Win32/Ramnit

Installation

The threat copies itself using a hard-coded name or, in some cases, with a random file name to a random folder, for example:

• %ProgramFiles%\Microsoft\desktoplayer.exe
• %ProgramFiles% \blvvcvww\jonimvgn.exe
• %ProgramFiles% \Microsoft\watermark.exe

Some variants copy themselves to the %TEMP% folder with a random name, for example lvjekdwi.exe, hvhvufsa.exe.  

This file might be detected as Worm:Win32/Ramnit.A or by another similar detection name.

It creates the following registry entry to ensure that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe" 

Win32/Ramnit launches a new instance of the system process svchost.exe and injects code into it. If the malware is unable to inject its code into svchost, it searches for your default web browser and injects its code into the browser's process.

The malware hooks the following APIs for this purpose:

• ZwCreateUserProcess
• ZwWriteVirtualMemory

The infection and backdoor functionality occurs in the web browser process context; it might do this to avoid detection and make cleaning an infection more difficult.

Spreads through…

File infection

Older variants of Win32/Ramnit spread by infecting certain files with virus code. However, we have seen new variants without this file-infection functionality. The reason for the removal of this functionality in new variants might be to hinder detection and removal of the variant. 

Older versions of the malware infect:

• Windows executable files with a file extension of .exe, .dll, and .scr.

The infected executables might be detected as Virus:Win32/Ramnit.A or by another similar detection name.

• HTML document files with .html or .htm extensions.

The infected HTML files might be detected as Virus:VBS/Ramnit.A or by another similar detection name. The infected HTML files have an appended VBScript. When the infected HTML file is loaded by a web browser, the VBScript might drop a copy of Win32/Ramnit as %TEMP%\svchost.exe and then run the copy.

• Microsoft Office OLE document files with .doc, .docx, or .xls file extensions.

The infected document might be detected as Virus:O97M/Ramnit. The infected document contains a macro which will attempt to run when the document is opened. The macro might drop a copy of Win32/Ramnit as %TEMP%\wdexplore.exe and then run the copy.

Removable and network drives

Win32/Ramnit makes copies of the installer to removable drives with a random file name. The file might also be placed in a randomly-named directory in the \RECYCLER\folder in the root of the drive, as in the following example:

<drive:> \RECYCLER\s-5-1-04-5443402830-2472267086-003818317-4634\rdkidfba.exe

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files tell the operating system to launch the malware file automatically when the network drive is accessed from another PC that supports the Autorun feature.

This is particularly common malware behavior, generally used to spread malware from PC to PC.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs.

Payload

Connects to a remote server

Win32/Ramnit connects and sends information to a remote server, which it connects through TCP port 443.

The malware generates the name of the command and control server using domain generation algorithm (DGA), for example:

• caytmlnlrou.com
• cxviaodxefolgkokdqy.com
• empsqyowjuvvsvrwj.com
• gokbwlivwvgqlretxd.com
• htmthgurhtchwlhwklf.com
• jiwucjyxjibyd.com
• khddwukkbwhfdiufhaj.com
• ouljuvkvn.com
• qbsqnpyyooh.com
• snoknwlgcwgaafbtqkt.com
• swbadolov.com
• tfgyaoingy.com
• tiqfgpaxvmhsxtk.com
• ubkfgwqslhqyy.com
• ukiixagdbdkd.com
• vwaeloyyutodtr.com

The malware downloads other components from the server. These components change often, and can perform the following actions:

• Steal FTP credentials (user names and passwords)
• Enable backdoor access and control via "virtual network computing" (VNC)
• Steal bank credentials (user names and passwords)

• End or close certain antimalware programs

Win32/Ramnit can receive additional instructions from the server, including instructions to:

• Download other malware
• Shut down your PC
• Take a screenshot
• Update the malware to the latest version
• Send collected information about cookies on your PC to the server
• Delete cookies stored on your PC

Win32/Ramnit sends information about your PC to the server, including the following:

• The name of your PC
• The number of processes your PC has
• The type of processor
• The serial number of your PC's hard disk volume
• The version and build of your operating system

The malware also receives a list of antimalware products from the remote server. It then closes or stops any processes related to those antimalware products.

Steals sensitive data

Win32/Ramnit might steal stored FTP passwords and user names from a number of common FTP applications, including:

• 32bit FTP
• BulletproofFTP
• ClassicFTP
• Coffee cup ftp
• Core Ftp
• Cute FTP
• Directory opus
• Far Manager
• FFFtp
• FileZilla
• FlashXp
• Fling
• Frigate 3
• FtpCommander
• FtpControl
• FtpExplorer
• LeapFtp
• NetDrive
• SmartFtp
• SoftFx FTP
• TurboFtp
• WebSitePublisher
• Windows/Total commander
• WinScp
• WS FTP

Win32/Ramnit might also steal bank credentials by hooking the following APIs:

• HttpOpenRequestA
• HttpOpenRequestW
• HttpSendRequestA
• HttpSendRequestExA
• HttpSendRequestExW
• HttpSendRequestW
• InternetCloseHandle
• InternetOpenUrlA
• InternetOpenUrlW
• InternetQueryDataAvailable
• InternetReadFile
• InternetReadFileExA
• InternetReadFileExW
• InternetWriteFile

The malware collects stored browser cookies from the following web browsers:

• Chrome
• Firefox
• Internet Explorer
• Opera
• Safari

The captured credentials are then sent to a remote server for collection by a hacker.

Disables security and antimalware software and services

The malware disables certain Windows functions that are designed to keep your PC safer and more secure. It disables these functions by making a number of registry modifications.

• It disables the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by making the following registry modifications:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

• It disables Windows Security Center:

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"

• It disables Windows Defender:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Sets value: "Start"
With data: "4"

• It disables the Windows Update AutoUpdate Service: 

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4"

• It disables the Windows Firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Sets value: "Start"
With data: "4"

• It disables the RapportMgmtService, if it exists on your PC. This service belongs to Rapport, which is a security program that you or your network administrator might have installed on your PC.
• It might also disable or close certain antimalware products, including AVG Antivirus 2013.

The malware also tampers with your default Windows security settings by enabling the following functions:

• In subkey: HKLM\SOFTWARE\Microsoft\Security Center
  Sets value: "AntiVirusOverride"
  With data: "1"
• Sets value: "AntiVirusDisableNotify"
  With data: "1"
• Sets value: "FirewallDisableNotify"
  With data: "1"
• Sets value: "FirewallOverride"
  With data: "1"
• Sets value: "UpdatesDisableNotify"
  With data: "1"
• Sets value: "UacDisableNotify"
  With data: "1"
• In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
  Sets value: "AntiVirusOverride"
  With data: "1"
• Sets value: "AntiVirusDisableNotify"
  With data: "1"
• Sets value: "FirewallDisableNotify"
  With data: "1"
• Sets value: "FirewallOverride"
  With data: "1"
• Sets value: "UpdatesDisableNotify"
  With data: "1"
• Sets value: "UacDisableNotify"
  With data: "1"

Further reading

• Ramnit - The renewed bot in town
• Little Red Ramnit: My, what big eyes you have, Grandma!
• Microsoft Security Intelligence Report Volume 11: January - June 2011
• Ramnit evolution – From worm to financial malware
• Ramnit goes social

Analysis by Scott Molenkamp, Karthik Selvaraj, and Tim Liu