When the virus runs, it drops a file named "<file name>Srv.exe" (for example, "mytestSrv.exe"), where <file name> is the file name of the infected executable. The dropped file is then run.
This file might be detected as Worm:Win32/Ramnit.A.
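A defender-side check for the naming pattern described above, added here as an example (not code from the write-up or from Microsoft): it pairs every `<base>Srv.exe` with a `<base>.exe` in the same directory. It assumes the dropped file lands beside its host executable, which the write-up does not state; the sample file layout is constructed with empty files.

```python
import os
import tempfile
from pathlib import Path

# Heuristic for the naming pattern above: the virus drops "<file name>Srv.exe" next to an
# infected "<file name>.exe". Assumption (not stated in the write-up): the dropped file
# is written to the same directory as its host executable.
DROPPER_SUFFIX = "Srv.exe"


def find_dropper_pairs(paths):
    """Return sorted (host, dropped) pairs where '<base>.exe' and '<base>Srv.exe' share a directory."""
    by_dir = {}
    for p in map(Path, paths):
        # Windows file names are case-insensitive, so key on the lowercased name
        by_dir.setdefault(str(p.parent), {})[p.name.lower()] = p.name
    hits = []
    for directory, names in by_dir.items():
        for lname, name in names.items():
            if not lname.endswith(DROPPER_SUFFIX.lower()):
                continue
            base = lname[: -len(DROPPER_SUFFIX)]
            host = names.get(base + ".exe") if base else None  # a bare "Srv.exe" has no host
            if host:
                hits.append((os.path.join(directory, host), os.path.join(directory, name)))
    return sorted(hits)


def scan_tree(root):
    """Walk a directory tree and apply the pairing heuristic to every .exe found."""
    return find_dropper_pairs(str(p) for p in Path(root).rglob("*.exe"))


def demo_scan():
    """Build a constructed layout of empty files in a temp dir and scan it (sample data, not malware)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("mytest.exe", "mytestSrv.exe", "notepad.exe", "tools/fooSrv.exe", "tools/Srv.exe"):
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.touch()
        return [(Path(h).name, Path(d).name) for h, d in scan_tree(root)]


if __name__ == "__main__":
    for host, dropped in demo_scan():
        print(f"possible Ramnit drop: {dropped} next to host {host}")
```

Legitimate service binaries that happen to end in "Srv.exe" will also match, so treat a hit as a lead to confirm with an antimalware scan rather than as proof of infection.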
The virus infects files with .HTML or .HTM extensions. The infected .HTML or .HTM files might be detected as Virus:VBS/Ramnit.A.
Allows backdoor access and control / Connects to remote server
The virus creates a backdoor by connecting to a remote server. Using this backdoor, a remote attacker can perform any number of actions, including downloading and running files on the infected PC.
See the description for Worm:Win32/Ramnit.A for more details on how the malware downloads and runs files.
The virus creates a hidden process of the default web browser (not visible to the user) and injects code into it.
It might do this to avoid detection and to make the virus harder to remove from an infected PC.
Analysis by Chun Feng
The following could indicate that you have this threat on your PC:
- You have this file: