Microsoft security software detects and removes this threat.

This threat steals your sensitive information, such as your saved FTP credentials and web browser cookies.

It spreads via infected removable drives, such as USB flash drives.

See the Win32/Ramnit family description for more information.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

This threat is part of a family of multi-component malware that infects Windows executable files, Microsoft Office files, and HTML files. Trojan:Win32/Ramnit is the detection for the file that runs viruses that spread via removable drives, and that steals sensitive information such as saved FTP credentials and browser cookies.

Trojan:Win32/Ramnit often arrives disguised as a valid application, for example:

  • AntiVir Command Line Scanner for Windows
  • Common File Format Explorer
  • Flash Player 6.0
  • Hex Workshop
  • Java(TM) Platform SE binary
  • Macromedia Flash Player 6.0
  • Macromedia Flash Player 7.0
  • Macromedia Flash Player 8.0
  • Visual Assist X

See the Win32/Ramnit family description for more information about this threat.

Analysis by Jireh Sanico


Alerts from your security software may be the only symptom.


Alert level: Severe
First detected by definition: 1.97.1035.0
Latest detected by definition: 1.197.1769.0 and higher
First detected on: Feb 04, 2011
This entry was first published on: Feb 04, 2011
This entry was updated on: Sep 22, 2014

This threat is also detected as:
No known aliases