Worm:Win32/Ramnit.A


Worm:Win32/Ramnit.A is a worm that is dropped by a Virus:Win32/Ramnit.A-infected executable.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Worm:Win32/Ramnit.A is a worm that is dropped by a Virus:Win32/Ramnit.A-infected executable.
Installation
When executed, Worm:Win32/Ramnit.A copies itself to %program_files%\microsoft\desktoplayer.exe.
 
Worm:Win32/Ramnit.A also creates a mutex named "KyUffThOkYwRRtgPP".
Payload
Injects code
Worm:Win32/Ramnit.A launches the default web browser and injects code into it.
 
The injected code may be detected as Virus:Win32/Ramnit.A!dll, which contains the file infection functionality. See the description for Virus:Win32/Ramnit.A!dll for more details on the injected code.
 
Analysis by Chun Feng

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:

    %program_files%\microsoft\desktoplayer.exe
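
A host check for the two indicators this entry names, the dropped file and the mutex from the Installation section, written as an added example and not part of the original entry. The function names are hypothetical; checking both Program Files roots and both mutex namespaces is an assumption, since the entry specifies neither.

```powershell
# Indicators taken from this entry.
$RelativePath = 'Microsoft\DesktopLayer.exe'
$MutexName    = 'KyUffThOkYwRRtgPP'

function Test-RamnitFile {   # hypothetical helper name
    # Assumption: on 64-bit Windows a 32-bit process resolves %program_files%
    # to "Program Files (x86)", so both roots are checked.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        $candidate = Join-Path $root $RelativePath
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $item = Get-Item -LiteralPath $candidate -Force
            [pscustomobject]@{
                Indicator = 'File'
                Value     = $item.FullName
                Detail    = "created $($item.CreationTimeUtc.ToString('u')), $($item.Length) bytes"
            }
        }
    }
}

function Test-RamnitMutex {   # hypothetical helper name
    # Assumption: the entry gives no namespace prefix, so the bare name
    # (local to the current logon session) and the Global\ form are both tried.
    foreach ($name in @($MutexName, "Global\$MutexName")) {
        $handle = $null
        $state  = $null
        try {
            $handle = [System.Threading.Mutex]::OpenExisting($name)
            $state  = 'present'
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            continue   # no mutex with this name exists
        } catch [System.UnauthorizedAccessException] {
            $state = 'present (access denied)'   # exists, but owned by another principal
        } finally {
            if ($handle) { $handle.Close() }
        }
        [pscustomobject]@{ Indicator = 'Mutex'; Value = $name; Detail = $state }
    }
}

$hits = @(Test-RamnitFile) + @(Test-RamnitMutex)
if ($hits.Count) { $hits | Format-Table -AutoSize }
else { 'No Worm:Win32/Ramnit.A indicators from this entry were found.' }
```

Because a bare mutex name is visible only within one logon session, run the check in the session of the user being examined. A file hit with no mutex hit can mean the worm is installed but not currently running.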

Prevention


Alert level: Severe
First detected by definition: 1.87.465.0
Latest detected by definition: 1.183.1399.0 and higher
First detected on: Jul 23, 2010
This entry was first published on: Aug 10, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Packed.Win32.Krap.hm (Kaspersky)
  • Trojan horse SHeur3.ANKJ (AVG)
  • TR/Crypt.ZPACK.Gen (Avira)
  • Win32/Ramnit.A (CA)
  • Packed.Win32.Krap (Ikarus)
  • Trj/Krap.Y (Panda)
  • Mal/Zbot-U (Sophos)
  • Trojan.Win32.Generic!BT (Sunbelt Software)