From: FromTheRafters on
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i2sotl01lji(a)news4.newsguy.com...
> From: "jcdill" <jcdill.lists(a)gmail.com>
>
> | David H. Lipman wrote:
>>> From: "jcdill" <jcdill.lists(a)gmail.com>
>
>>> | David Kaye wrote:
>>>>> Sorry about the crosspost to ba.internet, but I know there are
>>>>> malware experts
>>>>> out there.
>
>>>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?
>
>>> | No experience, but if I were in your shoes I'd start here:
>
>>> |
>>> <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
>
>>> The problem is that may not be the same based upon the !HTML suffix
>>> which infers HTML
>>> code
>>> and possibly exploitation rather than the actual infection.
>
> | My point was to use the experts-exchange site to get help if the
> answers
> | already posted don't solve the problem. They are amazingly helpful
> with
> | providing assistance (for free) to people who follow the recommended
> | steps (such as running hijackthis and posting the logs etc.). I've
> | found the answer to solving several pesky virus/worm problems simply
> by
> | searching the experts-exchange site without having to post my own
> query,
> | but if I couldn't find the answer in the archives then I wouldn't
> | hesitate to post.
>
> Ant defined the !HTML suffix (and !INF) as being modified by the
> Ramnit.

Seems sort of like the old DAM suffix - but instead of being damaged,
these files were modified to act as droppers. Not actual viral
infection, but perhaps infection in the furtherance of the worm. Another
write-up I saw mentioned infection of portable executable files, again
not with copies of itself like a virus, but rather to add dropper
functionality.

So, I'm guessing it could be polymorphic in the way it infects PEs and
the symptoms David Kaye experienced was because some were being missed
by the current definitions supplied for the AV tools he used.

Either that, or there is something *new* about the one he had.


From: David H. Lipman on
From: "FromTheRafters" <erratic(a)nomail.afraid.org>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:i2sotl01lji(a)news4.newsguy.com...
>> From: "jcdill" <jcdill.lists(a)gmail.com>

>> | David H. Lipman wrote:
>>>> From: "jcdill" <jcdill.lists(a)gmail.com>

>>>> | David Kaye wrote:
>>>>>> Sorry about the crosspost to ba.internet, but I know there are
>>>>>> malware experts
>>>>>> out there.

>>>>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?

>>>> | No experience, but if I were in your shoes I'd start here:

>>>> |
>>>> <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

>>>> The problem is that may not be the same based upon the !HTML suffix
>>>> which infers HTML
>>>> code
>>>> and possibly exploitation rather than the actual infection.

>> | My point was to use the experts-exchange site to get help if the
>> answers
>> | already posted don't solve the problem. They are amazingly helpful
>> with
>> | providing assistance (for free) to people who follow the recommended
>> | steps (such as running hijackthis and posting the logs etc.). I've
>> | found the answer to solving several pesky virus/worm problems simply
>> by
>> | searching the experts-exchange site without having to post my own
>> query,
>> | but if I couldn't find the answer in the archives then I wouldn't
>> | hesitate to post.

>> Ant defined the !HTML suffix (and !INF) as being modified by the
>> Ramnit.

| Seems sort of like the old DAM suffix - but instead of being damaged,
| these files were modified to act as droppers. Not actual viral
| infection, but perhaps infection in the furtherance of the worm. Another
| write-up I saw mentioned infection of portable executable files, again
| not with copies of itself like a virus, but rather to add dropper
| functionality.

| So, I'm guessing it could be polymorphic in the way it infects PEs and
| the symptoms David Kaye experienced was because some were being missed
| by the current definitions supplied for the AV tools he used.

| Either that, or there is something *new* about the one he had.


Maybe it is like the Virut in that it modified HTML files in a way that when viewed it
could cause you to download and re-infect the computer.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: David H. Lipman on
From: "David Kaye" <sfdavidkaye2(a)yahoo.com>

| "FromTheRafters" <erratic(a)nomail.afraid.org> wrote:

>>It's a shame he couldn't provide you with a sample. His description of
>>symptoms doesn't exactly match up with what this malware is/does. This
>>could be new malware worm dropping ramnit.a as it finds new systems.

| What kind of sample? A sample of the malware? I'm loathe to provide that; I
| don't want to be responsible for infecting any computers. I've already given
| some filenames and directories.

