Warning message... Link to action
In MITRE's evaluation of EDR solutions, Windows Defender ATP demonstrated industry-leading optics and detection capabilities Read the blog: Insights from the MITRE evaluation
Win32/Ramnit
Severe |Detected with Windows Defender Antivirus
Aliases: No associated aliases
Summary
Windows Defender Antivirus detects and removes this threat.
This malware family steals your sensitive information, such as your bank user names and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running.
These threats can be installed on your PC through an infected removable drive, such as a USB flash drive.
Run antivirus or antimalware software
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool
You should also run a full scan. A full scan might find hidden malware.
Advanced troubleshooting
To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.
Get more help
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
NOTE: The Microsoft Windows Malicious Software Removal Tool automatically restores the default Windows security setting as it remediates this malware issue. However, if you encounter any issues, you can also manually enable the Windows functions that the malware disabled to tamper with your system and lower your Windows security.
- Enable the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by modifying the following registry entries:
- In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "1" - Delete the following keys which do not exist by default:
- HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride
- HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify
- HKLM\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify
- HKLM\SOFTWARE\Microsoft\Security Center\\FirewallOverride
- HKLM\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify
- HKLM\SOFTWARE\Microsoft\Security Center\\UacDisableNotify
- HKLM\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusOverride
- HKLM\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusDisableNotify
- HKLM\SOFTWARE\Microsoft\Security Center\Svc\\FirewallDisableNotify
- HKLM\SOFTWARE\Microsoft\Security Center\Svc\\FirewallOverride
- HKLM\SOFTWARE\Microsoft\Security Center\Svc\\UpdatesDisableNotify
- HKLM\SOFTWARE\Microsoft\Security Center\Svc\\UacDisableNotify
- Enable the Windows Firewall by modifying the following registry entries:
- In subkey:HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value:"EnableFirewall"
With data: "1" - In the Run command field, type services.msc to go to the Services manager console.
- Search for following services:
- Security Center
- Windows Defender Service
- Windows Firewall
- Windows Update
- Right-click, then go to Properties.
- Set the Startup type to Automatic.
Protect your sensitive information
This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:
You should change your passwords after you've removed this threat:
Advanced troubleshooting
To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.
Enable MAPS
Enable the Microsoft Active Protection Service (MAPS) on your system to protect your enterprise software security infrastructure in the cloud.
-
Check if MAPS is enabled in your Microsoft security product:
-
Select Settings and then select MAPS.
-
Select Advanced membership, then click Save changes. With the MAPS option enabled, your Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service.
- Join the Microsoft Active Protection Service Community.
Get more help
You can also ask for help from other PC users at the Microsoft virus and malware community.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
The threat copies itself using a hard-coded name or, in some cases, with a random file name to a random folder, for example:
- %ProgramFiles%\Microsoft\desktoplayer.exe
- %ProgramFiles% \blvvcvww\jonimvgn.exe
- %ProgramFiles% \Microsoft\watermark.exe
Some variants copy themselves to the %TEMP% folder with a random name, for example lvjekdwi.exe, hvhvufsa.exe.
This file might be detected as Worm:Win32/Ramnit.A or by another similar detection name.
It creates the following registry entry to ensure that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe"
Win32/Ramnit launches a new instance of the system process svchost.exe and injects code into it. If the malware is unable to inject its code into svchost, it searches for your default web browser and injects its code into the browser's process.
The malware hooks the following APIs for this purpose:
- ZwCreateUserProcess
- ZwWriteVirtualMemory
The infection and backdoor functionality occurs in the web browser process context; it might do this to avoid detection and make cleaning an infection more difficult.
Spreads through…
File infection
Older variants of Win32/Ramnit spread by infecting certain files with virus code. However, we have seen new variants without this file-infection functionality. The reason for the removal of this functionality in new variants might be to hinder detection and removal of the variant.
Older versions of the malware infect:
- Windows executable files with a file extension of .exe, .dll, and .scr.
The infected executables might be detected as Virus:Win32/Ramnit.A or by another similar detection name.
- HTML document files with .html or .htm extensions.
The infected HTML files might be detected as Virus:VBS/Ramnit.A or by another similar detection name. The infected HTML files have an appended VBScript. When the infected HTML file is loaded by a web browser, the VBScript might drop a copy of Win32/Ramnit as %TEMP%\svchost.exe and then run the copy.
- Microsoft Office OLE document files with .doc, .docx, or .xls file extensions.
The infected document might be detected as Virus:O97M/Ramnit. The infected document contains a macro which will attempt to run when the document is opened. The macro might drop a copy of Win32/Ramnit as %TEMP%\wdexplore.exe and then run the copy.
Removable and network drives
Win32/Ramnit makes copies of the installer to removable drives with a random file name. The file might also be placed in a randomly-named directory in the \RECYCLER\folder in the root of the drive, as in the following example:
<drive:> \RECYCLER\s-5-1-04-5443402830-2472267086-003818317-4634\rdkidfba.exe
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files tell the operating system to launch the malware file automatically when the network drive is accessed from another PC that supports the Autorun feature.
This is particularly common malware behavior, generally used to spread malware from PC to PC.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs.
Payload
Connects to a remote server
Win32/Ramnit connects and sends information to a remote server, which it connects through TCP port 443.
