Worm:Win32/Ramnit.A is a worm that is dropped by a Virus:Win32/Ramnit.A-infected executable.

What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
For more information on antivirus software, see

Threat behavior

Worm:Win32/Ramnit.A is a worm that is dropped by a Virus:Win32/Ramnit.A-infected executable.
When executed, Worm:Win32/Ramnit.A copies itself to %program_files%\microsoft\desktoplayer.exe.
Worm:Win32/Ramnit.A also creates a mutex named "KyUffThOkYwRRtgPP".
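
An added example, not part of the original entry or of Microsoft's tooling: a PowerShell triage check for the dropped copy and the mutex described above. It assumes the check runs inside the affected user's logon session (an unprefixed mutex name resolves in the caller's session namespace) and it also looks under the 32-bit Program Files folder, which the entry does not mention.

```powershell
# Added triage example (not from the original entry): looks for the two
# indicators the entry names, from the current logon session.
$MutexName = 'KyUffThOkYwRRtgPP'            # mutex name as given in the entry
$RelPath   = 'microsoft\desktoplayer.exe'   # path under %program_files% as given

function Test-RamnitDroppedFile {
    # The entry says %program_files%; also checking the 32-bit folder on
    # 64-bit Windows is an assumption of this example.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        $candidate = Join-Path $root $RelPath
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $item = Get-Item -LiteralPath $candidate -Force
            [pscustomobject]@{
                Path    = $item.FullName
                Length  = $item.Length
                Created = $item.CreationTimeUtc
                SHA256  = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            }
        }
    }
}

function Test-RamnitMutex {
    # Returns 'Present', 'PresentAccessDenied' or 'Absent'.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($MutexName)
        $m.Close()            # drop our handle only; ownership is never taken
        return 'Present'
    } catch [System.UnauthorizedAccessException] {
        return 'PresentAccessDenied'   # object exists but its ACL denies us
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return 'Absent'
    }
}

$files = @(Test-RamnitDroppedFile)
$mutex = Test-RamnitMutex
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    DroppedFiles = $files
    MutexState   = $mutex
    Suspicious   = ($files.Count -gt 0) -or ($mutex -ne 'Absent')
}
```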

Injects code

Worm:Win32/Ramnit.A launches the default web browser and injects code into it.
The injected code may be detected as Virus:Win32/Ramnit.A!dll, which contains the file infection functionality. See the description for Virus:Win32/Ramnit.A!dll for more details on the injected code.
Analysis by Chun Feng


System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:



Alert level: Severe
First detected by definition: 1.87.465.0
Latest detected by definition: 1.183.1399.0 and higher
First detected on: Jul 23, 2010
This entry was first published on: Aug 10, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • (Kaspersky)
  • Trojan horse SHeur3.ANKJ (AVG)
  • TR/Crypt.ZPACK.Gen (Avira)
  • Win32/Ramnit.A (CA)
  • Packed.Win32.Krap (Ikarus)
  • Trj/Krap.Y (Panda)
  • Mal/Zbot-U (Sophos)
  • Trojan.Win32.Generic!BT (Sunbelt Software)