Virus:Win32/Ramnit.I


Virus:Win32/Ramnit.I is a detection for modified (or infected) files that install additional Ramnit components.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Payload
Drops other malware
When files detected as Virus:Win32/Ramnit.I are executed, they drop a file as "<Virus:Win32/Ramnit.I filename>srv.exe" (for example, if Virus:Win32/Ramnit.I was using the filename "mytest.exe", the dropped file would be "mytestsrv.exe"). The dropped file is then executed. This file may be detected as Worm:Win32/Ramnit.A.
 
The virus also drops another file as "<Virus:Win32/Ramnit.I filename>mgr.exe" (for example, if Virus:Win32/Ramnit.I was using the filename "mytest.exe", the dropped file would be "mytestmgr.exe"). The dropped file is then executed. This file may be detected as Trojan:Win32/Ramnit.A.
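The "srv"/"mgr" naming convention described above gives defenders a simple correlation rule: an executable that writes a file named after itself plus one of those suffixes in its own directory, and then launches it. The following is an added example, not part of this write-up or any Microsoft tooling; the event schema is an assumed, simplified Sysmon-like one and the sample events are constructed.

```python
import ntpath
from typing import Dict, Iterable, List

# Suffixes the write-up describes: "<original filename>srv.exe" and "<original filename>mgr.exe"
DROP_SUFFIXES = ("srv", "mgr")


def expected_drop_names(image_path: str) -> Dict[str, str]:
    """Predict the dropped-file paths for an infected executable, keyed by suffix.
    Uses ntpath so Windows paths are handled correctly on any platform.
    e.g. C:\\Users\\bob\\mytest.exe -> {'srv': ...\\mytestsrv.exe, 'mgr': ...\\mytestmgr.exe}"""
    directory, filename = ntpath.split(image_path)
    stem, ext = ntpath.splitext(filename)
    return {s: ntpath.join(directory, f"{stem}{s}{ext}") for s in DROP_SUFFIXES}


def find_ramnit_drop_chains(events: Iterable[dict]) -> List[dict]:
    """Correlate file-create and process-create events (assumed schema:
    {'kind': 'file_create'|'process_create', 'image', 'target', 'parent'}).
    A hit is recorded when a process writes one of its predicted drop names
    and that file is later started with the writer as its parent."""
    pending: Dict[str, str] = {}  # dropped path (lower-cased) -> writer image
    hits: List[dict] = []
    for ev in events:
        image = ev["image"].lower()  # Windows paths are case-insensitive
        if ev["kind"] == "file_create":
            target = ev["target"].lower()
            predicted = {p.lower() for p in expected_drop_names(image).values()}
            if target in predicted:
                pending[target] = image
        elif ev["kind"] == "process_create":
            parent = ev.get("parent", "").lower()
            if image in pending and pending[image] == parent:
                hits.append({"dropper": parent, "dropped": image})
    return hits


# Constructed sample telemetry: two drop chains matching the write-up, plus benign noise.
SAMPLE_EVENTS = [
    {"kind": "file_create", "image": r"C:\Users\bob\mytest.exe", "target": r"C:\Users\bob\mytestsrv.exe"},
    {"kind": "process_create", "image": r"C:\Users\bob\mytestsrv.exe", "parent": r"C:\Users\bob\mytest.exe"},
    {"kind": "file_create", "image": r"C:\Users\bob\mytest.exe", "target": r"C:\Users\bob\mytestmgr.exe"},
    {"kind": "process_create", "image": r"C:\Users\bob\mytestmgr.exe", "parent": r"C:\Users\bob\mytest.exe"},
    {"kind": "file_create", "image": r"C:\Setup\setup.exe", "target": r"C:\Setup\helper.exe"},
    {"kind": "process_create", "image": r"C:\Setup\setupsrv.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in find_ramnit_drop_chains(SAMPLE_EVENTS):
        print(f"possible Ramnit drop chain: {hit['dropper']} -> {hit['dropped']}")
```

The rule is a hunting heuristic only; a file name alone is weak evidence and a hit should be confirmed by scanning the dropped file with an up-to-date antivirus product.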
 
Allows backdoor access and control
Win32/Ramnit creates a backdoor by connecting to a remote server. Using this backdoor, a remote attacker can instruct an affected computer to download and execute files.
 
It creates a default web browser process (invisible to the user) and injects code into it, presumably to bypass the firewall.
 
See the description for Worm:Win32/Ramnit.A and Trojan:Win32/Ramnit.A for additional detail.
 
Analysis by Scott Molenkamp

Symptoms

System changes
There are no obvious symptoms that indicate the presence of this malware on an affected computer.

Prevention


Alert level: Severe
First detected by definition: 1.93.1519.0
Latest detected by definition: 1.183.695.0 and higher
First detected on: Nov 09, 2010
This entry was first published on: Mar 15, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases