Threat behavior
Virus:Win32/Ramnit.G is a detection for a virus that infects Windows executable files and HTML files, and spreads to removable drives. The virus attempts to open a backdoor and wait for instructions.
Installation
When executed, the virus drops a file as "<file_name>Srv.exe" (for example, "mytestSrv.exe"), where <file_name> is the file name of the infected executable. The dropped file is then executed. This file may be detected as Worm:Win32/Ramnit.A.
Virus:Win32/Ramnit.G also drops itself as "watermark.exe" in the %program_files%\microsoft directory; when launched, this copy injects code into <system folder>\svchost.exe.
The malware also makes the following registry modification:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,,%program_files%\microsoft\watermark.exe"
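As an added example (not part of the original analysis), a Python check for the Userinit persistence described above: it parses the comma-separated Userinit value, tolerates the empty entry Ramnit leaves between the double commas, and reports any entry other than the system userinit.exe. The expanded paths C:\Windows\System32 and C:\Program Files are assumptions standing in for <system folder> and %program_files%; the live-read helper uses Python's standard winreg module, so it only works on Windows.

```python
from pathlib import PureWindowsPath

# Winlogon runs every comma-separated program listed in Userinit at logon.
# A clean system normally lists only <system folder>\userinit.exe; Ramnit.G
# appends ",,%program_files%\microsoft\watermark.exe" to that value.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = "userinit.exe"  # basename of the one legitimate entry


def parse_userinit(value):
    """Split a Userinit value into its program entries.

    Handles the empty entry between double commas, a trailing comma,
    quoted paths and stray whitespace.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def unexpected_userinit_entries(value, system_folder=r"C:\Windows\System32"):
    """Return entries that are not the system userinit.exe itself.

    system_folder is an assumed expansion of <system folder>. Any entry whose
    basename is not userinit.exe, or which lives outside that folder, is
    reported, so watermark.exe is flagged and so is a userinit.exe copied
    elsewhere. PureWindowsPath compares paths case-insensitively.
    """
    expected_dir = PureWindowsPath(system_folder)
    suspicious = []
    for entry in parse_userinit(value):
        path = PureWindowsPath(entry)
        if path.name.lower() != EXPECTED_USERINIT or path.parent != expected_dir:
            suspicious.append(entry)
    return suspicious


def read_live_userinit():
    """Read the current Userinit value from HKLM (Windows only)."""
    import winreg  # standard library, only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample mirroring the value the page describes, with the
    # placeholders expanded to assumed paths.
    sample = r"C:\Windows\System32\userinit.exe,,C:\Program Files\microsoft\watermark.exe"
    print(unexpected_userinit_entries(sample))
```

On a Windows host, passing `read_live_userinit()` to `unexpected_userinit_entries` checks the real value; a non-empty result is worth investigating.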
Spreads via…
Infects files
Virus:Win32/Ramnit.G also infects HTML files (those with an .HTML or .HTM extension). The infected files may be detected as Virus:VBS/Ramnit.B.
Payload
Allows backdoor access and control
Virus:Win32/Ramnit.G creates a backdoor by connecting to a remote server. Using this backdoor, a remote attacker can instruct an affected computer to download and execute files.
In the wild, we have observed the malware contacting the following domains for this purpose:
Analysis by Tim Liu
Prevention