From: David H. Lipman on 10 Aug 2010 17:14

From: "John Navas" <spamfilter1(a)navasgroup.com>

| On Tue, 10 Aug 2010 07:45:46 -0400, in
| <i3re5e$jkc$1(a)news.eternal-september.org>, "FromTheRafters"
| <erratic(a)nomail.afraid.org> wrote:

>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>news:utd1665r4ab04coghfdir9rsn06cc3f5m8(a)4ax.com...
>>> On Mon, 9 Aug 2010 20:39:32 -0400, in
>>> <i3q747$ago$1(a)news.eternal-september.org>, "FromTheRafters"
>>> <erratic(a)nomail.afraid.org> wrote:

>>>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>>>news:8a5166l8harrijvc3lh42u24s9h0b8r01h(a)4ax.com...

>>>>> I thought "this class of virus" would be specific enough,
>>>>> but you're right that I should have been clearer,
>>>>> and I thank you for the clarification.

>>>>Just curious, what did you mean by 'this class of virus' and the
>>>>infection of possibly needed executables?

>>> I meant the class of virus that implants its own executable files,
>>> and protects them from most methods of removal. Sorry for not being
>>> more clear.

>>That's okay. You are correct that self-contained replicator files can be
>>deleted outright - there is nothing there that needs to be salvaged, but
>>Ramnit.a actually modifies (infects/trojanizes) preexisting program
>>files (although not with a replicant).

| That depends on the actual problem, what the anti-virus system is or is
| not able to remove and disinfect on its own. According to this report:
| <http://www.threatexpert.com/report.aspx?md5=074a688443faea25c2589975069de044>
| Win32/RAMNIT.A modifies few essential executables. My own experience
| with Microsoft Security Essentials (cf OP) is that only non-essential
| files are missed in this case. Do you have experience to the contrary?

That ThreatExpert report is insufficient.

Go back and read Ant's analysis based upon the Ramnit samples I provided him with.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: John Navas on 10 Aug 2010 17:17

On Tue, 10 Aug 2010 17:14:36 -0400, in <i3sh5907nh(a)news6.newsguy.com>,
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "John Navas" <spamfilter1(a)navasgroup.com>
>
>| On Tue, 10 Aug 2010 07:45:46 -0400, in
>| <i3re5e$jkc$1(a)news.eternal-september.org>, "FromTheRafters"
>| <erratic(a)nomail.afraid.org> wrote:
>
>>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>>news:utd1665r4ab04coghfdir9rsn06cc3f5m8(a)4ax.com...
>>>> On Mon, 9 Aug 2010 20:39:32 -0400, in
>>>> <i3q747$ago$1(a)news.eternal-september.org>, "FromTheRafters"
>>>> <erratic(a)nomail.afraid.org> wrote:
>
>>>>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>>>>news:8a5166l8harrijvc3lh42u24s9h0b8r01h(a)4ax.com...
>
>>>>>> I thought "this class of virus" would be specific enough,
>>>>>> but you're right that I should have been clearer,
>>>>>> and I thank you for the clarification.
>
>>>>>Just curious, what did you mean by 'this class of virus' and the
>>>>>infection of possibly needed executables?
>
>>>> I meant the class of virus that implants its own executable files,
>>>> and protects them from most methods of removal. Sorry for not being
>>>> more clear.
>
>>>That's okay. You are correct that self-contained replicator files can be
>>>deleted outright - there is nothing there that needs to be salvaged, but
>>>Ramnit.a actually modifies (infects/trojanizes) preexisting program
>>>files (although not with a replicant).
>
>| That depends on the actual problem, what the anti-virus system is or is
>| not able to remove and disinfect on its own. According to this report:
>| <http://www.threatexpert.com/report.aspx?md5=074a688443faea25c2589975069de044>
>| Win32/RAMNIT.A modifies few essential executables. My own experience
>| with Microsoft Security Essentials (cf OP) is that only non-essential
>| files are missed in this case. Do you have experience to the contrary?
>
>That ThreatExpert report is insufficient.
>
>Go back and read Ant's analysis based upon the Ramnit samples I provided him with.