< snip >

Samples that I "did" receive from someone who remain anonymous.

http://www.virustotal.com/analisis/ded3dae323a909c4752fa135de72cdc00ce0da3d1a5fd715fe536105a4da8cac-1280356012

http://www.virustotal.com/analisis/08b348341fb2a24d0ddf765afe7fedb171cdd7ab9dcfa5aab5dc6bfa3b2ce797-1280350307



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: FromTheRafters on
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i2t4d301dnu(a)news6.newsguy.com...
> From: "FromTheRafters" <erratic(a)nomail.afraid.org>
>
> | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> | news:i2sotl01lji(a)news4.newsguy.com...
>>> From: "jcdill" <jcdill.lists(a)gmail.com>
>
>>> | David H. Lipman wrote:
>>>>> From: "jcdill" <jcdill.lists(a)gmail.com>
>
>>>>> | David Kaye wrote:
>>>>>>> Sorry about the crosspost to ba.internet, but I know there are
>>>>>>> malware experts
>>>>>>> out there.
>
>>>>>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?
>
>>>>> | No experience, but if I were in your shoes I'd start here:
>
>>>>> |
>>>>> <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
>
>>>>> The problem is that may not be the same based upon the !HTML
>>>>> suffix
>>>>> which infers HTML
>>>>> code
>>>>> and possibly exploitation rather than the actual infection.
>
>>> | My point was to use the experts-exchange site to get help if the
>>> answers
>>> | already posted don't solve the problem. They are amazingly
>>> helpful
>>> with
>>> | providing assistance (for free) to people who follow the
>>> recommended
>>> | steps (such as running hijackthis and posting the logs etc.).
>>> I've
>>> | found the answer to solving several pesky virus/worm problems
>>> simply
>>> by
>>> | searching the experts-exchange site without having to post my own
>>> query,
>>> | but if I couldn't find the answer in the archives then I wouldn't
>>> | hesitate to post.
>
>>> Ant defined the !HTML suffix (and !INF) as being modified by the
>>> Ramnit.
>
> | Seems sort of like the old DAM suffix - but instead of being
> damaged,
> | these files were modified to act as droppers. Not actual viral
> | infection, but perhaps infection in the furtherance of the worm.
> Another
> | write-up I saw mentioned infection of portable executable files,
> again
> | not with copies of itself like a virus, but rather to add dropper
> | functionality.
>
> | So, I'm guessing it could be polymorphic in the way it infects PEs
> and
> | the symptoms David Kaye experienced was because some were being
> missed
> | by the current definitions supplied for the AV tools he used.
>
> | Either that, or there is something *new* about the one he had.
>
>
> Maybe it is like the Virut in that it modified HTML files in a way
> that when viewed it
> could cause you to download and re-infect the computer.

That's what I gathered. Interesting it not being viral with respect to
exe infection though (if that is indeed the case).


