Threat behavior
Virus:Win32/Ramnit.R is a detection for a virus that infects Windows executable files and HTML files, and spreads to removable drives. The virus attempts to open a backdoor and wait for instructions.
Installation
When executed, the virus drops a file as "<file_name>mgr.exe" (for example, "mytestmgr.exe"), where <file_name> is the file name of the infected executable. The dropped file is then executed.
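The drop pattern above gives responders a simple filesystem signal: a directory that holds both "<name>.exe" and "<name>mgr.exe". The script below is an added triage example, not code from Microsoft's write-up; it walks a tree, pairs each executable with a sibling named "<stem>mgr.exe" (case-insensitively), and returns the pairs. The sample tree it builds in a temporary directory is constructed for the demonstration. Treat a hit as a lead, not a verdict: a vendor can legitimately ship foo.exe next to foomgr.exe, so confirm each pair by hashing or scanning the companion file.

```python
"""Hunt for Ramnit-style companion drops: for every <name>.exe, look for a
sibling <name>mgr.exe in the same directory (added example, not Microsoft's code)."""
import os
import tempfile
from pathlib import Path


def find_companion_drops(root):
    """Return (original_exe, companion_exe) path pairs found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare lower-cased names
        by_lower = {f.lower(): f for f in files}
        for low, actual in sorted(by_lower.items()):
            if not low.endswith(".exe"):
                continue
            companion = by_lower.get(low[:-4] + "mgr.exe")  # "mytest" + "mgr.exe"
            if companion is not None:
                hits.append((os.path.join(dirpath, actual),
                             os.path.join(dirpath, companion)))
    return hits


def build_sample_tree(root):
    """Constructed sample layout for the demo; file contents are a dummy MZ stub."""
    layout = {
        "Tools": ["mytest.exe", "mytestmgr.exe", "readme.txt"],      # drop pattern
        "Windows/System32": ["taskmgr.exe", "notepad.exe"],           # benign, no companion
        "Downloads": ["setup.EXE", "setupmgr.exe"],                   # mixed-case match
    }
    for sub, names in layout.items():
        d = Path(root, sub)
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            (d / name).write_bytes(b"MZ")
    return root


def demo():
    """Build the sample tree in a temp dir and return hits as relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return sorted((rel(a), rel(b)) for a, b in find_companion_drops(tmp))


if __name__ == "__main__":
    for original, dropped in demo():
        print(f"{original}  ->  companion {dropped}")
```

Run it against a mounted image or a suspect user profile by calling find_companion_drops with that path instead of the demo tree; the companion file, not the original, is the one to submit for scanning.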
Spreads via…
Infects files
Virus:Win32/Ramnit.R drops Trojan:Win32/Ramnit.gen!A, which in turn injects a DLL that infects Windows executables and HTML files.
Payload
Allows backdoor access and control
When Virus:Win32/Ramnit.R drops Trojan:Win32/Ramnit.gen!A, the trojan creates a backdoor by connecting to a remote server. Using this backdoor, a remote attacker can instruct the affected computer to download and execute files.
See the description for Virus:VBS/Ramnit.A for more details on how the malware downloads and executes arbitrary files.
Injects code
The virus starts the default web browser as a hidden process (invisible to the user) and injects code into it. The file infection and backdoor functionality then run in the context of the browser process, presumably so that the malware's network traffic appears to come from a browser that firewall rules already allow to connect out.
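Because the backdoor traffic comes from a real browser executable, blocking on process name is useless; the useful signal is the browser's parent. The following detection logic is an added example, not part of Microsoft's description: it takes Sysmon-style process-create (Event ID 1) and network-connect (Event ID 3) records, flags any browser process whose parent is not one of the expected interactive launchers, and collects the outbound connections that flagged process then makes. The event records and IP addresses are constructed for the demonstration, and the EXPECTED_PARENTS allowlist is an assumption that must be tuned per environment.

```python
"""Flag browsers launched by an unexpected parent and list their outbound
connections (added example, not Microsoft's code). Input records mimic Sysmon
Event ID 1 (process create) and Event ID 3 (network connect) fields."""

BROWSER_EXES = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
# Parents from which an interactive browser launch is expected. Assumption:
# extend with whatever launchers (shortcuts, helpdesk tools) exist in your estate.
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe"} | BROWSER_EXES

# Constructed sample log; pids, paths and addresses are not from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentProcessId": 3388, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5204, "Image": r"C:\Users\alice\Desktop\mytestmgr.exe",
     "ParentProcessId": 5188, "ParentImage": r"C:\Users\alice\Desktop\mytest.exe"},
    {"EventID": 1, "ProcessId": 5216, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentProcessId": 5204, "ParentImage": r"C:\Users\alice\Desktop\mytestmgr.exe"},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 5216, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_browser_launches(events):
    """Return one record per browser process with an unexpected parent.

    Events must be in chronological order so that connections are attributed
    to the process-create record that preceded them (pid reuse is not handled).
    """
    suspicious = {}  # pid -> finding
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1 and _basename(ev["Image"]) in BROWSER_EXES:
            parent = _basename(ev["ParentImage"])
            if parent not in EXPECTED_PARENTS:
                suspicious[pid] = {
                    "pid": pid,
                    "image": ev["Image"],
                    "parent_pid": ev["ParentProcessId"],
                    "parent_image": ev["ParentImage"],
                    "connections": [],
                }
        elif ev["EventID"] == 3 and pid in suspicious:
            suspicious[pid]["connections"].append(
                (ev["DestinationIp"], ev["DestinationPort"]))
    return list(suspicious.values())


if __name__ == "__main__":
    for finding in find_suspicious_browser_launches(SAMPLE_EVENTS):
        print(f"pid {finding['pid']} {finding['image']} launched by "
              f"{finding['parent_image']} (pid {finding['parent_pid']}); "
              f"connections: {finding['connections']}")
```

On the sample log only the browser spawned by mytestmgr.exe is reported; the one started from explorer.exe is ignored even though both connect out on port 443, which is exactly why the parent, not the destination, carries the signal here.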
Analysis by Dan Kurc
Prevention