In which of the 184 messages in this thread would those specifics be?

--
John
"Assumption is the mother of all screw ups."
[Wethern's Law of Suspended Judgement]

From: David H. Lipman on 10 Aug 2010 17:22

From: "John Navas" <spamfilter1(a)navasgroup.com>

>>That ThreatExpert report is insufficient.

>>Go back and read Ant's analysis based upon the Ramnit samples I provided him with.

| In which of the 184 messages in this thread would those specifics be?

Message-ID: <Z6mdnSdGNvB-rc_RnZ2dnUVZ8uCdnZ2d(a)brightview.co.uk>
Message-ID: <R_udnfUgK5IE2snRnZ2dnUVZ8jMAAAAA(a)brightview.co.uk>

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: John Navas on 10 Aug 2010 17:33

On Tue, 10 Aug 2010 17:22:28 -0400, in <i3shk1080j(a)news6.newsguy.com>,
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "John Navas" <spamfilter1(a)navasgroup.com>
>
>>>That ThreatExpert report is insufficient.
>
>>>Go back and read Ant's analysis based upon the Ramnit samples I provided him with.
>
>| In which of the 184 messages in this thread would those specifics be?
>
>Message-ID: <Z6mdnSdGNvB-rc_RnZ2dnUVZ8uCdnZ2d(a)brightview.co.uk>
>Message-ID: <R_udnfUgK5IE2snRnZ2dnUVZ8jMAAAAA(a)brightview.co.uk>

Thank you. That would seem to confirm what I wrote:

It does NOT infect:-
1) Files in the windows directory and its subdirectories.

--
John
"Assumption is the mother of all screw ups."
[Wethern's Law of Suspended Judgement]

From: FromTheRafters on 10 Aug 2010 20:44

"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
news:3dp2669is92a9f58ai7nih728pi8164jpf(a)4ax.com...
> On Tue, 10 Aug 2010 07:45:46 -0400, in
> <i3re5e$jkc$1(a)news.eternal-september.org>, "FromTheRafters"
> <erratic(a)nomail.afraid.org> wrote:
>
>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>news:utd1665r4ab04coghfdir9rsn06cc3f5m8(a)4ax.com...
>>> On Mon, 9 Aug 2010 20:39:32 -0400, in
>>> <i3q747$ago$1(a)news.eternal-september.org>, "FromTheRafters"
>>> <erratic(a)nomail.afraid.org> wrote:
>>>
>>>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>>>news:8a5166l8harrijvc3lh42u24s9h0b8r01h(a)4ax.com...
>>>
>>>>> I thought "this class of virus" would be specific enough,
>>>>> but you're right that I should have been clearer,
>>>>> and I thank you for the clarification.
>>>>
>>>>Just curious, what did you mean by 'this class of virus' and the
>>>>infection of possibly needed executables?
>>>
>>> I meant the class of virus that implants its own executable files,
>>> and protects them from most methods of removal. Sorry for not being
>>> more clear.
>>
>>That's okay. You are correct that self-contained replicator files can
>>be
>>deleted outright - there is nothing there that needs to be salvaged,
>>but
>>Ramnit.a actually modifies (infects/trojanizes) preexisting program
>>files (although not with a replicant).
>
> That depends on the actual problem, what the anti-virus system is or
> is
> not able to remove and disinfect on its own. According to this
> report:
> <http://www.threatexpert.com/report.aspx?md5=074a688443faea25c2589975069de044>
> Win32/RAMNIT.A modifies few essential executables. My own experience
> with Microsoft Security Essentials (cf OP) is that only non-essential
> files are missed in this case. Do you have experience to the
> contrary?

No, but I think I understand what you are saying now.