From: Ant on 29 Jul 2010 21:54
"David H. Lipman" wrote:
> Maybe I have some now Ant.
Infected executables contain an extra section ".rmnet", which is about
48kb in size and contains the new entry point. When run, they drop a
45kb UPX'd exe in the current directory as [infected filename]Srv.exe,
run it and jump to the original entry point of the infected file which
can then run as normal.
The mutex "KyUffThOkYwRRtgPP" is used to ensure only one copy of the
infection is active at a time.
The dropped file creates a "Microsoft" subdirectory in the first
directory successfully written to, resolved from one of these
environment variables or API calls and in this order:
It then copies itself to that location as DesktopLayer.exe and runs
that. DesktopLayer then injects an embedded DLL somewhere using an odd
mechanism which I've yet to investigate.
The DLL creates multiple threads to keep modifying the Winlogon
registry key, contact the site fget-career.com, create autorun.inf
files, do something in the recycle bin and infect executables and html
documents. Other files likely to be created in directories of infected
files are dmlconf.dat and complete.dat.
I've yet to check the infection thread for the method of selecting
files for infection. Html files have VBScript appended to them with
the infector binary encoded as a hex string. When the document is
opened in a browser the binary is written to the user's temp directory
and run using WScript.Shell.
This is a variant of the one in the Symantec report and may or may not
be the same as D. Kaye's.
From: Ant on 29 Jul 2010 22:01
> Html files have VBScript appended to them with
> the infector binary encoded as a hex string. When the document is
> opened in a browser the binary is written to the user's temp directory
> and run using WScript.Shell.
The binary is saved as [user]\temp\svchost.exe
From: John Slade on 29 Jul 2010 22:08
On 7/29/2010 3:56 PM, FromTheRafters wrote:
> "John Slade"<hhitman86(a)pacbell.net> wrote in message
>> It seems the information I found on this worm is that it
>> probably hides in the "system volume information" folder that is "read
>> only" and "hidden" by default.
> Funny, I was led to believe it used the recycle bin.
It's entirely possible as they probably have 30 different
variants of the same worm.
>> The worm just keeps getting reinstalled and can't
>> be cleaned unless the permissions are changed
>> for that folder. The information on this site links to instructions
>> for cleaning RAMNIT.A.
> How is it, that a folder remains inaccesible to a scanner?
It won't allow the removal of the malware because the
folder is read only. It will detect but not clean.
>> This links to information on how to disable "system restore" in
>> order to remove the infection. It may be possible to use some offline
>> scanner like BitDefender to remove the worm but it's better done in
> It is better to clean the malware off the computer, then purge the
> system restore thingy.
Sometimes the way to remove the malware is to remove the
system restore folders but only after a backup is made of the
> The malware can't act against you actively, when
> it is not running. Use drive imaging software, system restore be-damned.
I agree. But some malware needs to be running so it can
be detected and fully removed.
From: David H. Lipman on 29 Jul 2010 22:10
From: "Ant" <not(a)home.today>
| "Ant" wrote:
>> Html files have VBScript appended to them with
>> the infector binary encoded as a hex string. When the document is
>> opened in a browser the binary is written to the user's temp directory
>> and run using WScript.Shell.
| The binary is saved as [user]\temp\svchost.exe
Thank you Ant.
You 'da man! :-)
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: TBerk on 29 Jul 2010 22:17
On Jul 29, 12:46 am, sfdavidka...(a)yahoo.com (David Kaye) wrote:
> In over 8 years doing this full time I've only had to reformat maybe 4 times.
> I've had to reinstall the OS about 10 times. But this one really caught me by
8" floppy disks
5 1/4" floppies, but with Hard Sector holes cut in them
Data Storage on Cassette Tape
Soldering together your own Serial Cable to make sure you got the
Eight years, heh heh. (Not flam'n,) just ruminating nostalgically.
Hell, 'the Cuckoo's Egg' for that matter.
Now I want to pop some corn and go watch a 'Sneakers' & 'Hackers'