Trojan:WinNT/Ramnit.gen!A is dropped by other variants of the Ramnit family to the %TEMP% folder as a system file (.SYS) with a random name, for example "qxcouvmc.sys". In the wild, we have observed Trojan:Win32/Ramnit.A dropping this trojan.
Disables or prevents your antivirus and security products from working properly
Trojan:WinNT/Ramnit.gen!A hooks the following APIs to prevent security products from detecting other components of the Ramnit family:
Trojan:WinNT/Ramnit.gen!A also receives a list of security products from other components of the Ramnit family, for example, Trojan:Win32/Ramnit.A. Trojan:WinNT/Ramnit.gen!A then kills the products on that list.
Analysis by Tim Liu
The following system changes may indicate the presence of this malware:
- Your antivirus or security product does not work correctly or stops working completely