From: Ant on
"David H. Lipman" wrote:

> Maybe I have some now Ant.
>
> http://www.virustotal.com/analisis/ded3dae323a909c4752fa135de72cdc00ce0da3d1a5fd715fe536105a4da8cac-1280356012
>
> http://www.virustotal.com/analisis/08b348341fb2a24d0ddf765afe7fedb171cdd7ab9dcfa5aab5dc6bfa3b2ce797-1280350307

Progress report:

Infected executables contain an extra section ".rmnet", which is about
48kb in size and contains the new entry point. When run, they drop a
45kb UPX'd exe in the current directory as [infected filename]Srv.exe,
run it and jump to the original entry point of the infected file which
can then run as normal.

The mutex "KyUffThOkYwRRtgPP" is used to ensure only one copy of the
infection is active at a time.

The dropped file creates a "Microsoft" subdirectory in the first
directory successfully written to, resolved from one of these
environment variables or API calls and in this order:

"%ProgramFiles%"
"%CommonProgramFiles%"
"%HOMEDRIVE%%HOMEPATH%"
"%APPDATA%"
GetSystemDirectoryA
GetWindowsDirectoryA

It then copies itself to that location as DesktopLayer.exe and runs
that. DesktopLayer then injects an embedded DLL somewhere using an odd
mechanism which I've yet to investigate.

The DLL creates multiple threads to keep modifying the Winlogon
registry key, contact the site fget-career.com, create autorun.inf
files, do something in the recycle bin and infect executables and html
documents. Other files likely to be created in directories of infected
files are dmlconf.dat and complete.dat.

I've yet to check the infection thread for the method of selecting
files for infection. Html files have VBScript appended to them with
the infector binary encoded as a hex string. When the document is
opened in a browser the binary is written to the user's temp directory
and run using WScript.Shell.

This is a variant of the one in the Symantec report and may or may not
be the same as D. Kaye's.
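
Ant's indicators above (the appended ".rmnet" section holding the new entry point, the VBScript tacked onto HTML files with a hex-encoded binary and WScript.Shell, and the ordered search for a writable directory to hold Microsoft\DesktopLayer.exe) can be turned into a small offline triage script. This is an added example, not Ant's code or anything from the thread: the PE section table is walked with plain struct parsing, the HTML check only looks at what trails the last </html>, and the sample PE and HTML are constructed for the demo. The 2000-character hex threshold and the exact script markers are assumptions; the two directory arguments to dropper_candidates() stand in for GetSystemDirectoryA/GetWindowsDirectoryA, which are Windows-only.

```python
"""Triage helpers for the ".rmnet" infector described above (added example, not Ant's code).

rmnet_verdict()      - does a PE carry a section named .rmnet, and is the entry point in it?
html_verdict()       - is there VBScript after </html> with a long hex blob and WScript.Shell?
dropper_candidates() - where DesktopLayer.exe would land, in the search order Ant gives.
The sample PE and HTML below are constructed; the 2000-char hex threshold and
the script markers are assumptions, not details taken from the thread.
"""
import ntpath
import re
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER (40 bytes)
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{2000,}")   # assumed threshold; a 45 KB exe is ~90 K hex chars


def _pe_layout(data):
    """Return (entry_rva, [(name, vaddr, vsize, rawsize), ...]) or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (nsections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        h = SECTION_HDR.unpack_from(data, opt_off + opt_size + i * SECTION_HDR.size)
        # h[1]=VirtualSize, h[2]=VirtualAddress, h[3]=SizeOfRawData
        sections.append((h[0].rstrip(b"\0").decode("latin-1"), h[2], h[1], h[3]))
    return entry_rva, sections


def rmnet_verdict(data):
    """(has_rmnet, entry_in_rmnet, rmnet_raw_size); (False, False, 0) for clean or non-PE input."""
    layout = _pe_layout(data)
    if layout is None:
        return (False, False, 0)
    entry_rva, sections = layout
    for name, vaddr, vsize, rawsize in sections:
        if name == ".rmnet":
            return (True, vaddr <= entry_rva < vaddr + max(vsize, rawsize), rawsize)
    return (False, False, 0)


def html_verdict(text):
    """Inspect only what trails the last </html>; returns (has_vbscript, uses_wscript_shell, hex_chars)."""
    closes = list(re.finditer(r"</html\s*>", text, re.I))
    tail = text[closes[-1].end():] if closes else text
    low = tail.lower()
    blob = HEX_BLOB.search(tail)
    return ("<script" in low and "vbscript" in low, "wscript.shell" in low, len(blob.group(0)) if blob else 0)


def dropper_candidates(env, system_dir=None, windows_dir=None):
    """Ordered DesktopLayer.exe locations for an environment mapping; system_dir and
    windows_dir stand in for GetSystemDirectoryA / GetWindowsDirectoryA."""
    home = env.get("HOMEDRIVE", "") + env.get("HOMEPATH", "")   # literal %HOMEDRIVE%%HOMEPATH% expansion
    dirs = [env.get("ProgramFiles"), env.get("CommonProgramFiles"), home,
            env.get("APPDATA"), system_dir, windows_dir]
    return [ntpath.join(d, "Microsoft", "DesktopLayer.exe") for d in dirs if d]


def build_sample_pe():
    """Constructed minimal PE: .text at RVA 0x1000, appended .rmnet at RVA 0x5000 owning the entry point."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, PE32 opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x5010)                        # entry point inside .rmnet
    text = SECTION_HDR.pack(b".text", 0x3000, 0x1000, 0x3000, 0x400, 0, 0, 0, 0, 0x60000020)
    rmnet = SECTION_HDR.pack(b".rmnet", 0xC000, 0x5000, 0xC000, 0x3400, 0, 0, 0, 0, 0xE0000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + text + rmnet


CLEAN_HTML = "<html><body><p>hello</p></body></html>\n"
# Constructed stand-in for the appended script: only the markers, not a working dropper.
INFECTED_HTML = CLEAN_HTML + (
    '<script language="VBScript">\n'
    'Set sh = CreateObject("WScript.Shell")\n'
    'blob = "' + "4d5a90" * 700 + '"\n'
    "</script>\n"
)

if __name__ == "__main__":
    print("pe   :", rmnet_verdict(build_sample_pe()))
    print("html :", html_verdict(INFECTED_HTML), html_verdict(CLEAN_HTML))
    env = {"ProgramFiles": r"C:\Program Files", "HOMEDRIVE": "C:", "HOMEPATH": r"\Users\bob"}
    for p in dropper_candidates(env, r"C:\Windows\system32", r"C:\Windows"):
        print("check:", p)
```

The PE check deliberately requires the entry point to fall inside the .rmnet section rather than matching on the name alone, since a renamed section is cheap for the infector but moving the entry point out of it would break the "jump back to the original entry point" behaviour Ant describes. The HTML check scopes itself to whatever follows the final </html> because the thread says the script is appended, which also keeps it from firing on legitimate inline VBScript inside the document body.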


From: Ant on
"Ant" wrote:

> Html files have VBScript appended to them with
> the infector binary encoded as a hex string. When the document is
> opened in a browser the binary is written to the user's temp directory
> and run using WScript.Shell.

The binary is saved as [user]\temp\svchost.exe


From: John Slade on
On 7/29/2010 3:56 PM, FromTheRafters wrote:
> "John Slade"<hhitman86(a)pacbell.net> wrote in message
> news:tE74o.32165$OU6.25112(a)newsfe20.iad...
>
> [...]
>
>> It seems the information I found on this worm is that it
>> probably hides in the "system volume information" folder that is "read
>> only" and "hidden" by default.
>
> Funny, I was led to believe it used the recycle bin.

It's entirely possible as they probably have 30 different
variants of the same worm.

>
>> The worm just keeps getting reinstalled and can't
>> be cleaned unless the permissions are changed
>> for that folder. The information on this site links to instructions
>> for cleaning RAMNIT.A.
>
> How is it, that a folder remains inaccessible to a scanner?

It won't allow the removal of the malware because the
folder is read only. It will detect but not clean.

>
>> http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
>>
>> This links to information on how to disable "system restore" in
>> order to remove the infection. It may be possible to use some offline
>> scanner like BitDefender to remove the worm but it's better done in
>> Windows.
>
> It is better to clean the malware off the computer, then purge the
> system restore thingy.

Sometimes the way to remove the malware is to remove the
system restore folders but only after a backup is made of the
entire HD.

> The malware can't act against you actively, when
> it is not running. Use drive imaging software, system restore be-damned.
>

I agree. But some malware needs to be running so it can
be detected and fully removed.

John

From: David H. Lipman on
From: "Ant" <not(a)home.today>

| "Ant" wrote:

>> Html files have VBScript appended to them with
>> the infector binary encoded as a hex string. When the document is
>> opened in a browser the binary is written to the user's temp directory
>> and run using WScript.Shell.

| The binary is saved as [user]\temp\svchost.exe


Thank you Ant.

You 'da man! :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: TBerk on
On Jul 29, 12:46 am, sfdavidka...(a)yahoo.com (David Kaye) wrote:
<snip>
> In over 8 years doing this full time I've only had to reformat maybe 4 times.  
> I've had to reinstall the OS about 10 times.  But this one really caught me by
> surprise.

Let's see...


CP/M
8" floppy disks
5 1/4" floppies, but with Hard Sector holes cut in them
Data Storage on Cassette Tape
Soldering together your own Serial Cable to make sure you got the
Handshaking right.

Eight years, heh heh. (Not flam'n, just ruminating nostalgically.)

Hell, 'the Cuckoo's Egg' for that matter.



TBerk
Now I want to pop some corn and go watch a 'Sneakers' & 'Hackers'
double bill...