The malware generates the name of the command and control server using domain generation algorithm (DGA), for example:
- caytmlnlrou.com
- cxviaodxefolgkokdqy.com
- empsqyowjuvvsvrwj.com
- gokbwlivwvgqlretxd.com
- htmthgurhtchwlhwklf.com
- jiwucjyxjibyd.com
- khddwukkbwhfdiufhaj.com
- ouljuvkvn.com
- qbsqnpyyooh.com
- snoknwlgcwgaafbtqkt.com
- swbadolov.com
- tfgyaoingy.com
- tiqfgpaxvmhsxtk.com
- ubkfgwqslhqyy.com
- ukiixagdbdkd.com
- vwaeloyyutodtr.com
The malware downloads other components from the server. These components change often, and can perform the following actions:
- Steal FTP credentials (user names and passwords)
- Enable backdoor access and control via "virtual network computing" (VNC)
- Steal bank credentials (user names and passwords)
-
End or close certain antimalware programs
Win32/Ramnit can receive additional instructions from the server, including instructions to:
- Download other malware
- Shut down your PC
- Take a screenshot
- Update the malware to the latest version
- Send collected information about cookies on your PC to the server
- Delete cookies stored on your PC
Win32/Ramnit sends information about your PC to the server, including the following:
- The name of your PC
- The number of processes your PC has
- The type of processor
- The serial number of your PC's hard disk volume
- The version and build of your operating system
The malware also receives a list of antimalware products from the remote server. It then closes or stops any processes related to those antimalware products.
Steals sensitive data
Win32/Ramnit might steal stored FTP passwords and user names from a number of common FTP applications, including:
- 32bit FTP
- BulletproofFTP
- ClassicFTP
- Coffee cup ftp
- Core Ftp
- Cute FTP
- Directory opus
- Far Manager
- FFFtp
- FileZilla
- FlashXp
- Fling
- Frigate 3
- FtpCommander
- FtpControl
- FtpExplorer
- LeapFtp
- NetDrive
- SmartFtp
- SoftFx FTP
- TurboFtp
- WebSitePublisher
- Windows/Total commander
- WinScp
- WS FTP
Win32/Ramnit might also steal bank credentials by hooking the following APIs:
- HttpOpenRequestA
- HttpOpenRequestW
- HttpSendRequestA
- HttpSendRequestExA
- HttpSendRequestExW
- HttpSendRequestW
- InternetCloseHandle
- InternetOpenUrlA
- InternetOpenUrlW
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileExA
- InternetReadFileExW
- InternetWriteFile
The malware collects stored browser cookies from the following web browsers:
- Chrome
- Firefox
- Internet Explorer
- Opera
- Safari
The captured credentials are then sent to a remote server for collection by a hacker.
Disables security and antimalware software and services
The malware disables certain Windows functions that are designed to keep your PC safer and more secure. It disables these functions by making a number of registry modifications.
- It disables the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by making the following registry modifications:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
- It disables Windows Security Center:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"
- It disables Windows Defender:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Sets value: "Start"
With data: "4"
- It disables the Windows Update AutoUpdate Service:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4"
- It disables the Windows Firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Sets value: "Start"
With data: "4"
- It disables the RapportMgmtService, if it exists on your PC. This service belongs to Rapport, which is a security program that you or your network administrator might have installed on your PC.
- It might also disable or close certain antimalware products, including AVG Antivirus 2013.
The malware also tampers with your default Windows security settings by enabling the following functions:
- In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1" - Sets value: "AntiVirusDisableNotify"
With data: "1" - Sets value: "FirewallDisableNotify"
With data: "1" - Sets value: "FirewallOverride"
With data: "1" - Sets value: "UpdatesDisableNotify"
With data: "1" - Sets value: "UacDisableNotify"
With data: "1" - In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusOverride"
With data: "1" - Sets value: "AntiVirusDisableNotify"
With data: "1" - Sets value: "FirewallDisableNotify"
With data: "1" - Sets value: "FirewallOverride"
With data: "1" - Sets value: "UpdatesDisableNotify"
With data: "1" - Sets value: "UacDisableNotify"
With data: "1"
Further reading
- Ramnit - The renewed bot in town
- Little Red Ramnit: My, what big eyes you have, Grandma!
- Microsoft Security Intelligence Report Volume 11: January - June 2011
- Ramnit evolution – From worm to financial malware
- Ramnit goes social
Analysis by Scott Molenkamp, Karthik Selvaraj, and Tim Liu
Prevention
The following can indicate that you have this threat on your PC:
- Your antimalware or security product might not work correctly, or might not work at all.
- You have these files:
"%TEMP%\wdexplore.exe"
"%TEMP%\svchost.exe
- You see these entries or keys in your registry:
- In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe" - In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0" - In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1" - In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4" - In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Sets value: "Start"
With data: "4" - In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4" - In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0" - In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Sets value: "Start"
With data: "4" -
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1 - Sets value: "AntiVirusDisableNotify"
With data: "1" - Sets value: "FirewallDisableNotify"
With data: "1" - Sets value: "FirewallOverride"
With data: "1" - Sets value: "UpdatesDisableNotify"
With data: "1 - Sets value: "UacDisableNotify"
With data: "1 - In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusOverride"
With data: "1 - Sets value: "AntiVirusDisableNotify"
With data: "1 - Sets value: "FirewallDisableNotify"
With data: "1" - Sets value: "FirewallOverride"
With data: "1" - Sets value: "UpdatesDisableNotify"
With data: "1" - Sets value: "UacDisableNotify"
With data: "1"
