You have been re-routed to the Trojan:Win32/Ramnit.C write up because Trojan%3aWin32%2fRamnit.C has been renamed to Trojan:Win32/Ramnit.C


Microsoft security software detects and removes this threat.
This threat can be used to install other malware onto your PC.
See the Win32/Ramnit family description for more information.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Trojan:Win32/Ramnit.C is the generic detection for a DLL component dropped by other malware. It is used to load another malware.
Trojan:Win32/Ramnit.C is dropped by other malware as a DLL file with the following file name format:
  • <random characters>.cpl (for example, "kxxxacvv.cpl", "qrejtdcd.cpl")
It is usually dropped with an EXE file, for example, "kctcsugs.exe" and "rdkidfba.exe". Trojan:Win32/Ramnit.C creates a mutex named "INTEL_CEDR_STORE".
Runs other malware
Trojan:Win32/Ramnit.C creates a process to run the dropped EXE file, which may be detected as other malware such as Worm:Win32/Autorun.AAY
Analysis by Lena Lin


Alerts from your security software may be the only symptom.


Alert level: Severe
First detected by definition: 1.93.1757.0
Latest detected by definition: 1.201.692.0 and higher
First detected on: Nov 12, 2010
This entry was first published on: Jan 18, 2011
This entry was updated on: Sep 22, 2014

This threat is also detected as:
  • Win-Trojan/Starter.3584.F (AhnLab)
  • Trojan.Win32.Starter.yy (Kaspersky)
  • W32/Runner.NZ (Norman)
  • Trojan.Ramnit!iQNQL6zS3w0 (VirusBuster)
  • TR/Starter.Y (Avira)
  • Win32/Ramnit.H (CA)
  • Trojan.Starter.1591 (Dr.Web)
  • Win32/Ramnit.F (ESET)
  • Trojan.Win32.Ramnit (Ikarus)
  • W32/Ramnit.a (McAfee)
  • Trj/Starter.G (Panda)
  • TROJ_STARTER.SM (Trend Micro)