Win32/Ramnit


Microsoft security software detects and removes this threat.

This malware family steals your sensitive information, such as your bank user names and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running.

These threats can be installed on your PC via an infected removable drive, such as a USB flash drive.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

The threat copies itself using a hard-coded name or, in some cases, with a random file name to a random folder, for example:

Some variants copy themselves to the %TEMP% folder with a random name, for example lvjekdwi.exe, hvhvufsa.exe.

This file might be detected as Worm:Win32/Ramnit.A or by another similar detection name.

It creates the following registry entry to ensure that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe"

Win32/Ramnit launches a new instance of the system process svchost.exe and injects code into it. If the malware is unable to inject its code into svchost, it searches for your default web browser and injects its code into the browser's process.

The malware hooks the following APIs for this purpose:

  • ZwWriteVirtualMemory
  • ZwCreateUserProcess

The infection and backdoor functionality runs in the web browser's process context. Hiding inside a trusted process helps the malware avoid detection and makes cleaning the infection more difficult.

Spreads via…

File infection

Older variants of Win32/Ramnit spread by infecting certain files with virus code. Newer variants have been observed without this file-infection functionality; dropping it may be intended to make those variants harder to detect and remove, since infected files are an obvious indicator.

A description of this file infection functionality is as follows:

Win32/Ramnit infects Windows executable files with a file extension of .exe, .dll, and .scr. The infected executables might be detected as Virus:Win32/Ramnit.A or by another similar detection name.

Win32/Ramnit infects HTML document files with .html or .htm extensions. The infected HTML files might be detected as Virus:VBS/Ramnit.A or by another similar detection name. The infected HTML files have an appended VBScript. When the infected HTML file is loaded by a web browser, the VBScript might drop a copy of Win32/Ramnit as %TEMP%\svchost.exe and then run the copy.

Win32/Ramnit also infects Microsoft Office OLE document files with .doc, .docx, or .xls file extensions. The infected document might be detected as Virus:O97M/Ramnit. The infected document contains a macro which will attempt to run when the document is opened. The macro might drop a copy of Win32/Ramnit as %TEMP%\wdexplore.exe and then run the copy.
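The HTML infection described above is simple to triage offline: the VBScript is appended after the document's real content, so a script block that sits after the last closing html tag is worth a look, and VBScript there that names a file system object, a shell object and an .exe path is the dropper pattern. The following is an added example written for this page, not Microsoft's tooling or the malware's code; the two documents it scans are constructed, and the VBScript body is a placeholder rather than the real appended script.

```python
import re
from typing import Dict, List

# Heuristic scan for HTML files with an appended VBScript dropper.
HTML_END = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(r"(<script\b[^>]*>)(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
VBSCRIPT_LANG = re.compile(r"""(language\s*=\s*["']?vbs(cript)?|type\s*=\s*["']?text/vbscript)""",
                           re.IGNORECASE)
# Keywords a VBScript needs to write a file to disk and run it.
DROPPER_HINTS = ("scripting.filesystemobject", "wscript.shell", ".exe", "%temp%")


def triage_html(text: str) -> Dict[str, object]:
    """Report every <script> that appears after the last </html>, and whether
    one of them is VBScript carrying at least two dropper-style keywords."""
    ends = list(HTML_END.finditer(text))
    tail = text[ends[-1].end():] if ends else ""   # no </html> at all: nothing to look at
    appended: List[Dict[str, object]] = []
    for open_tag, body in SCRIPT_BLOCK.findall(tail):
        low = body.lower()
        appended.append({
            "vbscript": bool(VBSCRIPT_LANG.search(open_tag)),
            "hints": [h for h in DROPPER_HINTS if h in low],
        })
    suspicious = any(s["vbscript"] and len(s["hints"]) >= 2 for s in appended)
    return {"appended_scripts": len(appended), "details": appended, "suspicious": suspicious}


# Constructed sample: an ordinary page whose only script sits inside <head>.
CLEAN_HTML = """<html><head><title>Order status</title>
<script>document.title = "Order status";</script></head>
<body><p>Thanks for your order.</p></body></html>
"""

# Constructed sample in the style described on this page. The script body is a
# placeholder; it does not contain the real dropper code.
INFECTED_HTML = CLEAN_HTML + r"""<SCRIPT Language=VBScript><!--
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh  = CreateObject("WScript.Shell")
target  = sh.ExpandEnvironmentStrings("%TEMP%") & "\svchost.exe"
' placeholder: the real appended script writes an executable to target and runs it
//--></SCRIPT>
"""

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_HTML), ("infected", INFECTED_HTML)):
        print(name, triage_html(doc))
```

The check deliberately keys on the position of the script, because the same VBScript keywords inside the body of a page are far more common in legitimate intranet content. Its blind spot is a file with no closing html tag, or a variant that inserts the script before the tag; a thorough scanner would score every VBScript block in the file and compare the file against a known-good copy.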

Removable and network drives

Win32/Ramnit copies its installer to removable drives under a random file name. The copy might also be placed in a randomly named subdirectory of the \RECYCLER\ folder in the root of the drive, as in the following example:

<drive:>\RECYCLER\s-5-1-04-5443402830-2472267086-003818317-4634\rdkidfba.exe

It also places an autorun.inf file in the root directory of the targeted drive. The autorun.inf file tells the operating system to launch the malware file automatically when the drive is accessed from another PC on which the Autorun feature is enabled.

This is common malware behavior, used to spread from PC to PC.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs.
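Because a legitimate autorun.inf and a malicious one share the same INI syntax, triage has to look at what the launch directives point to rather than at the mere presence of the file. The following is an added example written for this page (not Microsoft's tooling): it parses the [autorun] section, pulls out every directive that makes Windows run something, and treats a target under \RECYCLER\ or several directives aimed at the same file as strong signals, with a random-looking file name as only a weak one. Both sample files are constructed; the \RECYCLER\ path is the one shown on this page.

```python
import re
from typing import Dict

RECYCLER_PATH = re.compile(r"(^|[\\/])recycler[\\/]", re.IGNORECASE)
# Eight-letter names like lvjekdwi.exe or rdkidfba.exe; install.exe matches too,
# which is why this is only a weak signal.
RANDOM_NAME = re.compile(r"^[a-z]{6,12}\.exe$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value entries of the [autorun] section with keys
    lower-cased. autorun.inf is INI-style: [sections] and ';' comments."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _path_of(value: str) -> str:
    """Strip arguments: a quoted path, otherwise the first token."""
    if value.startswith('"') and value.find('"', 1) > 0:
        return value[1:value.find('"', 1)]
    parts = value.split()
    return parts[0] if parts else ""


def launch_targets(entries: Dict[str, str]) -> Dict[str, str]:
    """Directives that run something: open=, shellexecute= and
    shell\\<verb>\\command=. icon= and label= are cosmetic."""
    targets = {}
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = _path_of(value)
    return targets


def triage_autorun(text: str) -> Dict[str, object]:
    targets = launch_targets(parse_autorun(text))
    strong, weak = [], []
    for key, path in targets.items():
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if RECYCLER_PATH.search(path):
            strong.append(f"{key}: launches a file under \\RECYCLER\\ ({path})")
        if RANDOM_NAME.match(name):
            weak.append(f"{key}: random-looking file name ({name})")
    if len(targets) >= 2 and len({p.lower() for p in targets.values()}) == 1:
        strong.append("every launch directive points at the same file")
    # Only strong signals decide: icon/label-only files and open=setup.exe at
    # the root are what legitimate install media look like.
    return {"targets": targets, "strong": strong, "weak": weak, "suspicious": bool(strong)}


# Constructed sample: what vendor install media typically ship.
LEGIT_AUTORUN = """[autorun]
icon=setup.exe,0
label=Vendor Install Disc
open=setup.exe
"""

# Constructed sample in the style described on this page, not a real Ramnit file.
RAMNIT_STYLE_AUTORUN = r"""[AutoRun]
;constructed for this example
open=RECYCLER\s-5-1-04-5443402830-2472267086-003818317-4634\rdkidfba.exe
shell\open\command=RECYCLER\s-5-1-04-5443402830-2472267086-003818317-4634\rdkidfba.exe
shell\explore\command=RECYCLER\s-5-1-04-5443402830-2472267086-003818317-4634\rdkidfba.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

if __name__ == "__main__":
    print(triage_autorun(LEGIT_AUTORUN))
    print(triage_autorun(RAMNIT_STYLE_AUTORUN))
```

The "same file for every verb" signal is the one that separates worms from installers: install media give Autorun one open= line, whereas a worm hijacks the explore and open verbs as well so that any way of opening the drive runs it.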

Payload

Connects to a remote server

Win32/Ramnit connects to a remote server over TCP port 443 and sends information to it.

The malware generates the name of the command and control server using a domain generation algorithm (DGA), for example:

  • caytmlnlrou.com
  • cxviaodxefolgkokdqy.com
  • empsqyowjuvvsvrwj.com
  • gokbwlivwvgqlretxd.com
  • htmthgurhtchwlhwklf.com
  • jiwucjyxjibyd.com
  • khddwukkbwhfdiufhaj.com
  • ouljuvkvn.com
  • qbsqnpyyooh.com
  • snoknwlgcwgaafbtqkt.com
  • swbadolov.com
  • tfgyaoingy.com
  • tiqfgpaxvmhsxtk.com
  • ubkfgwqslhqyy.com
  • ukiixagdbdkd.com
  • vwaeloyyutodtr.com

The malware downloads other components from the server. These components change often, and could perform the following actions:

  • Steal FTP credentials (user names and passwords)
  • Enable backdoor access and control via "virtual network computing" (VNC)
  • Steal bank credentials (user names and passwords)
  • End or close certain antimalware programs

Win32/Ramnit can receive additional instructions from the server, including:

  • Download other malware
  • Shut down your PC
  • Take a screenshot
  • Update the malware to the latest version
  • Send collected information about cookies on your PC to the server
  • Delete cookies stored on your PC

Win32/Ramnit sends information about your PC to the server, including the following:

  • The name of your PC
  • The number of processes your PC has
  • The type of processor
  • The serial number of your PC's hard disk volume
  • The version and build of your operating system

The malware also receives a list of antimalware products from the remote server. It then closes or stops any processes related to those antimalware products.

Steals sensitive data

Win32/Ramnit might steal stored FTP passwords and user names from a number of common FTP applications, including:

  • 32bit FTP
  • BulletproofFTP
  • ClassicFTP
  • Coffee cup ftp
  • Core Ftp
  • Cute FTP
  • Directory opus
  • Far Manager
  • FFFtp
  • FileZilla
  • FlashXp
  • Fling
  • Frigate 3
  • FtpCommander
  • FtpControl
  • FtpExplorer
  • LeapFtp
  • NetDrive
  • SmartFtp
  • SoftFx FTP
  • TurboFtp
  • WebSitePublisher
  • Windows/Total commander
  • WinScp
  • WS FTP

Win32/Ramnit might also steal bank credentials by hooking the following APIs:

  • HttpOpenRequestA
  • HttpOpenRequestW
  • HttpSendRequestA
  • HttpSendRequestExA
  • HttpSendRequestExW
  • HttpSendRequestW
  • InternetCloseHandle
  • InternetOpenUrlA
  • InternetOpenUrlW
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA
  • InternetReadFileExW
  • InternetWriteFile

The malware collects stored browser cookies from the following web browsers:

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera
  • Safari

The captured credentials are then sent to a remote server for collection by a hacker.

Disables security and antimalware software and services

The malware disables certain Windows functions that are designed to keep your PC safer and more secure. It disables these functions by making a number of registry modifications.

It disables the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by making the following registry modifications:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

It disables Windows Security Center:

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"

It disables Windows Defender:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Sets value: "Start"
With data: "4"

It disables the Windows Update AutoUpdate Service:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4"

It disables the Windows Firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Sets value: "Start"
With data: "4"

Win32/Ramnit also disables the RapportMgmtService, if it exists on your PC. This service belongs to Rapport, which is a security program that you or your network administrator might have installed on your PC.

The malware might also disable or close certain antimalware products, including AVG Antivirus 2013.
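The registry changes listed in this section, together with the Userinit persistence entry described under Installation, are what an analyst checks first on a suspect host. The following is an added example written for this page, not Microsoft's tooling: it compares a registry snapshot against the page's indicator list and reports every match, plus any entry in the Winlogon Userinit value other than the system's own userinit.exe. The snapshot format (a dict mapping "HIVE\subkey" to its value names and data) is this example's own assumption, and the two snapshots are constructed to mirror the page's examples rather than taken from a real host.

```python
import re
from typing import Dict, List, Tuple

# (subkey, value name, data the malware writes, what that disables); taken from this page.
TAMPER_INDICATORS: List[Tuple[str, str, str, str]] = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0",
     "LUA / Admin Approval Mode"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", "1",
     "Security Center antivirus monitoring"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", "4", "Security Center service"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend", "Start", "4", "Windows Defender service"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv", "Start", "4", "Windows Update service"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall", "0", "Windows Firewall, standard profile"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc", "Start", "4", "Windows Firewall service"),
]
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERINIT_EXE = re.compile(r"(?i)(.*\\)?userinit\.exe")


def _norm_key(key: str) -> str:
    return key.strip().lower().rstrip("\\")      # registry paths are case-insensitive


def userinit_extras(data: str) -> List[str]:
    """Entries in Winlogon\\Userinit other than the system userinit.exe.
    A clean value is '<system folder>\\userinit.exe,'; the malware appends its
    own path after the comma so that Winlogon starts both at logon."""
    extras = []
    for entry in data.split(","):
        entry = entry.strip().strip('"')
        if entry and not USERINIT_EXE.fullmatch(entry):
            extras.append(entry)
    return extras


def find_tampering(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """Human-readable findings; an empty list means no indicator matched."""
    keys = {_norm_key(k): {name.lower(): str(data) for name, data in values.items()}
            for k, values in snapshot.items()}
    findings = []
    for subkey, name, bad, what in TAMPER_INDICATORS:
        if keys.get(_norm_key(subkey), {}).get(name.lower()) == bad:
            findings.append(f"{what} disabled: {subkey}\\{name} = {bad}")
    for extra in userinit_extras(keys.get(_norm_key(WINLOGON), {}).get("userinit", "")):
        findings.append(f"Userinit persistence: extra entry {extra!r}")
    return findings


# Constructed snapshots, not from a real host.
INFECTED_SAMPLE = {
    WINLOGON: {"Userinit": r"C:\Windows\system32\userinit.exe, C:\Program Files\Microsoft\watermark.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend": {"Start": "4"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv": {"Start": "2"},   # left alone
    r"HKLM\SOFTWARE\Microsoft\Security Center": {"AntiVirusOverride": "1"},
}
CLEAN_SAMPLE = {
    WINLOGON: {"Userinit": r"C:\Windows\system32\userinit.exe,"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend": {"Start": "2"},
}

if __name__ == "__main__":
    for line in find_tampering(INFECTED_SAMPLE):
        print(line)
```

Two caveats when feeding real data into it: REG_DWORD values come out of a .reg export as dword:00000004 and must be converted to the decimal strings compared here, and Start = 4 is also what a deliberately disabled service looks like, so a single service hit means little without the Userinit entry or the Security Center override alongside it.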

Further reading

Analysis by Scott Molenkamp, Karthik Selvaraj, and Tim Liu


Symptoms

The following could indicate that you have this threat on your PC:

  • Your antimalware or security product might not work correctly, or might not work at all
  • You have these files:

    "%TEMP%\wdexplore.exe"
    "%TEMP%\svchost.exe"

  • You see these entries or keys in your registry:
     
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Userinit"
    With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "EnableLUA"
    With data: "0"

    In subkey: HKLM\SOFTWARE\Microsoft\Security Center
    Sets value: "AntiVirusOverride"
    With data: "1"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Sets value: "Start"
    With data: "4"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
    Sets value: "Start"
    With data: "4"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    Sets value: "Start"
    With data: "4"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Sets value: "EnableFirewall"
    With data: "0"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
    Sets value: "Start"
    With data: "4"


Prevention


Alert level: Severe
This entry was first published on: May 10, 2011
This entry was updated on: Aug 22, 2014

This threat is also detected as:
No known aliases