
Virus:VBS/Ramnit.D


Virus:VBS/Ramnit.D is a detection for a malicious VBScript appended to HTML files by a variant of Virus:Win32/Ramnit. When an infected HTML file is opened, Virus:VBS/Ramnit.D drops and runs a copy of either Trojan:Win32/Ramnit or Trojan:Win32/Ramnit.gen!A.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
This VBScript malware is appended to HTML files by a variant of Virus:Win32/Ramnit.
Payload
Drops and executes arbitrary files
Virus:VBS/Ramnit.D drops an executable binary into the user's Temporary folder and attempts to run it:
 
  • %USERPROFILE%\Local Settings\Temp\vsexplore.exe
 
This dropped file is detected as either Trojan:Win32/Ramnit or Trojan:Win32/Ramnit.gen!A.
 
If a file of the same name already exists in that folder, Virus:VBS/Ramnit.D replaces that file with this dropped file.
Additional information
The malware appends random characters to its body in an attempt to evade detection.
 
For more information about Trojan:Win32/Ramnit or Trojan:Win32/Ramnit.gen!A, see the descriptions elsewhere in the encyclopedia.
 
Analysis by Gilou Tenebro

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:

    %USERPROFILE%\Local Settings\Temp\vsexplore.exe
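The two indicators this entry describes, a VBScript appended to HTML files and the dropped vsexplore.exe, can be triaged with a short script. Because the malware pads its body with random characters, the check is structural rather than hash-based. This is an added example, not Microsoft's detection logic; the function names are hypothetical, and it assumes the appended script sits after the final </html> tag and declares VBScript in a language or type attribute.

```python
import re
from pathlib import Path

# Assumption: "appended" means the script block sits after the final </html> tag.
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
VBS_ATTR = re.compile(
    r"""(?:language|type)\s*=\s*["']?\s*(?:text/)?vbscript""", re.IGNORECASE)
# Dropped-file path from the Symptoms section, relative to %USERPROFILE%.
DROPPED_REL = Path("Local Settings") / "Temp" / "vsexplore.exe"


def trailing_vbscript(html_text):
    """Return True if a VBScript <script> tag follows the last </html>."""
    closes = list(CLOSE_HTML.finditer(html_text))
    if not closes:
        return False
    tail = html_text[closes[-1].end():]
    return any(VBS_ATTR.search(m.group(0)) for m in SCRIPT_OPEN.finditer(tail))


def scan_tree(root):
    """List .htm/.html files under root that match the heuristic."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            # latin-1 decodes any byte sequence, so odd encodings do not abort the scan.
            text = path.read_text(encoding="latin-1")
            if trailing_vbscript(text):
                hits.append(path)
    return sorted(hits)


def dropped_file_present(profile_dir):
    """Check one user profile directory for the dropped executable."""
    return (Path(profile_dir) / DROPPED_REL).is_file()


# Constructed samples: a clean page, and the same page with an inert trailing
# script block followed by random padding characters.
CLEAN = "<html><body><script type='text/javascript'>var a=1;</script></body></html>\n"
SUSPECT = CLEAN + "<SCRIPT Language=VBScript><!--\n' placeholder\n//--></SCRIPT>xQz81\n"

if __name__ == "__main__":
    print(trailing_vbscript(CLEAN), trailing_vbscript(SUSPECT))
```

A match is a lead for triage, to be confirmed with a full scan by an up-to-date security product.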

Prevention


Alert level: Severe
First detected by definition: 1.99.1343.0
Latest detected by definition: 1.103.344.0 and higher
First detected on: Mar 16, 2011
This entry was first published on: Mar 22, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • VBS/Ramnit.A (Command)
  • HTML.Ramnit.A (VirusBuster)
  • HTML/Drop.Agent.AB (Avira)
  • Trojan-Dropper.VBS.Inor (Ikarus)
  • W32/Cosmu.A (Panda)
  • Troj/Inor-Fam (Sophos)