I apologize, there seems to be some confusion on my end as to whether this infection actually patches .exe's or not. I know it patches .html files with VBScript (I have seen this myself). I am getting mixed messages on whether or not the infection patches legitimate .exe's like Virut.BM did.
Can anybody who has studied this answer? Thanks in advance.
Has anyone seen a detection tool that simply detects the presence of the virus? We have had to make our own detection tools and they are not as robust as they could be. We need to be able to use the tool freely without having to pay for it or get into a contract. Thanks in advance.
Norton will also now (actually, it has been a few weeks) remove the VBScript from the .htm(l) files without deleting the .htm(l) files, so the file is back to a pre-Ramnit state.
The only thing is, if the "desktoplayer.exe" that is running is one that is not detected, you just end up going around in circles: the .exe, .dll and .htm(l) files are cleaned, desktoplayer is still running, so it just reinfects the .exe, .dll and .htm(l) files again. Around and around we go.
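A triage check built on the two indicators mentioned in this thread, as an added example that is not from any poster or vendor: it flags .htm(l) files that contain a VBScript block and reports whether a process named desktoplayer.exe is in a supplied process list, so cleaning is not attempted while the process is still running. Assumptions: treating any VBScript `<script>` block as suspect is a heuristic (legitimate legacy pages will also match), the function names are hypothetical, and the sample files and process lists are constructed.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): any VBScript <script> block in an .htm/.html file is suspect.
# Legitimate legacy intranet pages may match, so treat hits as leads, not verdicts.
VBS_BLOCK = re.compile(rb"<script[^>]*\b(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript", re.I)
PROCESS_NAME = "desktoplayer.exe"  # process name taken from the thread

def scan_html(root):
    """Return sorted paths of .htm/.html files under root containing a VBScript block."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if VBS_BLOCK.search(data):
                hits.append(path)
    return sorted(hits)

def process_present(process_names):
    """True if desktoplayer.exe is in a list of image names or paths (case-insensitive)."""
    return any(Path(n.replace("\\", "/")).name.lower() == PROCESS_NAME for n in process_names)

def triage(root, process_names):
    """Cleaning files only sticks once the process is gone, so report that first."""
    files = scan_html(root)
    if process_present(process_names):
        return "stop-process-first", files
    return ("clean-files" if files else "no-indicators"), files

def demo():
    # Constructed sample files and process lists, not real samples.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "clean.html").write_text("<html><body>hi</body></html>")
        Path(tmp, "patched.HTM").write_text(
            "<html><body>hi</body></html>\n<SCRIPT Language=VBScript>' constructed</SCRIPT>")
        v1, f1 = triage(tmp, ["explorer.exe", r"C:\x\DesktopLayer.exe"])
        v2, _ = triage(tmp, ["explorer.exe"])
        return v1, v2, [p.name for p in f1]

if __name__ == "__main__":
    print(demo())
```

Feed `triage` the image names from whatever process listing you already collect (for example the first column of `tasklist` output); the script itself does not enumerate processes.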