
Win32/Ramnit


Microsoft security software detects and removes this threat.

This malware family steals your sensitive information, such as your bank user names and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running.

These threats can be installed on your PC through an infected removable drive, such as a USB flash drive.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

NOTE: The Microsoft Windows Malicious Software Removal Tool automatically restores the default Windows security settings as it remediates this malware. If you encounter any issues, you can also manually re-enable the Windows functions that the malware disabled in order to tamper with your system and lower its security.

  1. Enable the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by modifying the following registry entries:
    • In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      Sets value: "EnableLUA"
      With data: "1"
  2. Delete the following registry values, which do not exist by default:
    • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
    • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
    • HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify
  3. Enable the Windows Firewall by modifying the following registry entries:
    • In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
      Sets value: "EnableFirewall"
      With data: "1"
  4. In the Run command field, type services.msc to go to the Services manager console.
  5. Search for following services:
    • Security Center
    • Windows Defender Service
    • Windows Firewall
    • Windows Update
  6. Right-click, then go to Properties.
  7. Set the Startup type to Automatic.

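
The seven manual steps above, scripted as an added PowerShell example (not code from the Microsoft entry). It assumes an elevated prompt and the service short names wscsvc, WinDefend, MpsSvc and wuauserv, which are the names the entry's own Start=4 registry paths use.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Microsoft entry: scripts the seven manual
# steps above. Run from an elevated PowerShell prompt after the scan finishes.
$ErrorActionPreference = 'Stop'

# Step 1: re-enable LUA. The entry lists the value under HKCU; Windows reads
# EnableLUA from the HKLM Policies\System key, so both hives are set here.
foreach ($hive in 'HKCU', 'HKLM') {
    $lua = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path $lua)) { New-Item -Path $lua -Force | Out-Null }
    Set-ItemProperty -Path $lua -Name 'EnableLUA' -Value 1 -Type DWord
}

# Step 2: delete the Security Center override/notify values, which a clean
# system does not have. The malware writes them under both keys.
$overrides = 'AntiVirusOverride', 'AntiVirusDisableNotify',
             'FirewallDisableNotify', 'FirewallOverride',
             'UpdatesDisableNotify', 'UacDisableNotify'
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc') {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $overrides) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
}

# Step 3: turn the Windows Firewall back on for the standard profile.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters' +
      '\FirewallPolicy\StandardProfile'
if (-not (Test-Path $fw)) { New-Item -Path $fw -Force | Out-Null }
Set-ItemProperty -Path $fw -Name 'EnableFirewall' -Value 1 -Type DWord

# Steps 4-7: set the four services back to Automatic and start them. The
# short names are assumed from the Start=4 paths the entry lists; Defender
# may refuse changes under tamper protection, so failures are warnings.
foreach ($svc in 'wscsvc', 'WinDefend', 'MpsSvc', 'wuauserv') {
    try {
        Set-Service -Name $svc -StartupType Automatic
        if ((Get-Service -Name $svc).Status -ne 'Running') {
            Start-Service -Name $svc
        }
        Write-Host "$svc set to Automatic and running"
    } catch {
        Write-Warning "could not restore ${svc}: $($_.Exception.Message)"
    }
}
Write-Host 'Settings restored; reboot, then run a full scan again.'
```
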
Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

The threat copies itself using a hard-coded name or, in some cases, with a random file name to a random folder, for example:

Some variants copy themselves to the %TEMP% folder with a random name, for example lvjekdwi.exe, hvhvufsa.exe.

This file might be detected as Worm:Win32/Ramnit.A or by another similar detection name.

It creates the following registry entry to ensure that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe"

Win32/Ramnit launches a new instance of the system process svchost.exe and injects code into it. If the malware is unable to inject its code into svchost, it searches for your default web browser and injects its code into the browser's process.

The malware hooks the following APIs for this purpose:

  • ZwWriteVirtualMemory
  • ZwCreateUserProcess

The infection and backdoor functionality runs in the web browser's process context, probably to avoid detection and to make cleaning up an infection more difficult.

Spreads via…

File infection

Older variants of Win32/Ramnit spread by infecting certain files with virus code. New variants, however, have been observed without this file-infection functionality. The reason for the removal of this functionality in new variants might be to hinder detection and removal of the variant.

A description of this file infection functionality is as follows:

Win32/Ramnit infects Windows executable files with a file extension of .exe, .dll, and .scr. The infected executables might be detected as Virus:Win32/Ramnit.A or by another similar detection name.

Win32/Ramnit infects HTML document files with .html or .htm extensions. The infected HTML files might be detected as Virus:VBS/Ramnit.A or by another similar detection name. The infected HTML files have an appended VBScript. When the infected HTML file is loaded by a web browser, the VBScript might drop a copy of Win32/Ramnit as %TEMP%\svchost.exe and then run the copy.

Win32/Ramnit also infects Microsoft Office OLE document files with .doc, .docx, or .xls file extensions. The infected document might be detected as Virus:O97M/Ramnit. The infected document contains a macro which will attempt to run when the document is opened. The macro might drop a copy of Win32/Ramnit as %TEMP%\wdexplore.exe and then run the copy.

Removable and network drives

Win32/Ramnit makes copies of the installer to removable drives with a random file name. The file might also be placed in a randomly-named directory in the \RECYCLER\ folder in the root of the drive, as in the following example:

<drive>:\RECYCLER\s-5-1-04-5443402830-2472267086-003818317-4634\rdkidfba.exe

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files tell the operating system to launch the malware file automatically when the network drive is accessed from another PC that supports the Autorun feature.

This is particularly common malware behavior, generally used to spread malware from PC to PC.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs.

Payload

Connects to a remote server

Win32/Ramnit connects to a remote server over TCP port 443 and sends information to it.

The malware generates the name of its command and control server with a domain generation algorithm (DGA), for example:


The malware downloads other components from the server. These components change often, and can perform the following actions:

  • Steal FTP credentials (user names and passwords)
  • Enable backdoor access and control via "virtual network computing" (VNC)
  • Steal bank credentials (user names and passwords)
  • End or close certain antimalware programs

Win32/Ramnit can receive additional instructions from the server, including:

  • Download other malware
  • Shut down your PC
  • Take a screenshot
  • Update the malware to the latest version
  • Send collected information about cookies on your PC to the server
  • Delete cookies stored on your PC

Win32/Ramnit sends information about your PC to the server, including the following:

  • The name of your PC
  • The number of processes your PC has
  • The type of processor
  • The serial number of your PC's hard disk volume
  • The version and build of your operating system

The malware also receives a list of antimalware products from the remote server. It then closes or stops any processes related to those antimalware products.

Steals sensitive data

Win32/Ramnit might steal stored FTP passwords and user names from a number of common FTP applications, including:

  • 32bit FTP
  • BulletproofFTP
  • ClassicFTP
  • Coffee cup ftp
  • Core Ftp
  • Cute FTP
  • Directory opus
  • Far Manager
  • FFFtp
  • FileZilla
  • FlashXp
  • Fling
  • Frigate 3
  • FtpCommander
  • FtpControl
  • FtpExplorer
  • LeapFtp
  • NetDrive
  • SmartFtp
  • SoftFx FTP
  • TurboFtp
  • WebSitePublisher
  • Windows/Total commander
  • WinScp
  • WS FTP

Win32/Ramnit might also steal bank credentials by hooking the following APIs:

  • HttpOpenRequestA
  • HttpOpenRequestW
  • HttpSendRequestA
  • HttpSendRequestExA
  • HttpSendRequestExW
  • HttpSendRequestW
  • InternetCloseHandle
  • InternetOpenUrlA
  • InternetOpenUrlW
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA
  • InternetReadFileExW
  • InternetWriteFile

The malware collects stored browser cookies from the following web browsers:

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera
  • Safari

The captured credentials are then sent to a remote server for collection by a hacker.

Disables security and antimalware software and services

The malware disables certain Windows functions that are designed to keep your PC safer and more secure. It disables these functions by making a number of registry modifications.

  • It disables the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by making the following registry modifications:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

  • It disables Windows Security Center:

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"

  • It disables Windows Defender:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Sets value: "Start"
With data: "4"

  • It disables the Windows Update AutoUpdate Service:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4"

  • It disables the Windows Firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Sets value: "Start"
With data: "4"

  • It disables the RapportMgmtService, if it exists on your PC. This service belongs to Rapport, which is a security program that you or your network administrator might have installed on your PC.
  • It might also disable or close certain antimalware products, including AVG Antivirus 2013.

The malware also tampers with your default Windows security settings by setting the following registry values:

  • In subkey: HKLM\SOFTWARE\Microsoft\Security Center
    • Sets value: "AntiVirusOverride"
      With data: "1"
    • Sets value: "AntiVirusDisableNotify"
      With data: "1"
    • Sets value: "FirewallDisableNotify"
      With data: "1"
    • Sets value: "FirewallOverride"
      With data: "1"
    • Sets value: "UpdatesDisableNotify"
      With data: "1"
    • Sets value: "UacDisableNotify"
      With data: "1"
  • In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
    • Sets value: "AntiVirusOverride"
      With data: "1"
    • Sets value: "AntiVirusDisableNotify"
      With data: "1"
    • Sets value: "FirewallDisableNotify"
      With data: "1"
    • Sets value: "FirewallOverride"
      With data: "1"
    • Sets value: "UpdatesDisableNotify"
      With data: "1"
    • Sets value: "UacDisableNotify"
      With data: "1"

Further reading

Analysis by Scott Molenkamp, Karthik Selvaraj, and Tim Liu


Symptoms

The following can indicate that you have this threat on your PC:

  • Your antimalware or security product might not work correctly, or might not work at all
  • You have these files:
    "%TEMP%\wdexplore.exe"
    "%TEMP%\svchost.exe"
  • You see these entries or keys in your registry:
    • In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      Sets value: "Userinit"
      With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe"
    • In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      Sets value: "EnableLUA"
      With data: "0"
    • In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
      Sets value: "Start"
      With data: "4"
    • In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
      Sets value: "Start"
      With data: "4"
    • In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
      Sets value: "Start"
      With data: "4"
    • In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
      Sets value: "EnableFirewall"
      With data: "0"
    • In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
      Sets value: "Start"
      With data: "4"
    • In subkey: HKLM\SOFTWARE\Microsoft\Security Center
      • Sets value: "AntiVirusOverride"
        With data: "1"
      • Sets value: "AntiVirusDisableNotify"
        With data: "1"
      • Sets value: "FirewallDisableNotify"
        With data: "1"
      • Sets value: "FirewallOverride"
        With data: "1"
      • Sets value: "UpdatesDisableNotify"
        With data: "1"
      • Sets value: "UacDisableNotify"
        With data: "1"
    • In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
      • Sets value: "AntiVirusOverride"
        With data: "1"
      • Sets value: "AntiVirusDisableNotify"
        With data: "1"
      • Sets value: "FirewallDisableNotify"
        With data: "1"
      • Sets value: "FirewallOverride"
        With data: "1"
      • Sets value: "UpdatesDisableNotify"
        With data: "1"
      • Sets value: "UacDisableNotify"
        With data: "1"
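
The Winlogon Userinit persistence entry from the Installation section and the registry, service and file symptoms listed above, checked by an added read-only PowerShell audit (not code from the Microsoft entry). It assumes an elevated prompt and the service short names wscsvc, WinDefend, wuauserv and MpsSvc, which are the names the entry's Start=4 registry paths use.

```powershell
# Added example, not code from the Microsoft entry: read-only audit of the
# Winlogon persistence entry and the registry, service and file symptoms
# listed above. Prints one line per indicator and changes nothing.
$findings = @()

# Winlogon\Userinit normally holds only "<system>\userinit.exe,"; Ramnit
# appends its own path after the comma, so any extra entry is suspicious.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name Userinit).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($e in $entries) {
    if ($e -ne $expected) { $findings += "Userinit hijack: $e" }  # -ne ignores case
}

# EnableLUA=0 and EnableFirewall=0 are the two settings the malware flips.
$luaKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = Get-ItemProperty -Path $luaKey -Name EnableLUA -ErrorAction SilentlyContinue
if ($lua -and $lua.EnableLUA -eq 0) { $findings += 'EnableLUA = 0 (UAC off)' }
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters' +
         '\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) { $findings += 'EnableFirewall = 0' }

# The Security Center override/notify values do not exist on a clean system.
$names = 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallDisableNotify',
         'FirewallOverride', 'UpdatesDisableNotify', 'UacDisableNotify'
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        if ($props -and $null -ne $props.$n) { $findings += "$key\$n = $($props.$n)" }
    }
}

# Start = 4 means Disabled for the four services the malware turns off.
foreach ($svc in 'wscsvc', 'WinDefend', 'wuauserv', 'MpsSvc') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = (Get-ItemProperty -Path $k -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "$svc service disabled (Start = 4)" }
}

# Dropped-file names from the symptoms list; the real svchost.exe lives in
# system32, so a copy in %TEMP% is not legitimate.
foreach ($f in 'wdexplore.exe', 'svchost.exe') {
    $p = Join-Path $env:TEMP $f
    if (Test-Path $p) { $findings += "suspicious file: $p" }
}

if ($findings.Count -eq 0) { 'No Win32/Ramnit indicators found' } else { $findings }
```

A hit on any line is a reason to run the full scan and the Malicious Software Removal Tool described under "What to do now", not a confirmation on its own.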

Prevention


Alert level: Severe
This entry was first published on: May 10, 2011
This entry was updated on: Dec 09, 2014

This threat is also detected as:
No known aliases