Trojan:Win32/Ramnit.D is a trojan that modifies files with certain file extensions, injects code into processes and communicates with a remote server to receive instructions from an attacker.
Installation
Trojan:Win32/Ramnit.D may be installed by other variants of Win32/Ramnit, such as Virus:Win32/Ramnit.AC, and is present as a randomly named file such as the following:
%AppData%\blvvcvww\jonimvgn.exe
%USERPROFILE%\Start Menu\Programs\Startup\jonimvgn.exe
The trojan modifies the registry so that it runs each time Windows starts:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, %AppData%\blvvcvww\jonimvgn.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "JonImvgn"
With data: "%AppData%\blvvcvww\jonimvgn.exe"
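The two persistence mechanisms above can be triaged from exported registry data. The following is an added example, not part of this analysis: it parses the comma-separated Userinit data and flags any entry other than the system folder's userinit.exe, and it flags Run-key values whose data matches the random-folder, random-name layout under %AppData% shown above. The system-folder hints and the random-name pattern are assumptions tuned to the sample paths on this page.

```python
import ntpath
import re

# On a clean host the Userinit data is a single entry pointing at userinit.exe
# in the system folder (normally C:\Windows\system32), with a trailing comma.
# Ramnit.D appends its dropper as a second entry so Winlogon launches it too.
LEGIT_USERINIT_NAME = "userinit.exe"
# Assumed folder hints; "<system folder>" covers the placeholder used on this page.
SYSTEM_FOLDER_HINTS = (r"\windows\system32", r"\winnt\system32", "<system folder>")

def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit data into trimmed, non-empty entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]

def suspicious_userinit_entries(value: str) -> list[str]:
    """Return every Userinit entry that is not the system folder's userinit.exe.

    Any extra entry is a persistence indicator worth investigating, because
    Winlogon runs each listed program at logon.
    """
    flagged = []
    for entry in parse_userinit(value):
        folder, name = ntpath.split(entry)
        folder_l = folder.lower()
        in_system_folder = any(h in folder_l for h in SYSTEM_FOLDER_HINTS)
        if name.lower() != LEGIT_USERINIT_NAME or not in_system_folder:
            flagged.append(entry)
    return flagged

# Heuristic (assumption): a Run value whose data is %AppData%\<letters>\<letters>.exe
# matches the dropper layout described above (%AppData%\blvvcvww\jonimvgn.exe).
RANDOM_APPDATA_RE = re.compile(
    r"^%appdata%\\[a-z]{6,12}\\[a-z]{6,12}\.exe$", re.IGNORECASE)

def suspicious_run_values(run_values: dict[str, str]) -> list[str]:
    """Return the names of Run-key values whose data matches the random AppData layout.

    run_values maps value name -> value data, as exported from
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
    """
    return [name for name, data in run_values.items()
            if RANDOM_APPDATA_RE.match(data.strip().strip('"'))]
```

Constructed inputs such as the page's Userinit data and a Run key containing the "JonImvgn" value exercise both checks; a clean Userinit value of `C:\Windows\system32\userinit.exe,` yields no findings.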
Payload
Installs other malware
The trojan drops a device driver as the following:
%TEMP%\<random>.sys (for example 'qdlppsca.sys') - detected as Trojan:WinNT/Ramnit.gen!A
Trojan:Win32/Ramnit.gen!A injects malicious code into certain processes including, but not limited to, the following:
- iexplore.exe
- alg.exe
- winlogon.exe
- svchost.exe
- services.exe
- explorer.exe
- msieexec.exe
Infects files
This trojan searches for, and modifies, files with the file extensions ".exe", ".htm" and ".html". The modified files may be detected as Virus:Win32/Ramnit.AC and Virus:VBS/Ramnit.D.
Communicates with a remote server
This trojan connects to one of the following remote servers to receive commands from a remote attacker, such as instructions to download other files:
- carrerfullezz.com
- fssuatmti.com
Analysis by Shawn Wang