A forum for reverse engineering, OS internals and malware analysis 

Win32/Ramnit

Forum for analysis and discussion about malware.

Re: Win32.Ramnit

 #10815  by rkhunter
 Thu Jan 05, 2012 8:01 am
Ramnit virus dropper - Trojan:Win32/Ramnit.A.
Performs a lot of system modifications, http://www.threatexpert.com/report.aspx ... c63c285a80

14 /43 >> 32.6%

Edit: extracted infector added - Virus:Win32/Ramnit.AF.

MD5: fe2d59a14966a9b62f0429650f3b4b41

38/43 >> 88.4%
Attachments
pass:malware
(262.66 KiB) Downloaded 90 times
(129.57 KiB) Downloaded 84 times

Re: Win32.Ramnit

 #10823  by cjbi
 Thu Jan 05, 2012 11:35 am
Virus:Win32/Ramnit.AF is interesting!
Aggressive infection (Inject thread(s) to all processes) & Virus + Rootkit + Etc!

Interesting string from rootkit.
Code: Select all
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Injected thread(s) memory dump, rootkit memory dump attached.
Attachments
pw: malware
(99.75 KiB) Downloaded 90 times

Re: Win32.Ramnit

 #10832  by rkhunter
 Thu Jan 05, 2012 1:50 pm
One more Trojan:Win32/Ramnit.A and it's driver.

Dropper:
5/43 >> 11.6%

Installs driver as "Microsoft Windows Service" in registry.
Autostart from Winlogon\Userinit.

Detailed analysis: http://camas.comodo.com/cgi-bin/submit? ... edccedc6fc
Attachments
ramnit driver
(7.29 KiB) Downloaded 87 times
ramnit dropper
(129.62 KiB) Downloaded 95 times

Re: Win32.Ramnit

 #10885  by rkhunter
 Sat Jan 07, 2012 3:51 am
2 samples of Trojan:Win32/Ramnit with same driver in attach.

15/43 >> 34.9%

14/42 >> 33.3%

Driver:
\Device\631D2408D44C4f47AC647AB96987D4D5
\DosDevices\631D2408D44C4f47AC647AB96987D4D5
systemroot\temp\%x
win32k.sys
\systemroot\system32\win32k.sys
csrss.exe
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Attachments
driver
(7.89 KiB) Downloaded 82 times
pass:infected
(149.43 KiB) Downloaded 91 times

Re: Win32.Ramnit

 #10931  by onthar
 Mon Jan 09, 2012 11:10 pm
rkhunter wrote:2 samples of Trojan:Win32/Ramnit with same driver in attach.

15/43 >> 34.9%

14/42 >> 33.3%

Driver:
\Device\631D2408D44C4f47AC647AB96987D4D5
\DosDevices\631D2408D44C4f47AC647AB96987D4D5
systemroot\temp\%x
win32k.sys
\systemroot\system32\win32k.sys
csrss.exe
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Strange, If I am not mistaken, this version doesn't infect files.

By the way, Xuetr can't manage with this infection. What ARK is best against ramnit?

Re: Win32.Ramnit

 #10934  by kmd
 Tue Jan 10, 2012 2:31 am
onthar wrote:
rkhunter wrote:2 samples of Trojan:Win32/Ramnit with same driver in attach.


By the way, Xuetr can't manage with this infection. What ARK is best against ramnit?

that paylod is damaged. any average ark can wipe original ramnit if u knew where to look.
xuert is Chinese copy-past from several other arks with embedded bsod-generator(TM)

Re: Win32.Ramnit

 #10942  by rkhunter
 Tue Jan 10, 2012 10:31 am
Seems this is non-trivial option, how curing itself from file-virus and restart.
  • 1
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
 Return to “Malware”