
Trojan:Win32/Ramnit.A


Microsoft security software detects and removes this threat.
 
This threat can give a malicious hacker access to your PC.
 
It can be installed when you visit a hacked or malicious web page.
 
See the Win32/Ramnit family description for more information on this type of threat.
 


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
Trojan:Win32/Ramnit.A can be downloaded as one of the following files:
 
  • crypt_abuzamnet.info_original.exe
  • crypt_new_ca_g1_enc.exe
  • crypt_new_ca_g2.exe
  • new_uk3.exe
  • install.exe_crypted.exe
 
It copies itself as one of the following:

It modifies the following registry entry so that it runs each time a user logs on. The trojan's file name is appended after the legitimate userinit.exe, so the legitimate program still runs and logon completes normally:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "%windir%\system32\userinit.exe,<trojan file name>"

Payload
Gives a malicious hacker access to your PC
 
The trojan opens TCP ports and connects to a remote server, such as "abuzamnet.info", on another TCP port to receive commands from a malicious hacker. Instructions can include downloading and running other files, including malware. The same domain appears in one of the download file names listed under Installation.
 
Analysis by Patrick Nolan

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    crypt_abuzamnet.info_original.exe
    crypt_new_ca_g1_enc.exe
    crypt_new_ca_g2.exe
    new_uk3.exe
    install.exe_crypted.exe
    <system folder>\booyaka.exe
  • The presence of the following registry modifications:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Userinit"
    With data: "%windir%\system32\userinit.exe,<trojan file name>"
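The Userinit persistence described under Installation and repeated in the Symptoms list above can be checked with the following Python, added here as a worked example; it is not part of the Microsoft write-up. It parses the comma-separated Userinit value, either given directly or taken from a `reg export` of the Winlogon key, and reports every entry that is not the legitimate userinit.exe. It assumes the default Windows directory layout, and the sample values, including the `reg export` excerpt, are constructed for illustration (only the booyaka.exe file name comes from this page).

```python
"""Winlogon Userinit persistence check.

Added example for this write-up; it is not Microsoft's code. Ramnit.A keeps
the legitimate userinit.exe in the Userinit value and appends its own file
name after the comma, so Winlogon starts both at every logon. The functions
below parse that value, either given directly or taken from a `reg export`
of the Winlogon key, and report every entry that is not the legitimate
userinit.exe. The sample values are constructed for illustration; only the
booyaka.exe file name comes from the write-up.
"""
import re

# The one entry Windows itself writes: %windir%\system32\userinit.exe, either
# with the variable or expanded. Registry paths are case-insensitive. Assumes
# the default Windows directory; extend the pattern for e.g. C:\WINNT.
_LEGIT_USERINIT = re.compile(
    r"^(?:%windir%|%systemroot%|[a-z]:\\windows)\\system32\\userinit\.exe$",
    re.IGNORECASE,
)


def parse_userinit(data):
    """Split a Userinit value into its entries.

    The value is a comma-separated list of programs Winlogon runs at logon.
    Windows writes it with a trailing comma, so empty entries are dropped;
    whitespace and surrounding quotes are removed from each entry.
    """
    entries = []
    for raw in data.split(","):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def check_userinit(data):
    """Classify a Userinit value.

    Returns (ok, findings). findings holds every entry that is not the
    legitimate userinit.exe, plus a note if that entry is missing entirely,
    which is also tampering (and would break interactive logon).
    """
    entries = parse_userinit(data)
    findings = [e for e in entries if not _LEGIT_USERINIT.match(e)]
    if not any(_LEGIT_USERINIT.match(e) for e in entries):
        findings.append("legitimate userinit.exe entry missing")
    return (not findings, findings)


def userinit_from_reg_export(text):
    """Pull the Userinit value out of a `reg export` of the Winlogon key.

    .reg files escape backslashes and quotes inside string values with a
    backslash; those escapes are undone before the value is returned.
    Returns None if the key or the value is not present.
    """
    key = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == key.lower()
            continue
        if in_key:
            m = re.match(r'^"Userinit"="(.*)"$', line)
            if m:
                return re.sub(r"\\(.)", r"\1", m.group(1))
    return None


# Constructed samples: a clean default value and the shape left by Ramnit.A.
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"
INFECTED_VALUE = r"%windir%\system32\userinit.exe,C:\Windows\system32\booyaka.exe"

# Constructed excerpt of
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
# (decoded from its UTF-16 file) showing the same infected value.
REG_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n"
    "\"Userinit\"=\"C:\\\\Windows\\\\system32\\\\userinit.exe,"
    "C:\\\\Windows\\\\system32\\\\booyaka.exe\"\r\n"
)

if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE),
                         ("reg export", userinit_from_reg_export(REG_EXPORT))):
        ok, findings = check_userinit(value)
        print(f"{label}: {'OK' if ok else 'SUSPICIOUS'} {findings}")
```

On a live machine the value can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` and passed to check_userinit. The check only flags extra or missing entries; it cannot tell whether userinit.exe itself has been replaced, so the hash or signature of that file should be verified separately.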

Prevention


Alert level: Severe
First detected by definition: 1.81.100.0
Latest detected by definition: 1.191.985.0 and higher
First detected on: Apr 21, 2010
This entry was first published on: Nov 09, 2010
This entry was updated on: Sep 22, 2014

This threat is also detected as:
  • Wi-Trojan/Downloader.32768.UI (AhnLab)
  • W32/Downldr2.IWUS (Command)
  • TR/Dldr.FakeAV.mkn (Avira)
  • Win32/IRCBot.AIM (CA)
  • Win32/Agent.ODM (ESET)
  • Trojan-Downloader.Win32.FraudLoad.gpn (Kaspersky)
  • Generic FakeAlert!gv (McAfee)
  • W32/Smalltroj.YDYV (Norman)
  • Trj/Zlob.KH (Panda)
  • Mal/FakeAV-CH (Sophos)
  • Backdoor.IRC.Bot (Symantec)
  • TROJ_FRAUDLO.LH (Trend Micro)
  • Trojan.DL.FraudLoad.AASG (VirusBuster)
  • BackDoor.Firepass.23 (Dr.Web)
  • Virtool:Win32/Obfuscator.FW (other)