently is MS Security
    Essentials, and MSSE keeps counting it and "disinfecting" it.

    I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I can't
    figure out what's launching it.

    I have eliminated one rootkit and subsequent scans show no more rootkits.
    This thing has dropped startup payloads into the StartUp folder, into the Run
    keys, into Prefetch, and it masquerades as everything from random 4-letter
    clusters to names like "Microsoft Suite", etc.

    It also captures the date when Windows was first installed, so I can't
    reliably search for the thing via date, either.

    Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
    the infections are in everything from drivers to executables in all kinds of
    directories.

    At the moment I'm running the computer in safe mode with no Internet and MSSE
    is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I
    go back into regular mode and get an Internet connection back up it'll start
    infecting again.

    Oh, and I've reset the Winsock stack twice just in case there's a little
    wedgie in there. Still comes back.

    Any help would be most appreciated. You can reach me directly by email. The
    address is valid.

    Thanks.
     
    David Kaye, Jul 27, 2010
    #1
  2. David Kaye

    David Kaye Guest

    I do this professionally as well. I asked *specifically* for comments from
    people who have *experience* with this threat. I used MalwareBytes
    Antimalware several times including the complete disk scan for 2 1/2 hours.
    It did not detect anything.

    Again, I'm interested in hearing only from people who have *experience* with
    Win32.Ramnit.A

    Thank you.
     
    David Kaye, Jul 27, 2010
    #2
  3. From: "David Kaye" <>

    | Sorry about the crosspost to ba.internet, but I know there are malware experts
    | out there.

    | Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
    | time removing it. The only tool that detects it consistently is MS Security
    | Essentials, and MSSE keeps counting it and "disinfecting" it.

    | I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I can't
    | figure out what's launching it.

    | I have eliminated one rootkit and subsequent scans show no more rootkits.
    | This thing has dropped startup payloads into the StartUp folder, into the Run
    | keys, into Prefetch, and it masquerades as everything from random 4-letter
    | clusters to names like "Microsoft Suite", etc.

    | It also captures the date when Windows was first installed, so I can't
    | reliably search for the thing via date, either.

    | Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
    | the infections are in everything from drivers to executables in all kinds of
    | directories.

    | At the moment I'm running the computer in safe mode with no Internet and MSSE
    | is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I
    | go back into regular mode and get an Internet connection back up it'll start
    | infecting again.

    | Oh, and I've reset the Winsock stack twice just in case there's a little
    | wedgie in there. Still comes back.

    | Any help would be most appreciated. You can reach me directly by email. The
    | address is valid.

    | Thanks.


    What is the fully qualified name and path to the file deemed infected with RAMNIT.A and
    did you capture a copy of this malware ?
     
    David H. Lipman, Jul 27, 2010
    #3
  4. David Kaye

    David Kaye Guest

    There are a bunch of folders named such things as FUEM and AVAX, with exes
    under them with randomly generated 4 and 5 character letters. These are under
    the user's temp folder. They do not occur when using the admin account.

    Additionally, there is a folder under Program Files with the name Microsoft,
    and the exe is called Desktoplayer.exe. This exe is launched via the same
    registry entry that launches UserInit.

    Reducing the string so that it launches only UserInit and removing the files
    mentioned here under safe mode won't stop them from being re-created the next
    time I boot into regular mode.

    I removed MSSE and installed Avast instead because MSSE kept noting the
    infections, dealt with them, and then more kept appearing seconds later.
    Under Avast, a 2-hour scan revealed 4300 infected files. I couldn't move them
    all to quarantine so I had to erase some. Unfortunately, this affected some
    critical app files (not Windows OS files, though). So, Firefox crashes, IE
    wants the Office install disk, Picasa hangs, etc.

    Also, the Explorer search feature has the doggie but no text boxes for
    searching, and menu items are missing.

    Thus, it looks like the OS is hosed, so I'll have to reinstall. Only trouble
    is that this customer has a boatload of Word docs, spreadsheets, jpgs, mp3s
    and whatnot. I'm hoping that the docs and xls's aren't infected with malware
    macros.

    This problem was first talked about in January apparently at Trend, but I
    don't see much else in reference to it until 3 days ago, and there are a bunch
    of forums where people are getting this infection. So, it looks like we're
    right at the cusp of a major outbreak.

    It's annoying as hell. In over 8 years of doing malware repair this is in the
    top 2 for awfulness.

    I think the customer got the infection via maybe Limewire, a torrent or
    the Bang Bros porn website (or maybe from a link to it) because the logs
    indicate similar datestamps to the first date stamps on the malware.

    Oh, and the first thing I did was manually roll back the registry using a CD
    boot disk. There were about 3 dozen entries. I rolled it back about halfway
    (about 15 restore points) earlier, which took it to July 13. So, the
    infection must have been there prior to that. When I went back to manually
    roll back further, I noticed that the malware had deleted every restore point
    (snapshot) except the latest 3. I ran an undelete CD on it and couldn't find
    where the other restore points went, so they were probably overwritten.

    I'm going to bed.
     
    David Kaye, Jul 27, 2010
    #4
  5. Virus Guy

    Virus Guy Guest

    If at all physically possible, the standard procedure for ensuring that
    any hard drive is free of malware (trojans, viruses, rootkits, spyware,
    etc) is to remove the drive and connect it as a slave to a known/good
    computer that has competent anti-malware software on it.

    The suspect drive can then be scanned in a way that ensures that any
    malware on it is not operational and therefore not actively thwarting
    the scanning and file-quarantine processes in any way.
     
    Virus Guy, Jul 27, 2010
    #5
  6. P.A. Toot

    P.A. Toot Guest

    Condescending bottom posting bottom feeding jerk.
    :
    : >A friend of mine that does virus removal as part of his business swears
    : >by MalwareBytes
    :
    : I do this professionally as well. I asked *specifically* for comments from
    : people who have *experience* with this threat. I used MalwareBytes
    : Antimalware several times including the complete disk scan for 2 1/2 hours.
    : It did not detect anything.
    :
    : Again, I'm interested in hearing only from people who have *experience* with
    : Win32.Ramnit.A
    :
    : Thank you.
    :
     
    P.A. Toot, Jul 27, 2010
    #6
  7. jcdill

    jcdill Guest

    No experience, but if I were in your shoes I'd start here:

    <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

    jc
     
    jcdill, Jul 27, 2010
    #7
  8. David Kaye

    David Kaye Guest

    Been there, done that. Thanks anyway. I'm reinstalling Windows and the
    programs this afternoon. I hate to do that. Oh well.
     
    David Kaye, Jul 27, 2010
    #8
  9. David Kaye

    David Kaye Guest

    Already did that. Jeez, you guys are no help whatsoever. Thanks for nothing,
    friends. The only responses I've gotten are about things I've already done.
    As stated here earlier, I am a professional who has been doing this stuff for
    8+ years. This is why I've asked specifically for someone who has experience
    with THIS PARTICULAR infestation.
     
    David Kaye, Jul 27, 2010
    #9
  10. From: "jcdill" <>


    | No experience, but if I were in your shoes I'd start here:

    | <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

    The problem is that may not be the same based upon the !HTML suffix which infers HTML code
    and possibly exploitation rather than the actual infection.
     
    David H. Lipman, Jul 27, 2010
    #10
  11. From: "David Kaye" <>


    | Already did that. Jeez, you guys are no help whatsoever. Thanks for nothing,
    | friends. The only responses I've gotten are about things I've already done.
    | As stated here earlier, I am a professional who has been doing this stuff for
    | 8+ years. This is why I've asked specifically for someone who has experience
    | with THIS PARTICULAR infestation.


    Then Dave, state what you have done when you make an initial post!
     
    David H. Lipman, Jul 27, 2010
    #11
  12. David Kaye

    David Kaye Guest

    I've already stated most of what I've done in two previous posts. I've been
    posting in these newsgroups for some time, so people are well aware that I'm
    not a newbie to this stuff.

    I'm not looking for speculation, I'm looking for real experience with this
    specific infection, since it's very different from anything I've encountered
    before.

    I'm surprised that nobody here has seen it before. Does this mean that I'm
    the only one who sees these kinds of things? If so, does that mean that most
    of the people on here have no real-world experience with malware? That's what
    the situation appears to be so far.

    Surely you, David, must have experienced Win32/Ramnit.A in the 6 months since it
    launched. Or instead of being behind the curve on this infection, I'm
    actually far ahead of the curve?
     
    David Kaye, Jul 27, 2010
    #12
  13. Steve Pope

    Steve Pope Guest

    It may be that MSE calls it "Ramnit.A", but other products have
    different names for it which is why nobody has seen it.

    Steve
     
    Steve Pope, Jul 27, 2010
    #13
  14. From: "David Kaye" <>


    | I've already stated most of what I've done in two previous posts. I've been
    | posting in these newsgroups for some time, so people are well aware that I'm
    | not a newbie to this stuff.

    | I'm not looking for speculation, I'm looking for real experience with this
    | specific infection, since it's very different from anything I've encountered
    | before.

    | I'm surprised that nobody here has seen it before. Does this mean that I'm
    | the only one who sees these kinds of things? If so, does that mean that most
    | of the people on here have no real-world experience with malware? That's what
    | the situation appears to be so far.

    | Sure you, David, must have experienced Win32/Ramnit.A in the 6 months since it
    | launched. Or instead of being behind the curve on this infection, I'm
    | actually far ahead of the curve?


    I have never heard of the "Ramnit" trojan. But, there are 100's of thousands out there
    and it isn't a major family/player.

    I was actually hoping you may have had a sample you could have uploaded to http://www.uploadmalware.com/

    BTW: I re-read this thread. Nowhere did I see anything about the removal of the hard
    disk and scanning it with a surrogate platform as suggested by Virus Guy. While this can
    have drawbacks, it does have the propensity of removing protected malware.
     
    David H. Lipman, Jul 28, 2010
    #14
  15. It's a shame he couldn't provide you with a sample. His description of
    symptoms doesn't exactly match up with what this malware is/does. This
    could be a new malware worm dropping ramnit.a as it finds new systems.
     
    FromTheRafters, Jul 28, 2010
    #15
  16. Steve Pope

    Steve Pope Guest

    That could help the OP. Looks like the virus is a month or so old.
    It may not be the same morph that Sophos can clean, but it's a start.

    Steve
     
    Steve Pope, Jul 28, 2010
    #16
  17. From: "Ant" <>


    | Symantec wrote something about it in Jan this year. Apparently, it's a
    | worm that spreads through removable drives and infects executables (so
    | it's also a virus). Copies itself to the recycle bin and creates
    | autorun.inf files on all drives.

    | http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99

    | The Ramnit!html and Ramnit!inf designations were for html and inf
    | files infected by Ramnit.

    | What D. Kaye has is possibly a new variant.

    | Yes, if a sample was available I could probably discover exactly what
    | it did (given a little time). Anyway, since so many infected files
    | were reported in an earlier post it's just as well he's doing a wipe
    | and reinstall.


    Roger that - and thanx Ant.
     
    David H. Lipman, Jul 28, 2010
    #17
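    The thread names four persistence points for this infection: the Winlogon Userinit value (post #4 says Desktoplayer.exe was launched from the same registry entry as UserInit), the Run keys and StartUp folder (post #1), and autorun.inf files on every drive (Ant's write-up quoted in #17). The following read-only PowerShell triage script is an added example and is not code from this thread or from any of the posters. It only reports; it removes nothing. It assumes an elevated PowerShell prompt on the suspect machine, a stock Windows install where Userinit should contain only userinit.exe and Shell should be explorer.exe, and it treats the two locations reported in #4 (a user Temp folder and a "Microsoft" folder under Program Files) as worth flagging; those path patterns are assumptions drawn from the posts, not a general rule, and a legitimate second Userinit entry (some third-party logon clients add one) still has to be judged by the analyst.

```powershell
# Added triage script (not from the thread). Read-only: it lists and flags, it does not delete.
$findings = @()

# 1. Winlogon values. On a stock system Userinit is "<SystemRoot>\system32\userinit.exe,"
#    (trailing comma) and Shell is "explorer.exe". Anything extra is worth explaining.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($entry in $entries) {
    if ($entry -ine $expectedUserinit) {
        $findings += "[SUSPICIOUS] Winlogon\Userinit has an extra entry: $entry"
    }
}
$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
if ($shell -ine 'explorer.exe') {
    $findings += "[SUSPICIOUS] Winlogon\Shell is not explorer.exe: $shell"
}

# 2. Run / RunOnce keys in both hives. Every entry is listed so the analyst can judge it;
#    entries pointing into Temp or Program Files\Microsoft\ (the locations named in the
#    thread; an assumption for this example) are tagged.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
        $cmd = [string]$p.Value
        $suspicious = ($cmd -match '\\Temp\\') -or ($cmd -match 'Program Files\\Microsoft\\')
        $tag = if ($suspicious) { 'SUSPICIOUS' } else { 'info' }
        $findings += "[$tag] $key : $($p.Name) = $cmd"
    }
}

# 3. Per-user and all-users Startup folders. CreationTime is shown but, as post #1 notes,
#    this malware copied the OS install date onto its files, so timestamps alone prove nothing.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $findings += "[info] Startup folder item: $($_.FullName) (created $($_.CreationTime))"
    }
}

# 4. autorun.inf at the root of every filesystem drive: the removable-drive spreading
#    mechanism described in the Symantec write-up Ant quoted.
foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path $inf) {
        $findings += "[SUSPICIOUS] autorun.inf present at $inf"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No findings.' } else { $findings | ForEach-Object { Write-Output $_ } }
```

    Because the infection re-created its files as soon as the machine went back online (post #1), this kind of listing is most useful when taken from Safe Mode or from the drive attached to a clean machine as Virus Guy suggested, and compared before and after a reboot: an entry that reappears after being removed points at whatever launcher the scanners missed. Thousands of infected executables, as reported in #4, still mean a rebuild; the script narrows down what to look at, it does not clean.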
  18. David Kaye

    David Kaye Guest

    What kind of sample? A sample of the malware? I'm loath to provide that; I
    don't want to be responsible for infecting any computers. I've already given
    some filenames and directories.

    But regardless of what names I provide, there is still something being
    launched that I'm unaware of that is rebuilding the files I see. As
    previously stated, I've removed the HD, scanned it for rootkits and malware
    and reinstalled it and the stuff comes back.

    Well, folks, thanks anyway. I'm just going to reinstall Windows, something I
    seldom have to do. It's got me beat and I can't spend any more time on this
    issue. I'm backed up in work again.
     
    David Kaye, Jul 28, 2010
    #18
  19. David Kaye

    David Kaye Guest

    I wouldn't call it a trojan at this point because I don't know that it was
    masquerading as anything else. It never showed a user interface. The
    symptoms were hosed Internet connections, redirects, and excessive HD access.

    It is either a virus or a worm. I can't figure out when it was originally
    downloaded because some executables took on the date/time the OS was
    originally installed, but I suspect it was concurrent with a Limewire or a
    torrent connection of some kind, judging by the log files.
     
    David Kaye, Jul 28, 2010
    #19
  20. David Kaye

    David Kaye Guest

    That's what they said in January, but this didn't act that way. I tested with
    a stick and it didn't even see it. It also appears to be looking for exe and
    dll files and attaches itself to them. MSSE apparently was able to remove the
    attachments, but Avast couldn't. Those were the only two anti-malware
    programs that even saw this.

    Unfortunately that's where I'm going to have to go, or at least reinstall the
    OS.
     
    David Kaye, Jul 28, 2010
    #20