Virus:Win32/Ramnit.A!dll


Virus:Win32/Ramnit.A!dll is a component which is injected into the default web browser process by Worm:Win32/Ramnit.A.


What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Virus:Win32/Ramnit.A!dll modifies the registry to make sure the component of Worm:Win32/Ramnit.A is loaded at each Windows start:

  Modifies value: "Userinit"
  From data: "<system folder>\userinit.exe"
  To data: "<system folder>\userinit.exe,,%program_files%\microsoft\desktoplayer.exe"
  To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Spreads via…
File infection
Virus:Win32/Ramnit.A!dll infects Windows executable files with the extensions .EXE and .DLL. The infected executables may be detected as Virus:Win32/Ramnit.A.

Removable drives
Virus:Win32/Ramnit.A!dll copies Worm:Win32/Ramnit.A to removable drives with a random file name.

The virus then writes an Autorun configuration file named "autorun.inf" pointing to the copied file. When the drive is accessed from a computer supporting the Autorun feature, the virus is launched automatically.
Payload
Allows backdoor access and control
When executed, Virus:Win32/Ramnit.A!dll connects to a remote server and waits for instructions. In the wild, Virus:Win32/Ramnit.A!dll has been observed connecting to fget-career.com on port 443 for this purpose.

Using this backdoor, a remote attacker can instruct an affected machine to:

  • Download a file and execute it
  • Connect to another server and wait for instructions

Infects files
Virus:Win32/Ramnit.A!dll infects .HTML files; the infected HTML files may be detected as
 
Analysis by Chun Feng

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:
      Modifies value: "Userinit"
      From data: "<system folder>\userinit.exe"
      To data: "<system folder>\userinit.exe,,%program_files%\microsoft\desktoplayer.exe"
      To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
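The Userinit modification listed under Installation and again here is the one persistence indicator the entry gives, so a defender's check is to read that value and flag every entry that is not the stock userinit.exe. The following script is an added example, not code from the encyclopedia entry; it assumes the system folder is C:\Windows\System32 and that Winlogon treats the value as a comma-separated program list (empty entries, such as the doubled comma in the Ramnit value, are ignored).

```python
import sys

# Assumed system folder (the page writes it as "<system folder>").
SYSTEM_FOLDER = r"C:\Windows\System32"

# Registry key and value named in the entry.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERINIT_VALUE = "Userinit"


def parse_userinit(value: str) -> list[str]:
    """Split a Userinit value into its program entries.

    Winlogon treats the value as a comma-separated list of programs to run
    at logon. Empty entries (the stock value ends with a comma, and the
    Ramnit modification inserts a doubled comma) are dropped."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value: str, system_folder: str = SYSTEM_FOLDER) -> list[str]:
    """Return every entry that is not the stock userinit.exe (case-insensitive)."""
    expected = system_folder.rstrip("\\").lower() + r"\userinit.exe"
    return [e for e in parse_userinit(value) if e.lower() != expected]


def is_ramnit_userinit_indicator(entry: str) -> bool:
    """True if an entry ends in the \\microsoft\\desktoplayer.exe path from the entry."""
    parts = entry.lower().replace("/", "\\").split("\\")
    return parts[-2:] == ["microsoft", "desktoplayer.exe"]


def check_userinit(value: str) -> dict:
    """Summarise a Userinit value: extra entries and whether one matches Ramnit."""
    extra = unexpected_userinit_entries(value)
    return {
        "extra_entries": extra,
        "ramnit_indicator": any(is_ramnit_userinit_indicator(e) for e in extra),
    }


def read_userinit_from_registry() -> str:
    """Read the live value on a Windows host (winreg exists only on Windows)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, USERINIT_VALUE)
        return value


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on a Windows host to read the live registry value")
    print(check_userinit(read_userinit_from_registry()))
```

Any extra entry is worth investigating even when it does not match the desktoplayer.exe path, since other malware families use the same Userinit technique.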

Prevention


Alert level: Severe
First detected by definition: 1.87.1201.0
Latest detected by definition: 1.87.1201.0 and higher
First detected on: Aug 04, 2010
This entry was first published on: Aug 10, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • TR/Spy.Gen (Avira)
  • Win32.Rmnet (Dr.Web)
  • Trojan-Spy (Ikarus)
  • Mal/SillyFDC-A (Sophos)
  • W32.Ramnit!html (Symantec)