
Trojan:Win32/Ramnit.A


Trojan:Win32/Ramnit.A is a trojan that allows limited remote access and control to an affected computer.


What to do now

To detect and remove this threat and other malicious software that may have been installed on your computer, run a full-system scan with an up-to-date antivirus product. For more information about using antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Trojan:Win32/Ramnit.A is a trojan that allows limited remote access and control to an affected computer.
Installation
Trojan:Win32/Ramnit.A may have been downloaded or distributed in April and May 2010 from various websites, including a site hosted at IP address 92.60.177.253. It may have been downloaded as one of the following files:
 
  • crypt_abuzamnet.info_original.exe
  • crypt_new_ca_g1_enc.exe
  • crypt_new_ca_g2.exe
  • new_uk3.exe
  • install.exe_crypted.exe
 
When executed, Trojan:Win32/Ramnit.A copies itself as one of the following:
 
<system folder>\booyaka.exe
%ProgramFiles%\Microsoft\desktoplayer.exe
 
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
 
The malware modifies the following registry value so that its copy runs at each Windows start. Winlogon runs every program listed in this comma-separated value at logon, so appending the trojan's file name makes it start alongside the legitimate userinit.exe:
 
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "%windir%\system32\userinit.exe,<trojan file name>,"
 
where the default data is: "%windir%\system32\userinit.exe,"
Payload
Allows limited remote access and control
The trojan opens TCP ports and connects to a remote server, such as "abuzamnet.info", over a separate TCP port to receive commands from an attacker. Instructions could include downloading and executing arbitrary malware.
 
Analysis by Patrick Nolan

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:

    crypt_abuzamnet.info_original.exe
    crypt_new_ca_g1_enc.exe
    crypt_new_ca_g2.exe
    new_uk3.exe
    install.exe_crypted.exe
    <system folder>\booyaka.exe
  • The presence of the following registry modifications:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Userinit"
    With data: "%windir%\system32\userinit.exe,booyaka.exe,"
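The persistence change described under Installation and repeated in the symptom list above is the same check: a Userinit value that lists anything beyond the stock userinit.exe. The following script is an added example, not part of the Microsoft write-up or the malware analysis, that parses a Userinit value, reports every extra program, and flags entries whose file name matches one of the names listed on this page. The file-name set and the sample values are taken from this write-up; the helper that reads the live registry uses the standard winreg module and only works on Windows.

```python
# Added example (not from the original write-up): check the Winlogon
# "Userinit" value for programs appended after the legitimate userinit.exe,
# the persistence technique described for Trojan:Win32/Ramnit.A.
import ntpath
import re

# Stock data for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.
# The trailing comma is part of the default value.
DEFAULT_USERINIT = r"%windir%\system32\userinit.exe,"

# File names listed in the write-up (droppers plus the installed copies).
RAMNIT_FILE_NAMES = {
    "crypt_abuzamnet.info_original.exe",
    "crypt_new_ca_g1_enc.exe",
    "crypt_new_ca_g2.exe",
    "new_uk3.exe",
    "install.exe_crypted.exe",
    "booyaka.exe",
    "desktoplayer.exe",
}

# Accept the legitimate entry whether it is written with %windir%/%SystemRoot%
# or as an expanded path such as C:\Windows\system32\userinit.exe.
_LEGIT_USERINIT = re.compile(
    r"(%windir%|%systemroot%|[a-z]:\\win(dows|nt))\\system32\\userinit\.exe"
)


def _is_default_userinit(entry: str) -> bool:
    """True if entry is the stock userinit.exe program."""
    return _LEGIT_USERINIT.fullmatch(entry.strip().strip('"').lower()) is not None


def extra_userinit_entries(data: str) -> list:
    """Return every non-empty program in a Userinit value other than userinit.exe.

    An empty list means the value is clean; anything else is worth a look,
    even if the name is not one of the Ramnit file names.
    """
    entries = [e.strip() for e in data.split(",")]
    return [e for e in entries if e and not _is_default_userinit(e)]


def is_ramnit_userinit(data: str) -> bool:
    """True if an extra Userinit program has a file name listed in this write-up."""
    return any(
        ntpath.basename(e.strip('"')).lower() in RAMNIT_FILE_NAMES
        for e in extra_userinit_entries(data)
    )


def read_userinit_from_registry() -> str:
    """Read the live Userinit value. Windows only (winreg is unavailable elsewhere)."""
    import winreg  # imported here so the parsing helpers run on any platform

    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    # Constructed sample values: the default, the booyaka.exe case from the
    # symptom list, and an expanded-path variant pointing at desktoplayer.exe.
    samples = [
        DEFAULT_USERINIT,
        r"%windir%\system32\userinit.exe,booyaka.exe,",
        r"C:\Windows\system32\userinit.exe,C:\Program Files\Microsoft\desktoplayer.exe,",
    ]
    for data in samples:
        print(repr(data))
        print("  extra entries:", extra_userinit_entries(data))
        print("  Ramnit.A match:", is_ramnit_userinit(data))
```

On a live system, pass the result of read_userinit_from_registry() to extra_userinit_entries(); a non-empty result for any reason, not just a Ramnit file name, indicates a modified logon sequence and should be investigated.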

Prevention


Alert level: Severe
First detected by definition: 1.81.100.0
Latest detected by definition: 1.177.2303.0 and higher
First detected on: Apr 21, 2010
This entry was first published on: Nov 09, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Wi-Trojan/Downloader.32768.UI (AhnLab)
  • W32/Downldr2.IWUS (Command)
  • TR/Dldr.FakeAV.mkn (Avira)
  • Win32/IRCBot.AIM (CA)
  • Win32/Agent.ODM (ESET)
  • Trojan-Downloader.Win32.FraudLoad.gpn (Kaspersky)
  • Generic FakeAlert!gv (McAfee)
  • W32/Smalltroj.YDYV (Norman)
  • Trj/Zlob.KH (Panda)
  • Mal/FakeAV-CH (Sophos)
  • Backdoor.IRC.Bot (Symantec)
  • TROJ_FRAUDLO.LH (Trend Micro)
  • Trojan.DL.FraudLoad.AASG (VirusBuster)
  • BackDoor.Firepass.23 (Dr.Web)
  • Virtool:Win32/Obfuscator.FW (other)