From: John Slade on
On 7/29/2010 1:40 PM, David H. Lipman wrote:
> From: "John Slade"<hhitman86(a)pacbell.net>
>
> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>> From: "John Slade"<hhitman86(a)pacbell.net>
>
>>> | On 7/27/2010 11:17 PM, RJK wrote:
>
>
>>>>> "David H. Lipman"<DLipman~nospam~@Verizon.Net
>>>>> <mailto:DLipman~nospam~@Verizon.Net>> wrote in message
>>>>> news:i2o47d0214h(a)news2.newsguy.com...
>>>>> From: "russg"<russgilb(a)sbcglobal.net<mailto:russgilb(a)sbcglobal.net>>
>
>>>>> | snip stuff about experienced posters only.
>
>>>>> | I come here to learn, and there are some experts here. The OP
>>>>> | considers himself an expert and only wants
>>>>> | talk to experts. I would say his final approach of wiping and re-
>>>>> | installing the OS (which he didn't mention),
>>>>> | but first trying to save .docs, mp3 and other important files, is the
>>>>> | only solution. I learned that RAMNIT.A
>>>>> | is a PE infector, infects other known files, like IE. Here's some
>>>>> | info at sophos.com:
>
>>>>> |
>
>>>>> http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_
>>>>> from=
>>>>> | rss
>
>>>>> | The OP knows the name of the malware, so he must have submitted a
>>>>> | sample somewhere.
>
>>>>> From Dave's first post...
>>>>> "Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
>>>>> devil of a
>>>>> time removing it. The only tool the detects it consistently is MS
>>>>> Security
>>>>> Essentials, and MSSE keeps counting it and "disinfecting" it."
>
>>>>> He didn't submit a sample somewhere, MSE scanned the system,
>>>>> detected it
>>>>> (Win32/RAMNIT.A ), but MSE failed to full remove and clean the
>>>>> system of it. Dave also
>>>>> indicated he tried Avast to no avail.
>
>>>>> --
>>>>> Dave
>>>>> http://www.claymania.com/removal-trojan-adware.html
>>>>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>>>> Having cast my eye through this post, I think I would have given
>>>>> PrevX a go :-)
>>>>> ...and having read
>>>>> http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
>
>>>>> ...I think (seeing as Sophos is armed against it), I'd try Sophos
>>>>> CLS from Bart PE cd :-)
>
>>>>> regards, Richard
>
>
>
>>> | It seems the information I found on this worm is that it
>>> | probably hides in the "system volume information" folder that is
>>> | "read only" and "hidden" by default. The worm just keeps getting
>>> | reinstalled and can't be cleaned unless the permissions are
>>> | changed for that folder. The information on this site links to
>>> | instructions for cleaning RAMNIT.A.
>
>>> | http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
>
>>> | This links to information on how to disable "system
>>> | restore" in order to remove the infection. It may be possible to
>>> | use some offline scanner like BitDefender to remove the worm but
>>> | it's better done in Windows.
>
>>> Sorry, you are mis-interpreting the information.
>
>>> Malware doesn't "hide" in the "system volume information" folder. That is where the
>>> System Resore cache resides. What they are talking about is removing restore points
>>> such
>>> that you won't re-infect the PC if you restore the PC from a restore point that had
>>> made
>>> in an infected condition.
>
> | Some malware specifically uses the "system volume
> | information" folder to reinfect the computer. It will infect
> | multiple restore points even those that were there before the
> | particular worm was introduced. I've had some experience with these.
>
>
>>> Howver, I have learned that ist is NOT a good idea to dump the System Restore cache
>>> while
>>> cleaning a PC. It is better to have an infected, working, PC than to have a a PC that
>>> may
>>> be unstable and you can't restore the PC to a stable but infected condition. Once the
>>> PC
>>> is thouroughly cleaned and verified and is stable then you you can dump the System
>>> Restore
>>> cache.
>
> | This is one reason us PROFESSIONALS do a complete drive
> | backup before we remove the infection in this way. That way if
> | something goes wrong, you can always go back to the beginning.
>
> | It's possible to allow writing to the folder in question.
> | I have cleaned a few computers in this way and I usually find
> | that the restore points are not worth saving. I've had
> | absolutely no systems lost due to cleaning out the system
> | restore points. Never lost one and never needed to use the
> | backup on these types of infections. I find it better to have a
> | professional do the malware removal than someone who risks
> | loosing everything because they're afraid to remove the restore
> | caches.
>
> | John
>
>
> You said...
> "Some malware specifically uses the "system volume information" folder to reinfect the
> computer."

Yes that's exactly what I said. One think I've noticed
from 25 years of seeing malware is that the writers of malware
will use anything and everything to infect a system. They will
make it hard as possible to remove them too.

>
> Since you also stated "...us PROFESSIONALS...".

The professional thing to do is make a backup so you can
do what needs to be done to repair the system. I don't usually
hear other professionals say afraid to do something as simple as
removing restore points to repair a system.

> What is that malware spaecifically. You should know it or it should be in your notes.
>

I don't remember the exact name of the worms and trojans
as it was over a year ago when I removed the last one. There are
so many variants of existing malware and new malware out there.
As for my notes, I don't need notes on specific malware I just
do what it takes to remove whatever it is. My notes deal mostly
with behavior of the malware and what it takes to remove it.
However I still have the scanner logs I did then and I'll look
through them. You should also know that scanners can find
malware and not give it a name because it detects signatures and
behavior. The particular malware may not be in the database as yet.

You should know there is malware out there that will
trash the registry and it's backup. It will require some sort of
reinstall to get the system back working. I found it very rare
that I need to do a full reformat and reinstall because of
malware. Some malware will also corrupt system files and when
you remove them with scanners, it will make the installation
unbootable. This is yet another reason professionals will make a
backup if possible before removing infections.

I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.

John