Win32/RAMNIT.A Anyone?
in [Anti-Virus]
|
From: David Kaye on 27 Jul 2010 21:30 "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote: >I have never heard of the "Ramnit" trojan. But, there are 100's of thousands > out there >and it isn't a major family/player. I wouldn't call it a trojan at this point because I don't know that it was masquerading as anything else. It never showed a user interface. The symptoms were hosed Internet connections, redirects, and excessive HD access. It is either a virus or a worm. I can't figure out when it was originally downloaded because some executables took on the date/time the OS was originally installed, but I suspect it was concurrent with a Limewire or a torrent connection of some kind, judging by the log files.
From: David Kaye on 27 Jul 2010 21:33 "Ant" <not(a)home.today> wrote: >Symantec wrote something about it in Jan this year. Apparently, it's a >worm that spreads through removable drives and infects executables (so >it's also a virus). Copies itself to the recycle bin and creates >autorun.inf files on all drives. That's what they said in January, but this didn't act that way. I tested with a stick and it didn't even see it. It also appears to be looking for exe and dll files and attaches itself to them. MSSE apparently was able to remove the attachments, but Avast couldn't. Those were the only two anti-malware programs that even saw this. >Yes, if a sample was available I could probably discover exactly what >it did (given a little time). Anyway, since so many infected files >were reported in an earlier post it's just as well he's doing a wipe >and reinstall. Unfortunately that's where I'm going to have to go, or at least reinstall the OS.
From: David H. Lipman on 27 Jul 2010 21:39 From: "David Kaye" <sfdavidkaye2(a)yahoo.com> | "FromTheRafters" <erratic(a)nomail.afraid.org> wrote: >>It's a shame he couldn't provide you with a sample. His description of >>symptoms doesn't exactly match up with what this malware is/does. This >>could be new malware worm dropping ramnit.a as it finds new systems. | What kind of sample? A sample of the malware? I'm loathe to provide that; I | don't want to be responsible for infecting any computers. I've already given | some filenames and directories. | But regardless of what names I provide, there is still something being | launched that I'm unaware of that is rebuilding the files I see. As | previously stated, I've removed the HD, scanned it for rootkits and malware | and reinstalled it and the stuff comes back. | Well, folks, thanks anyway. I'm just going to reinstall Windows, something I | seldom have to do. It's got me beat and I can't spend any more time on this | issue. I'm backed up in work again. Providing a sample of malware to http://www.uploadmalware.com/ will *NOT* cause more computers to be infected. On the contrary, people who have access to the files are experienced at handling malware. The culmination of all submissions get distributed to the listed anti malware companies. Therefore, sample submission to UploadMalware leads to greater recognition of submitted samples. Vendor list: http://www.uploadmalware.com/vendors.php -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: russg on 27 Jul 2010 22:12 snip stuff about experienced posters only. I come here to learn, and there are some experts here. The OP considers himself an expert and only wants talk to experts. I would say his final approach of wiping and re- installing the OS (which he didn't mention), but first trying to save .docs, mp3 and other important files, is the only solution. I learned that RAMNIT.A is a PE infector, infects other known files, like IE. Here's some info at sophos.com: http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss The OP knows the name of the malware, so he must have submitted a sample somewhere.
From: David H. Lipman on 27 Jul 2010 22:21
From: "russg" <russgilb(a)sbcglobal.net> | snip stuff about experienced posters only. | I come here to learn, and there are some experts here. The OP | considers himself an expert and only wants | talk to experts. I would say his final approach of wiping and re- | installing the OS (which he didn't mention), | but first trying to save .docs, mp3 and other important files, is the | only solution. I learned that RAMNIT.A | is a PE infector, infects other known files, like IE. Here's some | info at sophos.com: | http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from= | rss | The OP knows the name of the malware, so he must have submitted a | sample somewhere. From Dave's first post... "Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a time removing it. The only tool the detects it consistently is MS Security Essentials, and MSSE keeps counting it and "disinfecting" it." He didn't submit a sample somewhere, MSE scanned the system, detected it (Win32/RAMNIT.A ), but MSE failed to full remove and clean the system of it. Dave also indicated he tried Avast to no avail. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |