Virus:Win32/Ramnit.A!dll is a component which is injected into the default web browser process by Worm:Win32/Ramnit.A.
Virus:Win32/Ramnit.A!dll modifies the registry so that the Worm:Win32/Ramnit.A component is started by Winlogon at every user logon:
Modifies value: "Userinit"
From data: "<system folder>\userinit.exe"
To data: "<system folder>\userinit.exe,,%program_files%\microsoft\desktoplayer.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The Userinit value is a comma-separated list of programs that Winlogon runs when a user logs on, so the appended entry is launched alongside the legitimate userinit.exe; the double comma is the empty entry left by the modification.
Virus:Win32/Ramnit.A!dll infects Windows executable files with a file extension of ".EXE" and ".DLL". The infected executables may be detected as Virus:Win32/Ramnit.A.
Virus:Win32/Ramnit.A!dll copies Worm:Win32/Ramnit.A to removable drives with a random file name.
The virus then writes an Autorun configuration file named "autorun.inf" to the root of the drive, pointing to the copied file. When the drive is connected to a computer that still processes autorun.inf on removable drives, the virus is launched automatically. Windows 7 and later, and earlier versions with the KB971029 update installed, no longer honour autorun.inf on USB drives, so on those systems the copy only runs if a user opens it.
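The two host-based indicators described above, the Userinit modification and the drive-root autorun.inf, can both be checked mechanically. The following Python is an added example written for this page, not part of the original entry or of any Microsoft tooling: it splits a Userinit value into its launch entries and reports anything that is not the stock userinit.exe (tolerating the normal trailing comma and the ",," Ramnit leaves behind), and parses an autorun.inf to extract every directive that would launch a file. The concrete paths (C:\Windows\system32, C:\Program Files) and the file name "xhvqzmku.exe" are constructed assumptions standing in for the page's "<system folder>", "%program_files%" and "random file name"; the live registry read at the end is optional and only runs on Windows.

```python
import os
import configparser

# Constructed values for offline use. The page writes the paths as
# "<system folder>" and "%program_files%", so these are assumptions.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"   # trailing comma is normal on a clean host
INFECTED_USERINIT = (
    r"C:\Windows\system32\userinit.exe,,C:\Program Files\microsoft\desktoplayer.exe"
)

# Constructed autorun.inf in the shape the page describes: a drive-root file that
# points Autorun at a randomly named copy of the worm. "xhvqzmku.exe" is invented.
SAMPLE_AUTORUN = r"""[AutoRun]
open=xhvqzmku.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=xhvqzmku.exe
shell\explore\command=xhvqzmku.exe
"""


def userinit_extra_entries(value, expected=r"C:\Windows\system32\userinit.exe"):
    """Split a Winlogon\\Userinit REG_SZ on commas and return every launch entry
    that is not the stock userinit.exe. Empty entries (the ",," Ramnit leaves
    behind, or the trailing comma on a clean value) are ignored, surrounding
    quotes are stripped, and the comparison is case-insensitive."""
    extras = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry or entry.lower() == expected.lower():
            continue
        extras.append(entry)
    return extras


def autorun_launch_targets(ini_text):
    """Return {directive: target} for every [autorun] directive that launches a
    file: 'open', 'shellexecute' and any shell\\<verb>\\command entry. The section
    name is matched case-insensitively, keys are lower-cased by ConfigParser,
    %VAR% icon paths are left alone (no interpolation) and duplicates do not raise."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(ini_text)
    targets = {}
    for name in parser.sections():
        if name.lower() != "autorun":
            continue
        for key, val in parser[name].items():
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets[key] = val.strip()
    return targets


def live_userinit_extra_entries():
    """On a Windows host, read the real Userinit value from HKLM and run the same
    check against %SystemRoot%\\system32\\userinit.exe. Returns None elsewhere."""
    if os.name != "nt":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    expected = os.path.join(os.environ["SystemRoot"], "system32", "userinit.exe")
    return userinit_extra_entries(value, expected)


if __name__ == "__main__":
    print("clean Userinit extras:     ", userinit_extra_entries(CLEAN_USERINIT))
    print("infected Userinit extras:  ", userinit_extra_entries(INFECTED_USERINIT))
    print("autorun.inf launch targets:", autorun_launch_targets(SAMPLE_AUTORUN))
    print("live host extras:          ", live_userinit_extra_entries())
```

Any non-empty result from the Userinit check is worth a look regardless of the path, since the value on a clean host contains only userinit.exe; the autorun.inf parser is deliberately indifferent to the target name, because the page notes the copied file name is random, so the signal is the presence of a launch directive on a removable drive rather than a particular string.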
Allows backdoor access and control
When executed, Virus:Win32/Ramnit.A!dll connects to a remote server and waits for instructions. In the wild, Virus:Win32/Ramnit.A!dll has been observed connecting to fget-career.com on port 443 for this purpose.
Using this backdoor, a remote attacker can instruct an affected machine to:
Download a file and execute it
Connect to another server and wait for instructions
Virus:Win32/Ramnit.A!dll infects .HTML files; the infected HTML files may be detected as
Analysis by Chun Feng