Win32/Ramnit

Forum for analysis and discussion about malware.
rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Win32.Ramnit

Post by rkhunter » Thu Jan 05, 2012 8:01 am

Ramnit virus dropper - Trojan:Win32/Ramnit.A.
Performs a lot of system modifications: http://www.threatexpert.com/report.aspx ... c63c285a80

14/43 >> 32.6%

Edit: extracted infector added - Virus:Win32/Ramnit.AF.

MD5: fe2d59a14966a9b62f0429650f3b4b41

38/43 >> 88.4%

cjbi
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am

Re: Win32.Ramnit

Post by cjbi » Thu Jan 05, 2012 11:35 am

Virus:Win32/Ramnit.AF is interesting!
Aggressive infection (injects thread(s) into all processes) & Virus + Rootkit + Etc!

Interesting string from the rootkit.

Code:

c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Injected thread(s) memory dump, rootkit memory dump attached.

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Win32.Ramnit

Post by rkhunter » Thu Jan 05, 2012 1:50 pm

One more Trojan:Win32/Ramnit.A and its driver.

Dropper:
5/43 >> 11.6%

Installs the driver as "Microsoft Windows Service" in the registry.
Autostarts from Winlogon\Userinit.

Detailed analysis: http://camas.comodo.com/cgi-bin/submit? ... edccedc6fc
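
A read-only host check for the two persistence points described in this post (a service named "Microsoft Windows Service" and autostart through Winlogon\Userinit), plus the systemroot\temp driver location seen in the strings dumps further down the thread. This is an added example, not code from the thread or from any poster; it assumes that on a clean host Userinit holds only "<SystemRoot>\system32\userinit.exe," and that no legitimate service loads its image from <SystemRoot>\temp.

```powershell
# Added triage script (not from the thread). Reports Userinit entries other than
# the stock userinit.exe, and services whose display name matches the one used by
# this dropper or whose image path resolves into %SystemRoot%\temp.
$findings = @()
$stockUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'

# 1. Winlogon\Userinit: every entry besides the stock userinit.exe is reported.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
foreach ($entry in ($userinit -split ',')) {
    $entry = $entry.Trim()
    if (-not $entry) { continue }
    $expanded = [Environment]::ExpandEnvironmentVariables($entry).Trim('"')
    if ($expanded -ine $stockUserinit) {
        $findings += [pscustomobject]@{ Check = 'Winlogon\Userinit'; Value = $entry }
    }
}

# 2. Services: the display name used by this dropper, or an image path that
#    resolves into %SystemRoot%\temp (where the driver is dropped under a hex name).
$tempDir = (Join-Path $env:SystemRoot 'temp').ToLowerInvariant()
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
foreach ($key in $services) {
    $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $image = [string]$svc.ImagePath
    # Normalise kernel-style prefixes (\??\ and \SystemRoot\) so a plain prefix test works.
    $resolved = [Environment]::ExpandEnvironmentVariables($image) -replace '^\\\?\?\\', ''
    $resolved = $resolved -replace '^\\?SystemRoot\\', ($env:SystemRoot + '\')
    $inTemp = $resolved.ToLowerInvariant().StartsWith($tempDir + '\')
    if ($svc.DisplayName -eq 'Microsoft Windows Service' -or $inTemp) {
        $findings += [pscustomobject]@{ Check = "Service $($key.PSChildName)"; Value = $image }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Ramnit persistence indicators found.' }
```

Run it from an elevated prompt on the suspect host; a hit only names the registry entry to examine, it does not remove anything.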

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Win32.Ramnit

Post by rkhunter » Sat Jan 07, 2012 3:51 am

2 samples of Trojan:Win32/Ramnit with the same driver attached.

15/43 >> 34.9%

14/42 >> 33.3%

Driver:
\Device\631D2408D44C4f47AC647AB96987D4D5
\DosDevices\631D2408D44C4f47AC647AB96987D4D5
systemroot\temp\%x
win32k.sys
\systemroot\system32\win32k.sys
csrss.exe
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb

onthar
Posts: 17
Joined: Wed Jun 01, 2011 9:03 pm
Location: Russia

Re: Win32.Ramnit

Post by onthar » Mon Jan 09, 2012 11:10 pm

rkhunter wrote:2 samples of Trojan:Win32/Ramnit with the same driver attached.

15/43 >> 34.9%

14/42 >> 33.3%

Driver:
\Device\631D2408D44C4f47AC647AB96987D4D5
\DosDevices\631D2408D44C4f47AC647AB96987D4D5
systemroot\temp\%x
win32k.sys
\systemroot\system32\win32k.sys
csrss.exe
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Strange, if I am not mistaken, this version doesn't infect files.

By the way, Xuetr can't manage this infection. What ARK is best against Ramnit?

kmd
Posts: 269
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation

Re: Win32.Ramnit

Post by kmd » Tue Jan 10, 2012 2:31 am

onthar wrote:
rkhunter wrote:2 samples of Trojan:Win32/Ramnit with the same driver attached.


By the way, Xuetr can't manage this infection. What ARK is best against Ramnit?

That payload is damaged. Any average ARK can wipe original Ramnit if you know where to look.
Xuetr is a Chinese copy-paste from several other ARKs with an embedded BSOD-generator(TM).

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Win32.Ramnit

Post by rkhunter » Tue Jan 10, 2012 10:31 am

Seems this is a non-trivial option: how it cures itself from the file-virus and restarts.

Maxstar
Posts: 88
Joined: Wed Jan 26, 2011 10:20 am

Re: Win32.Ramnit

Post by Maxstar » Wed Jan 18, 2012 11:26 am

MD5: c30e096aaf1210052dee20062a962532
https://www.virustotal.com/file/93d87ad ... 326885889/

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Win32.Ramnit

Post by rkhunter » Thu Jan 19, 2012 7:21 am

Ramnit with file-infector.

MD5: 87633eb6eeb7edd72ded8e33ef0c2920

8/42

The driver has not changed since December.

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Win32.Ramnit

Post by rkhunter » Thu Mar 22, 2012 7:20 am

Trojan:Win32/Ramnit

MD5: B6867BAAA9F0627E0FDA773BCDF90BA3
6/43
