A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #10815  by rkhunter
 Thu Jan 05, 2012 8:01 am
Ramnit virus dropper - Trojan:Win32/Ramnit.A.
Performs a lot of system modifications: http://www.threatexpert.com/report.aspx ... c63c285a80

14/43 >> 32.6%

Edit: extracted infector added - Virus:Win32/Ramnit.AF.

MD5: fe2d59a14966a9b62f0429650f3b4b41

38/43 >> 88.4%
 #10823  by cjbi
 Thu Jan 05, 2012 11:35 am
Virus:Win32/Ramnit.AF is interesting!
Aggressive infection (injects thread(s) into all processes) & virus + rootkit + etc.!

Interesting string from rootkit.
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Injected thread(s) memory dump and rootkit memory dump attached.
 #10885  by rkhunter
 Sat Jan 07, 2012 3:51 am
2 samples of Trojan:Win32/Ramnit with same driver in attach.

15/43 >> 34.9%

14/42 >> 33.3%

Driver:
\Device\631D2408D44C4f47AC647AB96987D4D5
\DosDevices\631D2408D44C4f47AC647AB96987D4D5
systemroot\temp\%x
win32k.sys
\systemroot\system32\win32k.sys
csrss.exe
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
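The strings rkhunter pulled from the driver are the obvious triage indicators: the GUID-named device and symbolic link, the win32k.sys / csrss.exe references, and the SdtRestore.pdb build path. A practical detail when grepping a driver for them is that NT object names live in the image as UNICODE_STRING literals (UTF-16LE), while the PDB path sits in the narrow-character CodeView RSDS record, so an ASCII-only search misses the device name. The script below is an added example written for this thread, not code from any poster or from the sample; it searches a file for each indicator in both encodings and parses the PDB path out of the first RSDS record. The `build_sample()` bytes are a constructed stand-in, not a real Ramnit driver.

```python
"""Triage a suspected Ramnit driver for the strings posted in this thread."""
import struct
import sys
import uuid

# Indicators quoted from rkhunter's string dump of the driver.
INDICATORS = [
    r"\Device\631D2408D44C4f47AC647AB96987D4D5",
    r"\DosDevices\631D2408D44C4f47AC647AB96987D4D5",
    r"systemroot\temp\%x",
    r"\systemroot\system32\win32k.sys",
    "csrss.exe",
    r"c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb",
]

# Device/symlink names are UTF-16LE in a kernel driver; the CodeView PDB
# path is narrow ASCII.  Search both so neither kind of string is missed.
ENCODINGS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


def find_indicators(data: bytes) -> dict:
    """Map each indicator found to the list of encodings it appeared in.

    Matching is case-insensitive: bytes.lower() only touches ASCII bytes,
    so the 0x00 high bytes of UTF-16LE text are left intact.
    """
    haystack = data.lower()
    hits = {}
    for ind in INDICATORS:
        found = [label for label, enc in ENCODINGS
                 if ind.encode(enc).lower() in haystack]
        if found:
            hits[ind] = found
    return hits


def extract_pdb_path(data: bytes):
    """Return the PDB path from the first RSDS CodeView record, or None.

    Layout: 'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated path.
    """
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4
    end = data.find(b"\x00", start)
    if end < 0:
        return None
    return data[start:end].decode("latin-1")


def build_sample() -> bytes:
    """Constructed stand-in for a driver image (NOT a real Ramnit sample)."""
    pdb = INDICATORS[-1].encode("ascii")
    cv_record = (b"RSDS" + uuid.UUID(int=0).bytes_le
                 + struct.pack("<I", 1) + pdb + b"\x00")
    return (b"\x00" * 16
            + INDICATORS[0].encode("utf-16-le") + b"\x00\x00"
            + INDICATORS[1].encode("utf-16-le") + b"\x00\x00"
            + b"csrss.exe\x00"
            + b"\x00" * 8 + cv_record + b"\x00" * 16)


def triage(data: bytes) -> dict:
    """Combine both checks into one report for a file's contents."""
    return {"indicators": find_indicators(data), "pdb": extract_pdb_path(data)}


if __name__ == "__main__":
    # Usage: python triage.py <driver.sys>; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(blob).items():
        print(key, value)
```

Run it against the dropped driver (or a memory dump of it) and expect the device and DosDevices names to show up only as `utf-16le` and the PDB path only as `ascii`; a hit on the exact `631D2408D44C4f47AC647AB96987D4D5` object name is the quickest way to tie a new dropper to the same driver build.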
 #10931  by onthar
 Mon Jan 09, 2012 11:10 pm
rkhunter wrote:2 samples of Trojan:Win32/Ramnit with same driver in attach.

15/43 >> 34.9%

14/42 >> 33.3%

Driver:
\Device\631D2408D44C4f47AC647AB96987D4D5
\DosDevices\631D2408D44C4f47AC647AB96987D4D5
systemroot\temp\%x
win32k.sys
\systemroot\system32\win32k.sys
csrss.exe
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Strange. If I am not mistaken, this version doesn't infect files.

By the way, XueTr can't cope with this infection. What ARK is best against Ramnit?
 #10934  by kmd
 Tue Jan 10, 2012 2:31 am
onthar wrote:
rkhunter wrote:2 samples of Trojan:Win32/Ramnit with same driver in attach.


By the way, XueTr can't cope with this infection. What ARK is best against Ramnit?

That payload is damaged. Any average ARK can wipe the original Ramnit if you know where to look.
XueTr is a Chinese copy-paste from several other ARKs with an embedded BSOD generator (TM).
 #10942  by rkhunter
 Tue Jan 10, 2012 10:31 am
Seems this is a non-trivial option: how it cures itself from the file virus and restarts.
 #11134  by rkhunter
 Thu Jan 19, 2012 7:21 am
Ramnit with file-infector.

MD5: 87633eb6eeb7edd72ded8e33ef0c2920

8/42

The driver has not changed since December.
 #12260  by rkhunter
 Thu Mar 22, 2012 7:20 am
Trojan:Win32/Ramnit

MD5: B6867BAAA9F0627E0FDA773BCDF90BA3
6/43