Virus:Win32/Ramnit.N is a virus that spreads by infecting files with certain extensions and by dropping copies of itself on all removable drives. It injects code into certain processes and connects to a remote server to receive instructions.
Installation
When run, Virus:Win32/Ramnit.N drops copies of itself as the following files:
- mgr.exe
- <startup folder>\<random file name>.exe (for example, "<startup folder>\pexkkrjsn.exe")
- %ProgramFiles%\<random folder name>\<random file name>.exe (for example, "%ProgramFiles%\hxgxhjmw\pexkrjsn.exe")
Note: <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
It modifies the system registry so that it automatically runs when a user logs on:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,,%ProgramFiles%\<random folder name>\<random file name>"
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
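The Userinit value above is the persistence point a responder should check first. The legitimate data is a single entry, <system folder>\userinit.exe, normally followed by one trailing comma; the infected value carries a second path after a double comma, so Winlogon launches the malware alongside the real userinit.exe at every logon. The following script is an added example (not part of the original writeup) that splits the value into entries and reports anything other than userinit.exe in the system folder. On Windows it reads the live value from HKLM; elsewhere it falls back to a constructed value shaped like the infected one. The folder name "hxgxhjmw" and file name "pexkrjsn.exe" are the page's illustrative random names, not fixed indicators.

```python
"""Check the Winlogon Userinit value for extra entries of the kind
Virus:Win32/Ramnit.N appends. Added example; paths below are illustrative."""
import ntpath
import os

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def default_system_folder():
    # %SystemRoot% is set on Windows; elsewhere use the default from the writeup.
    return ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")


def parse_userinit(data):
    """Split the comma-separated Userinit data and drop empty entries.

    The infected value contains a double comma, so an empty element sits
    between userinit.exe and the malware path; a single trailing comma is
    normal on a clean system and produces an empty element too.
    """
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def is_legit_userinit_entry(entry, system_folder=None):
    """Only <system folder>\\userinit.exe is expected.

    Compare case-insensitively after expanding %VAR% references and
    stripping surrounding quotes, so a lookalike in another folder is
    not mistaken for the real binary.
    """
    system_folder = system_folder or default_system_folder()
    expected = ntpath.normcase(ntpath.join(system_folder, "userinit.exe"))
    actual = ntpath.normcase(ntpath.expandvars(entry).strip('"'))
    return actual == expected


def find_suspicious_userinit_entries(data, system_folder=None):
    """Return every Userinit entry that is not the legitimate userinit.exe."""
    return [entry for entry in parse_userinit(data)
            if not is_legit_userinit_entry(entry, system_folder)]


def read_live_userinit():
    """Read the current Userinit data from HKLM (Windows only)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        data, _value_type = winreg.QueryValueEx(key, "Userinit")
    return data


if __name__ == "__main__":
    try:
        userinit_data = read_live_userinit()
    except ImportError:
        # Not on Windows: constructed value shaped like the infected one.
        userinit_data = (r"C:\Windows\System32\userinit.exe,,"
                         r"%ProgramFiles%\hxgxhjmw\pexkrjsn.exe")
    hits = find_suspicious_userinit_entries(userinit_data)
    print("Userinit =", userinit_data)
    for hit in hits:
        print("SUSPICIOUS Userinit entry:", hit)
    if not hits:
        print("Userinit looks clean")
```

A clean value such as "C:\Windows\system32\userinit.exe," yields no hits; the infected value yields the %ProgramFiles% path. Any hit should be paired with a look at the file it points to and at the Startup folder entries listed above, since the malware uses both.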
Spreads via...
Removable drives
Virus:Win32/Ramnit.N spreads by dropping a randomly-named copy of itself on all removable drives, along with a file named "autorun.inf", which is designed to automatically run the malware copy when the drive is accessed, provided AutoRun is enabled. Windows 7 and later do not honour autorun.inf on USB and other non-optical removable drives, and update KB971029 brought the same behaviour to Windows XP and Vista, so this vector only works on systems where AutoRun for removable drives remains enabled.
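When triaging a removable drive, the autorun.inf itself tells you what the malware expected to launch: the [autorun] section's open= and shellexecute= keys and any shell\<verb>\command= keys name the program run on AutoRun or when the verb is chosen from the drive's context menu. The following script is an added example (not part of the original writeup) that parses an autorun.inf and lists those launch entries. The embedded sample file and the executable name "kqzrwtfb.exe" in it are constructed for illustration, not the contents of an actual Ramnit autorun.inf; the parser is written by hand rather than with configparser so that duplicate keys and odd casing, both common in dropped autorun.inf files, are kept rather than rejected.

```python
"""List the launch entries in an autorun.inf dropped on a removable drive.
Added example; the sample file below is constructed, not a real Ramnit drop."""
import os

# Constructed sample in the shape used by autorun worms: open= and
# shell\<verb>\command= all point at the dropped copy.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=kqzrwtfb.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=kqzrwtfb.exe
shell\explore\command=kqzrwtfb.exe
"""


def parse_autorun_inf(text):
    """Minimal INI parser returning (section, key, value) triples.

    Keeps duplicate keys and original key case so nothing is silently
    merged or dropped; section names are lower-cased for matching.
    """
    triples = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            triples.append((section, key.strip(), value.strip()))
    return triples


def is_launch_key(key):
    """True for keys that name a program to run or choose the default verb."""
    k = key.lower()
    if k in ("open", "shellexecute", "shell"):
        return True
    # shell\<verb>\command=... runs when that verb is selected (or is default)
    return k.startswith("shell\\") and k.endswith("\\command")


def find_launch_entries(text):
    """Return (key, value) pairs from [autorun] that launch something."""
    return [(key, value) for section, key, value in parse_autorun_inf(text)
            if section == "autorun" and is_launch_key(key)]


def triage_drive_root(root):
    """Read <root>\\autorun.inf if present and return its launch entries."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    # Dropped autorun.inf files are often padded with junk bytes; do not
    # let an encoding error stop the triage.
    with open(path, "r", errors="replace") as fh:
        return find_launch_entries(fh.read())


if __name__ == "__main__":
    for key, value in find_launch_entries(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {value}")
```

On a live system, call triage_drive_root("E:\\") for each removable drive letter; every launch entry should be matched to the file it names in the drive root, which is the copy to collect and hash.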
File infection
Virus:Win32/Ramnit.N searches for and infects files on the computer with the following extensions:
Payload
Injects code
Virus:Win32/Ramnit.N injects malicious code into certain processes, including but not limited to the following:
- iexplore.exe
- winlogon.exe
- svchost.exe
- services.exe
- lsass.exe
Connects to a remote server
Virus:Win32/Ramnit.N connects to a remote server to download and receive instructions. One particular sample of Virus:Win32/Ramnit.N is known to connect to the following servers:
- ytioghfdghvcfgbgvdf.com
- awrcaverybrstuktdybstr.com
Analysis by Tim Liu