Microsoft security software detects and removes this threat.

This virus infects Windows executable files (.EXE) and HTML files (.HTML). It can also give a malicious hacker access to your PC.

It spreads through infected removable drives, such as USB flash drives.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


When the virus runs, it drops a file as "<file name>Srv.exe" (for example, "mytestSrv.exe"), where <file name> is the file name of the infected executable. The dropped file is then run.

This file might be detected as Worm:Win32/Ramnit.A.

Spreads via…

Infects files

Virus:Win32/Ramnit.A infects HTML files with .HTML or .HTM extensions. The infected .HTML or .HTM files might be detected as Virus:VBS/Ramnit.A.


Allows backdoor access and control / Connects to remote server

Virus:Win32/Ramnit.A creates a backdoor by connecting to a remote server. Using this backdoor, a remote hacker can perform any number of actions, including downloading and running files on the infected PC.

See the description for Worm:Win32/Ramnit.A for more details on how the malware downloads and runs files.

Injects code

The virus creates a default web browser process (which you won't be able to see) and injects code into it.

It might do this as a way to avoid detection and make it more difficult to remove from an infected PC.

Analysis by Chun Feng


The following could indicate that you have this threat on your PC:

  • You have this file:

    <file name>Srv.exe
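The file-name indicator above can be turned into a quick triage check. This is an added example, not part of the original entry or any Microsoft tool: it walks a folder tree and reports every "<file name>Srv.exe" that sits beside a matching "<file name>.exe". The function names and the sample tree are constructed for illustration, and the same-folder pairing is an assumption of this sketch.

```python
import os
import tempfile

SUFFIX = "srv.exe"  # dropped-file pattern from this entry: <file name>Srv.exe

def find_dropped_pairs(root):
    """Return sorted (host, dropped) paths where <name>.exe and <name>Srv.exe share a folder."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare lowercased names.
        by_lower = {f.lower(): f for f in files}
        for lower, actual in by_lower.items():
            if not lower.endswith(SUFFIX) or lower == SUFFIX:
                continue
            # Strip the "Srv" part to get the name of the possible infected host.
            host = by_lower.get(lower[:-len(SUFFIX)] + ".exe")
            if host is not None:
                hits.append((os.path.join(dirpath, host),
                             os.path.join(dirpath, actual)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample layout: empty placeholder files, no real binaries."""
    layout = [
        "apps/mytest.exe", "apps/mytestSrv.exe",  # pair: reported
        "apps/PrintSrv.exe",                       # no Print.exe beside it: ignored
        "tools/SETUP.EXE", "tools/setupsrv.exe",  # pair in different case: reported
        "docs/readme.html",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for host, dropped in find_dropped_pairs(tmp):
            print(f"review: {dropped} (next to {host})")
```

A match is a lead for a full scan, not a verdict: legitimate programs can also ship executables whose names end in "Srv.exe".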


Alert level: Severe
First detected by definition: 1.87.465.0
Latest detected by definition: 1.185.355.0 and higher
First detected on: Jul 23, 2010
This entry was first published on: Aug 09, 2010
This entry was updated on: Aug 22, 2014

This threat is also detected as:
  • Type_Win32 (Kaspersky)
  • Win32/Zbot.A (AVG)
  • W32/Infector.Gen2 (Avira)
  • Win32/Ramnit.A (CA)
  • Win32.Rmnet (Dr.Web)
  • W32.Infector (Ikarus)
  • W32/Ramnit.a (McAfee)
  • W32/Patched-I (Sophos)
  • PE_RAMNIT.A (Trend Micro)