Malware name: Win32/Ramnit
Detection rate: 41 / 44 (93.2%) for an old sample; newer variants have a lower detection rate.
Detected by Malwarebytes: Yes
Difficulty of removal once installed: (rating bar from the original post, not reproduced here)
Symptoms: Lag spike every ~30 seconds, files not working properly.
This malware is considered a cocktail infection.
Ramnit is made up of several different malware components.
The first is a backdoor that connects out to the attacker. Through it the attacker can install anything on your computer or use the machine to steal your information.
The second is a rootkit that hides the files the attacker installs through the backdoor.
The third is a file infector whose job is to infect as many files as it can, so that the infection is re-launched whenever one of them is run and the attacker keeps control of the system.
Together, these make the infection very hard to remove.
There are many different variations of this malware; I will be testing the variation Ramnit.F.
Once the file has been opened, it creates 2 browser processes (your default browser). In my case, it was Firefox.
Those browser processes are used to carry the backdoor connection to the attacker.
After this, it created the folder called C:\Program Files\jFUoTnea(Úñ~Ìjvumlstn.exe
In that folder, there was a hidden file called jvumlstn.exe (I used gmer.exe to view the file).
It modifies the Userinit value under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Original value (shown in blue in the original post): C:\WINDOWS\system32\userinit.exe,
Modified value (shown in red): C:\WINDOWS\system32\userinit.exe,,C:\Program Files\jFUoTnea(Úñ~Ìjvumlstn.exe\jvumlstn.exe
Winlogon launches every comma-separated entry in this value at logon, so the malware is started with every user session.
The file infector (jvumlstn.exe) injects malicious code into every .exe, .dll, .html and .htm file it can reach (the process is hidden).
For .html and .htm files it injects a VBScript, which is almost useless in practice: only Internet Explorer runs VBScript in a web page at all, and an up-to-date browser blocks it.
If you open an infected .exe or .dll, the program runs normally, but it also launches jvumlstn.exe (some programs, usually anti-virus/anti-malware products, protect themselves against this).
This infection also spreads like a worm.
It creates an autorun.inf file on every USB drive.
It also places the executable (randomly named) in a folder called "Recycle bin" on the USB drive.
When you plug the infected USB drive into another computer, Windows automatically processes autorun.inf (unless you have turned the feature off; it is on by default).
The autorun.inf tells Windows to execute the virus in the Recycle bin folder.
Other variations create different files/folders, but they use the same method of infection.
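To make the USB propagation step concrete, here is an added example (not code from the original post) that parses an autorun.inf the way Windows reads it, picks out the entries that launch a program, and flags any launcher that lives inside a folder posing as the recycle bin. The autorun.inf text and the executable name xkqjzbnd.exe are constructed for this example; Ramnit picks random names. Point scan_drive() at the root of a mounted USB stick to check it.

```python
import configparser
import os
import tempfile

# Keys in the [autorun] section that make Windows launch a program when the
# drive is inserted or opened; worms also use the shell\<verb>\command keys.
LAUNCH_KEYS = ("open", "shellexecute")
# Folder names a dropper hides in: the post describes a folder literally
# called "Recycle bin"; the other two are the real names of the Windows bin.
BIN_FOLDER_NAMES = ("recycle bin", "recycler", "$recycle.bin")

# Constructed sample in the style the post describes (file name made up here).
SAMPLE_AUTORUN_INF = """\
[autorun]
open=Recycle bin\\xkqjzbnd.exe
shell\\open\\command=Recycle bin\\xkqjzbnd.exe
shell\\explore\\command=Recycle bin\\xkqjzbnd.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def autorun_targets(inf_text):
    """Return the programs an autorun.inf asks Windows to run, in file order."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(inf_text)
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                target = value.strip().strip('"')
                if target and target not in targets:
                    targets.append(target)
    return targets


def is_bin_folder_launch(target):
    """True when the launched file sits under a folder posing as the recycle bin."""
    parts = target.replace("/", "\\").split("\\")
    return any(p.strip().lower() in BIN_FOLDER_NAMES for p in parts[:-1])


def scan_drive(root):
    """Look for an autorun.inf at `root` (a drive root or any directory) that
    launches something from a fake recycle-bin folder. Returns a list of
    (target, file_present_on_drive) tuples for the suspicious entries."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for target in autorun_targets(text):
        if is_bin_folder_launch(target):
            local = os.path.join(root, *target.replace("/", "\\").split("\\"))
            findings.append((target, os.path.isfile(local)))
    return findings


def demo():
    """Build a throwaway 'USB stick' layout with the sample files and scan it."""
    with tempfile.TemporaryDirectory() as stick:
        with open(os.path.join(stick, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        bin_dir = os.path.join(stick, "Recycle bin")
        os.mkdir(bin_dir)
        with open(os.path.join(bin_dir, "xkqjzbnd.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
        return scan_drive(stick)


if __name__ == "__main__":
    for target, present in demo():
        print("autorun.inf launches %r (file present: %s)" % (target, present))
```

The check reports rather than deletes: a legitimate autorun.inf only sets an icon or label, so anything that launches a program from a "Recycle bin" folder deserves a look before you clean the stick.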
They include, C:\program files\Microsoft\watermark.exe
C:\program files\Microsoft\desktoplayer.exe
C:\program files\blvvcvww\jonimvgn.exe
(I may be missing some)
They all modify the same registry value (Userinit).
Removal: Removing this malware is quite annoying, since it can infect the anti-malware programs themselves.
First, download an anti-virus program that can cure (disinfect) this type of infection rather than only deleting the infected files.
I've tested many anti-viruses and the best one so far is Dr.Web CureIt! free anti-virus (explained in Extra notes).
Download it here:
http://www.freedrweb.com/cureit/?lng=en
Before you execute Dr.Web, you should end the backdoor / file infector processes.
To do so, open Task Manager (Ctrl+Alt+Delete), go to the Processes tab, then end every browser process.
After you've done this, install/update Dr.Web, then perform the full scan.
It should cure the infected files.
Then download Malwarebytes Anti-Malware to remove the rest of the malicious files.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022%5F4-10804572.html
If Malwarebytes didn't detect all of the files (the rootkit), we will need to use gmer.exe.
Download gmer.exe here:
http://www2.gmer.net/download.php
Note: gmer.exe is only needed for certain variations of this virus. If you can see the files in the infected folder using Explorer (desktoplayer.exe, Watermark.exe, etc.), just right-click them, choose Delete, then empty your Recycle Bin.
If you can't see the file, you might have the rootkit variation of this virus (jvumlstn.exe), so we need the gmer.exe rootkit detector.
Once downloaded, open it, click the "> > >" tab, then click the Files tab.
Locate C:\Program Files\"Malicious Folder"\
The file should be shown in red; click it once, then click Delete on the right-hand side.
After you've deleted the file, delete the modified registry value (assuming Malwarebytes didn't fix it).
Click Start - Run, then type "regedit" without the quotes.
Locate HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Then on the right-hand side, double-click Userinit and change the value to C:\WINDOWS\system32\userinit.exe, (including the trailing comma).
Double-check the path before closing regedit: if Userinit points at a program that does not exist, Windows cannot complete logon the next time you sign in.
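Because the Userinit tampering is the one persistence step every variant listed above shares, here is an added example (not from the original post) that inspects the value offline. It reads the Userinit string out of a `reg export` of the Winlogon key, splits it on commas the way winlogon does, lists every program other than the real userinit.exe, and produces a .reg snippet that restores the stock value with its trailing comma. The exported text is constructed for this example (the malware path is one of the variant paths listed above; the Shell line is assumed typical XP content), and the functions take the system root as a parameter so the check also works for C:\Windows on later versions. Note that `reg export` writes UTF-16, so read the real file with encoding="utf-16".

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of `reg export "HKLM\...\Winlogon" winlogon.reg` taken on
# an infected XP machine. The launcher path is one of the variant paths the
# post lists; the Shell line is assumed here as typical content of that key.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,,C:\\Program Files\\blvvcvww\\jonimvgn.exe"
"""

_USERINIT_LINE = re.compile(r'^"Userinit"="(.*)"\s*$', re.MULTILINE | re.IGNORECASE)


def userinit_from_reg_export(text):
    """Pull the Userinit string out of .reg text, or None if it is not there.
    .reg files escape backslash and double quote with a backslash."""
    match = _USERINIT_LINE.search(text)
    if not match:
        return None
    return re.sub(r"\\(.)", r"\1", match.group(1))


def userinit_entries(value):
    """Split the value the way winlogon does: comma separated, empty items ignored
    (which is why the tampered value's double comma still runs the malware)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def foreign_userinit_entries(value, system_root=r"C:\WINDOWS"):
    """Everything in Userinit other than the real userinit.exe. Each of these is
    a program winlogon launches at every logon, so each one is a finding."""
    legit = (system_root + r"\system32\userinit.exe").lower()
    return [e for e in userinit_entries(value) if e.strip('"').lower() != legit]


def repair_reg_snippet(system_root=r"C:\WINDOWS"):
    """A .reg file body that restores the stock value (trailing comma included).
    Import it with regedit or `reg import`; it touches only Userinit."""
    clean = (system_root + r"\system32\userinit.exe,").replace("\\", "\\\\")
    return 'Windows Registry Editor Version 5.00\n\n[%s]\n"Userinit"="%s"\n' % (WINLOGON_KEY, clean)


if __name__ == "__main__":
    value = userinit_from_reg_export(SAMPLE_REG_EXPORT)
    for entry in foreign_userinit_entries(value):
        print("foreign logon program:", entry)
    print(repair_reg_snippet())
```

Run it before and after the cleanup: an empty list from foreign_userinit_entries() on the post-cleanup export confirms the value was fixed, and the generated snippet avoids typing the path by hand in regedit.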
And we're done!
Extra notes: I've tested the removal of this virus with Avast, Kaspersky, Microsoft Security Essentials and a few others. The biggest problem I've noticed is that those anti-viruses can't cure the infected .exe or .dll files.
They will only give you the option to delete or quarantine those files.
"Those files" can include your games, paid programs, and other programs on your computer that you may need.
If you delete them, you'll probably need to reinstall them.
Dr.web CureIt can cure the infected files quite easily.
Every time you open a file that has been infected by the file infector, it creates an infected file in the same folder called "FileName"mgr.exe.
If this happens, make sure to delete the file with the additional "mgr" at the end of its name.
Other variations use the ending srv.exe instead.
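Hunting those companion files by hand across a whole disk is tedious, so here is an added example (not from the original post) that walks a directory tree and lists every <base>mgr.exe or <base>srv.exe that sits next to a file whose name without extension is exactly <base>, which is the naming rule described above. The folder layout in demo() is constructed; the function only reports, it never deletes, so you can review the list before removing anything.

```python
import os
import tempfile

# Name endings the post reports for the companion file the infector drops
# beside a program you run ("FileName"mgr.exe, or srv.exe in other variants).
COMPANION_SUFFIXES = ("mgr.exe", "srv.exe")


def companion_droppings(root):
    """Walk `root` and return the paths of files named <base>mgr.exe or
    <base>srv.exe that sit beside a file whose stem is exactly <base>.
    A lone taskmgr.exe is not reported, since no task.* sits next to it."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        stems = {os.path.splitext(name)[0].lower() for name in files}
        for name in files:
            lower = name.lower()
            for suffix in COMPANION_SUFFIXES:
                if lower.endswith(suffix) and len(lower) > len(suffix):
                    base = lower[: -len(suffix)]
                    if base in stems:
                        hits.append(os.path.join(dirpath, name))
                        break
    return sorted(hits)


def demo():
    """Lay out a constructed folder tree and return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        games = os.path.join(root, "Games")
        os.mkdir(games)
        for name in ("game.exe", "gamemgr.exe", "readme.txt"):
            open(os.path.join(games, name), "wb").close()
        tools = os.path.join(root, "Tools")
        os.mkdir(tools)
        for name in ("setup.exe", "setupsrv.exe", "taskmgr.exe"):
            open(os.path.join(tools, name), "wb").close()
        return [os.path.basename(p) for p in companion_droppings(root)]


if __name__ == "__main__":
    for flagged in demo():
        print("companion dropping:", flagged)
```

Run companion_droppings(r"C:\") on the infected machine once the scanners have finished; each hit is a file to delete, and its sibling is a file that was run while infected and should be rescanned.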
While scanning with your anti-virus/anti-malware to remove this infection, it's highly recommended that you do not open any other files, because they may be infected.
Let's say you're scanning with your anti-virus, it's almost done, and you decide to open a file that you didn't know was infected (but it was).
This recreates the virus in the C:\Program Files folder, re-modifies the Userinit registry value, recreates the backdoor and continues infecting your files, which is not what you want.
This post was edited by ShadowFiend on Oct 4 2011 02:04pm