From: Virus Guy on 28 Jul 2010 08:45

"David H. Lipman" wrote:

> BTW: I re-read this thread. Nowhere did I see anything about the
> removal of the hard disk and scanning it with a surrogate platform
> as suggested by Virus Guy. While this can have drawbacks, it does
> have the propensity of removing protected malware.

Perhaps one day, someone will write some anti-malware software designed to properly scan the registry and MBR and determine an auto-run list for attached slaved drives.
From: David H. Lipman on 28 Jul 2010 19:18

From: "Ant" <not(a)home.today>

| "David H. Lipman" wrote:
>> I have never heard of the "Ramnit" trojan. But, there are 100's of
>> thousands out there and it isn't a major family/player.

| Symantec wrote something about it in Jan this year. Apparently, it's a
| worm that spreads through removable drives and infects executables (so
| it's also a virus). Copies itself to the recycle bin and creates
| autorun.inf files on all drives.
| http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99
| The Ramnit!html and Ramnit!inf designations were for html and inf
| files infected by Ramnit.
| What D. Kaye has is possibly a new variant.

>> I was actually hoping you may have had a sample you could have
>> uploaded to http://www.uploadmalware.com/

| Yes, if a sample was available I could probably discover exactly what
| it did (given a little time). Anyway, since so many infected files
| were reported in an earlier post it's just as well he's doing a wipe
| and reinstall.

Maybe I have some now Ant.

http://www.virustotal.com/analisis/ded3dae323a909c4752fa135de72cdc00ce0da3d1a5fd715fe536105a4da8cac-1280356012
http://www.virustotal.com/analisis/08b348341fb2a24d0ddf765afe7fedb171cdd7ab9dcfa5aab5dc6bfa3b2ce797-1280350307

I'll PM 'ya.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
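Virus Guy's wish above (a scanner that reads the registry and MBR of a slaved drive and builds its auto-run list) and Ant's note that Ramnit drops autorun.inf on every drive both describe checks an analyst can run by hand from a surrogate platform. The script below is an added example written for this thread, not code from any poster or vendor. It assumes the infected disk is slaved into a clean Windows machine as drive E: and as \\.\PhysicalDrive1, and that it is run from an elevated PowerShell; it only reads and reports, it changes nothing on the slaved disk.

```powershell
# Offline autostart triage of a slaved drive (added example, not from the thread).
# Assumptions: slaved volume is E:, slaved disk is \\.\PhysicalDrive1, elevated shell.
param(
    [string]$SlaveRoot = 'E:\',                 # assumed letter of the slaved volume
    [string]$SlaveDisk = '\\.\PhysicalDrive1'   # assumed physical disk of the slaved drive
)

$hivePath = Join-Path $SlaveRoot 'Windows\System32\config\SOFTWARE'
$mountKey = 'HKLM\SlaveSOFTWARE'                # temporary name for the offline hive

# 1. Mount the slaved drive's SOFTWARE hive under a temporary key. Nothing on the
#    slaved disk executes; we are reading its registry from the clean host.
& reg.exe load $mountKey $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hivePath" }

try {
    # 2. Build the auto-run list from the usual HKLM autostart locations.
    $runKeys = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($sub in $runKeys) {
        $psPath = "HKLM:\SlaveSOFTWARE\$sub"
        if (Test-Path -Path $psPath) {
            $key = Get-Item -Path $psPath
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $sub; Name = $name; Command = $key.GetValue($name) }
            }
        }
    }

    # Winlogon Shell and Userinit are also autostart points worth listing.
    $winlogon = 'HKLM:\SlaveSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if (Test-Path -Path $winlogon) {
        Get-ItemProperty -Path $winlogon -Name Shell, Userinit -ErrorAction SilentlyContinue |
            Select-Object -Property Shell, Userinit
    }
}
finally {
    # 3. Always unload, so the slaved hive is not left mounted on the surrogate host.
    & reg.exe unload $mountKey | Out-Null
}

# 4. List autorun.inf on every attached volume (hidden/system attributes included),
#    the artefact Ant's Symantec reference says Ramnit creates on all drives.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $item = Get-Item -LiteralPath $inf -Force
        [pscustomobject]@{
            Drive      = $_.Root
            Attributes = $item.Attributes
            Body       = (Get-Content -LiteralPath $inf -Raw)
        }
    }
}

# 5. Read the slaved disk's MBR (first 512 bytes), check the 0x55AA boot signature
#    and hash it so it can be compared against a known-good copy of the same disk.
$fs = New-Object System.IO.FileStream(
    $SlaveDisk, [System.IO.FileMode]::Open,
    [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
try {
    $mbr = New-Object byte[] 512
    [void]$fs.Read($mbr, 0, 512)
}
finally { $fs.Dispose() }

$signature = '{0:X2}{1:X2}' -f $mbr[510], $mbr[511]     # expected "55AA"
$sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($mbr)
[pscustomobject]@{
    Disk          = $SlaveDisk
    BootSignature = $signature
    MbrSHA256     = ([BitConverter]::ToString($sha256) -replace '-', '')
}
```

The output is a list to read, not a verdict: an unfamiliar command in Run/RunOnce, a Shell or Userinit value that is not the stock explorer.exe/userinit.exe, an autorun.inf that appeared on a fixed disk, or an MBR hash that differs from a trusted image of that disk are the items to investigate on the surrogate platform before the drive goes back into the original machine.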
From: John Slade on 29 Jul 2010 00:41

On 7/27/2010 11:17 PM, RJK wrote:
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net
> <mailto:DLipman~nospam~@Verizon.Net>> wrote in message
> news:i2o47d0214h(a)news2.newsguy.com...
>
> From: "russg" <russgilb(a)sbcglobal.net <mailto:russgilb(a)sbcglobal.net>>
>
> | snip stuff about experienced posters only.
>
> | I come here to learn, and there are some experts here. The OP
> | considers himself an expert and only wants to talk to experts. I would
> | say his final approach of wiping and re-installing the OS (which he
> | didn't mention), but first trying to save .docs, mp3 and other
> | important files, is the only solution. I learned that RAMNIT.A
> | is a PE infector, infects other known files, like IE. Here's some
> | info at sophos.com:
> |
> | http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss
> |
> | The OP knows the name of the malware, so he must have submitted a
> | sample somewhere.
>
> From Dave's first post...
> "Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
> devil of a time removing it. The only tool that detects it consistently
> is MS Security Essentials, and MSSE keeps counting it and "disinfecting" it."
>
> He didn't submit a sample somewhere, MSE scanned the system, detected it
> (Win32/RAMNIT.A ), but MSE failed to fully remove and clean the system
> of it. Dave also indicated he tried Avast to no avail.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
> Having cast my eye through this post, I think I would have given
> PrevX a go :-)
> ...and having read
> http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
>
> ...I think (seeing as Sophos is armed against it), I'd try Sophos
> CLS from Bart PE cd :-)
>
> regards, Richard
>

It seems the information I found on this worm is that it probably hides in the "System Volume Information" folder, which is "read only" and "hidden" by default. The worm just keeps getting reinstalled and can't be cleaned unless the permissions are changed for that folder. The information on this site links to instructions for cleaning RAMNIT.A.

http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059

This links to information on how to disable "system restore" in order to remove the infection. It may be possible to use some offline scanner like BitDefender to remove the worm but it's better done in Windows.

John
From: David Kaye on 29 Jul 2010 03:46

TBerk <bayareaberk(a)yahoo.com> wrote:

>Haven't yet found the beastie this procedure wouldn't clean w/o
>reformatting a drive.

I didn't have to reformat; I reinstalled using the file overwrite method (the one that doesn't destroy the registry) after running several rootkit removers and being certain there were no rootkits. Ramnit destroyed over 4000 executables (exe and dll), so it was inevitable that I'd have to reinstall the OS. Project completed. The computer runs like new.

>If I have time, I go through with it. If it's more expedient to wipe
>the drive I just harvest data, and reinstall the OS. But I prefer the
>'thrill of the hunt' so to speak.

When one does this professionally it's not the thrill of the hunt but keeping the client as happy as possible in the least amount of time. This means disturbing as little of their experience as possible -- keeping their wallpaper and all their other user interface experiences as close to what they were before infection. In over 8 years doing this fulltime I've only had to reformat maybe 4 times. I've had to reinstall the OS about 10 times. But this one really caught me by surprise.
From: David H. Lipman on 29 Jul 2010 06:24

From: "John Slade" <hhitman86(a)pacbell.net>

| On 7/27/2010 11:17 PM, RJK wrote:
>> "David H. Lipman" <DLipman~nospam~@Verizon.Net
>> <mailto:DLipman~nospam~@Verizon.Net>> wrote in message
>> news:i2o47d0214h(a)news2.newsguy.com...
>> From: "russg" <russgilb(a)sbcglobal.net <mailto:russgilb(a)sbcglobal.net>>
>> | snip stuff about experienced posters only.
>> | I come here to learn, and there are some experts here. The OP
>> | considers himself an expert and only wants to talk to experts. I would
>> | say his final approach of wiping and re-installing the OS (which he
>> | didn't mention), but first trying to save .docs, mp3 and other
>> | important files, is the only solution. I learned that RAMNIT.A
>> | is a PE infector, infects other known files, like IE. Here's some
>> | info at sophos.com:
>> |
>> | http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss
>> | The OP knows the name of the malware, so he must have submitted a
>> | sample somewhere.
>> From Dave's first post...
>> "Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
>> devil of a time removing it. The only tool that detects it consistently
>> is MS Security Essentials, and MSSE keeps counting it and "disinfecting" it."
>> He didn't submit a sample somewhere, MSE scanned the system, detected it
>> (Win32/RAMNIT.A ), but MSE failed to fully remove and clean the system
>> of it. Dave also indicated he tried Avast to no avail.
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>> Having cast my eye through this post, I think I would have given
>> PrevX a go :-)
>> ...and having read
>> http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
>> ...I think (seeing as Sophos is armed against it), I'd try Sophos
>> CLS from Bart PE cd :-)
>> regards, Richard

| It seems the information I found on this worm is that it
| probably hides in the "system volume information" folder that is
| "read only" and "hidden" by default. The worm just keeps getting
| reinstalled and can't be cleaned unless the permissions are
| changed for that folder. The information on this site links to
| instructions for cleaning RAMNIT.A.
| http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
| This links to information on how to disable "system
| restore" in order to remove the infection. It may be possible to
| use some offline scanner like BitDefender to remove the worm but
| it's better done in Windows.

Sorry, you are mis-interpreting the information.

Malware doesn't "hide" in the "system volume information" folder. That is where the System Restore cache resides. What they are talking about is removing restore points such that you won't re-infect the PC if you restore the PC from a restore point that had been made in an infected condition.

However, I have learned that it is NOT a good idea to dump the System Restore cache while cleaning a PC. It is better to have an infected, working, PC than to have a PC that may be unstable and you can't restore the PC to a stable but infected condition. Once the PC is thoroughly cleaned and verified and is stable then you can dump the System Restore cache.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp