A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1958  by Sneakyone
 Fri Aug 13, 2010 11:05 pm
Rofl, I personally don't like VBox very much. I like Microsoft Virtual PC; it survives a lot more, and it is quick and easy to make another if your VM dies.
 #1959  by ssj100
 Fri Aug 13, 2010 11:30 pm
Sneakyone wrote: Rofl, I personally don't like VBox very much. I like Microsoft Virtual PC; it survives a lot more, and it is quick and easy to make another if your VM dies.
I find VirtualBox pretty fast moving between snapshots. When the VM is hosed, it only takes about 10 seconds to snap back to baseline etc. When's the last time you tried VirtualBox?
 #1962  by Sneakyone
 Sat Aug 14, 2010 2:10 am
I have it now, but I don't like it because I can't copy and paste links to and from the VM, and I can't transfer files easily, and some other things. It is just a personal preference. ;)
 #1963  by Jaxryley
 Sat Aug 14, 2010 2:22 am
With the sample a.exe provided, I ran it in an XP VM and managed to grab the sample below for perusal, which seems to do the same as a.exe, but not many are hitting it over at VT.
lpqs.exe - 6/41 (14.6%) - MD5: 3a89402d839be7526f4049fe181da92f
http://www.virustotal.com/file-scan/rep ... 1281751772
Pass:
infected
 #1997  by Quads
 Sun Aug 15, 2010 11:07 pm
It could be that Dr.Web CureIt (updated) can cure or delete the files involved, depending on the file involved, removing the infection from the .dlls and .exes.

For example

msvcr71.dll;c:\program files\java\jre6\bin;Win32.Rmnet;Cured.;
coreclr.dll;c:\program files\microsoft silverlight\4.0.50524.0;Win32.Rmnet;Cured.;
npctrl.dll;c:\program files\microsoft silverlight\4.0.50524.0;Win32.Rmnet;Cured.;
desktoplayer.exe;c:\program files\microsoft;Trojan.Packed.20343;Deleted.;
pcpitstopscheduleservice.exe;c:\program files\pcpitstop;Win32.Rmnet;Cured.;
wmpnetwk.exe;c:\program files\windows media player;Win32.Rmnet;Cured.;

ADDED: I have attached a log that may help.

Quads
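The six result lines above are in Dr.Web CureIt's semicolon-separated report format: file name, directory, detection name, action taken. The action column is what separates in-place disinfection of a legitimate host file ("Cured.") from removal of a dropped file ("Deleted."). As an added example (not Quads' log tool or anything from Dr.Web), the parser below reads lines in that format, rebuilds the full Windows path, and summarises what was cured versus deleted and which detection names were involved; the sample input is the six lines from the post, and the field layout is assumed from them.

```python
import ntpath  # joins Windows paths correctly even when run on a non-Windows host
from collections import Counter, defaultdict

# Sample input: the six CureIt result lines quoted in the post (file;dir;detection;action;)
SAMPLE_LOG = r"""
msvcr71.dll;c:\program files\java\jre6\bin;Win32.Rmnet;Cured.;
coreclr.dll;c:\program files\microsoft silverlight\4.0.50524.0;Win32.Rmnet;Cured.;
npctrl.dll;c:\program files\microsoft silverlight\4.0.50524.0;Win32.Rmnet;Cured.;
desktoplayer.exe;c:\program files\microsoft;Trojan.Packed.20343;Deleted.;
pcpitstopscheduleservice.exe;c:\program files\pcpitstop;Win32.Rmnet;Cured.;
wmpnetwk.exe;c:\program files\windows media player;Win32.Rmnet;Cured.;
"""


def parse_cureit(text: str) -> list:
    """Parse CureIt-style result lines into records with a full path, detection name and action.

    The assumed layout is name;directory;detection;action; with a trailing ';'.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            raise ValueError("unexpected field count in line: %r" % line)
        name, directory, threat, action = fields
        records.append({
            "path": ntpath.join(directory, name),
            "threat": threat,
            "action": action.rstrip("."),  # "Cured." -> "Cured"
        })
    return records


def summarize(records: list) -> dict:
    """Counts per detection and per action, plus the cured and deleted paths.

    Cured files are legitimate hosts that were disinfected in place, so they are the
    ones worth re-verifying (hash against a known-good install) after cleanup.
    """
    return {
        "by_threat": dict(Counter(r["threat"] for r in records)),
        "by_action": dict(Counter(r["action"] for r in records)),
        "cured": [r["path"] for r in records if r["action"] == "Cured"],
        "deleted": [r["path"] for r in records if r["action"] == "Deleted"],
    }


def touched_directories(records: list) -> dict:
    """Group cured files by directory, which shows which installed products were hit."""
    groups = defaultdict(list)
    for r in records:
        if r["action"] == "Cured":
            groups[ntpath.dirname(r["path"])].append(ntpath.basename(r["path"]))
    return dict(groups)


if __name__ == "__main__":
    recs = parse_cureit(SAMPLE_LOG)
    summary = summarize(recs)
    print("detections:", summary["by_threat"])
    print("actions:   ", summary["by_action"])
    for directory, names in touched_directories(recs).items():
        print("cured in %s: %s" % (directory, ", ".join(names)))
    for path in summary["deleted"]:
        print("deleted:", path)
```

Pointing the parser at a full CureIt report instead of the sample gives the list of disinfected host files to re-check, which is the list ComboFix or a reinstall would need to cover.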
 #1998  by SecConnex
 Mon Aug 16, 2010 2:21 am
Looks like Ramnit indeed grabs random files to infect.

This:

pcpitstopscheduleservice.exe;c:\program files\pcpitstop;Win32.Rmnet;Cured.;

Surprises me. I would not see that targeted ever. That is crazy.

How did it cure it? Did it delete those files, or just remove the malcode from them?

Edit:

Many of those hashes provided for the system files/drivers did not exist in VirusTotal. I intended to do a hash search. :roll:

Is the system still infected? I might be interested in comparing the code of one of those files. Particularly user32.dll.
 #1999  by a_d_13
 Mon Aug 16, 2010 2:24 am
Hello,

Could anyone who's tested this please post a file both before and after infection? I've been investigating the method it uses to infect files, and I'd like a couple of other samples to compare against (non-Windows files if possible, please).

Thanks,
--AD
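When a before/after pair like the one requested above is available, the first comparison an analyst makes is at the PE header level: did the entry point move, did a section appear or grow, and is any section both writable and executable. The following is an added example, not a_d_13's tooling and not a description of Ramnit's actual infection layout: a small stdlib-only PE section-table reader and a diff of two images. The sample "before" and "after" images are constructed minimal PE32 headers with no real code, and the section name ".added" and the modification pattern (new W+X section, entry point redirected into it) are assumptions chosen to exercise the comparison.

```python
import struct

# IMAGE_SCN_* section characteristic bits from the PE/COFF specification
SCN_CODE = 0x00000020
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Read AddressOfEntryPoint and the section table from a PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (entry,) = struct.unpack_from("<I", data, opt + 16)  # same offset in PE32 and PE32+
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, _rawptr, _rel, _lin, _nrel, _nlin, sch = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "chars": sch})
    return {"entry": entry, "sections": sections}


def entry_owner(pe: dict):
    """Name of the section whose RVA range contains the entry point, or None."""
    for s in pe["sections"]:
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def compare_pe(before: bytes, after: bytes) -> list:
    """Header-level differences typical of a file infector: moved entry point,
    added or resized sections, and sections that are writable and executable."""
    b, a = parse_pe(before), parse_pe(after)
    findings = []
    if b["entry"] != a["entry"]:
        findings.append("entry point moved 0x%x -> 0x%x" % (b["entry"], a["entry"]))
    old = {s["name"]: s for s in b["sections"]}
    for s in a["sections"]:
        prev = old.get(s["name"])
        if prev is None:
            findings.append("new section %s at rva 0x%x (%d raw bytes)" % (s["name"], s["va"], s["rawsize"]))
        elif (prev["rawsize"], prev["vsize"]) != (s["rawsize"], s["vsize"]):
            findings.append("section %s resized raw %d -> %d" % (s["name"], prev["rawsize"], s["rawsize"]))
        wx = (s["chars"] & SCN_MEM_WRITE) and (s["chars"] & SCN_MEM_EXECUTE)
        if wx and not (prev and prev["chars"] == s["chars"]):
            findings.append("section %s is writable and executable" % s["name"])
    if entry_owner(b) != entry_owner(a):
        findings.append("entry point now inside %r (was %r)" % (entry_owner(a), entry_owner(b)))
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 header (DOS stub, COFF header, optional header, section table)
    with no code, so the example runs offline. sections: (name, va, vsize, rawsize, chars)."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0).ljust(0xE0, b"\x00")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\x00"), vs, va, rs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, ch in sections)
    return dos + b"PE\x00\x00" + coff + opt + table


# Constructed before/after pair (assumption, not a real infected file): the "after" image
# gains a writable+executable section ".added" and its entry point is redirected into it.
TEXT = (".text", 0x1000, 0x200, 0x200, SCN_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ)
DATA = (".data", 0x2000, 0x100, 0x200, SCN_MEM_READ | SCN_MEM_WRITE)
CLEAN = build_pe([TEXT, DATA], 0x1000)
MODIFIED = build_pe([TEXT, DATA,
                     (".added", 0x3000, 0x400, 0x400,
                      SCN_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE)], 0x3000)

if __name__ == "__main__":
    for finding in compare_pe(CLEAN, MODIFIED):
        print(finding)
```

On real samples, read both files with open(path, "rb") and pass the bytes to compare_pe; a clean rebuild of the same binary should produce no findings, which is a useful sanity check before trusting the diff.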
 #2013  by wealllbe20
 Mon Aug 16, 2010 7:56 pm
Ramnit, what a PITA to get rid of. Almost like an old-school virus.
Attachment: Pe_Ramnit.h ComboFix quarantine file, password infected.
Attachment ramnit.JPG: Ramnit being cleaned by Trend Micro.
 #2014  by SecConnex
 Mon Aug 16, 2010 8:28 pm
Nice. I wonder how much Trend Micro got, before you had to whip out the power tools. :D
 #2015  by wealllbe20
 Mon Aug 16, 2010 8:51 pm
It cleaned every file it found!! It didn't delete one file.
It was in around the 30**-ish range and I found out that there were a lot of infected files in the System Restore folder, so I paused the scan and disabled System Restore.

After running the scan through every file, the machine seemed clean!

It found all the infected exe files but not any of the files that ComboFix picked up. I ran ComboFix after Trend. After ComboFix I ran a few tools (RKU, RunScanner, GMER, HitmanPro, MBAM) and found nothing. I then ran Trend again and it found 0 infections. I called the user today; he says everything is running fine, so I am keeping my fingers crossed.