W32/Ramnit.a

This page contains a detailed analysis of W32/Ramnit.a. To remove this virus, follow the removal guide below.

W32/Ramnit.a is a self-replicating virus. It usually propagates over unsecured network connections and through removable media such as USB flash drives, writable CDs and external hard disk drives. W32/Ramnit.a also spreads by infecting files on shares in a networked environment.

Alias: Type_Win32, Win32/Zbot.A, W32/Infector.Gen2, Win32/Ramnit.A, Win32.Rmnet, W32.Infector, W32/Patched-I, PE_RAMNIT.A

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
When executed, W32/Ramnit.a drops a file with a randomly generated name that contains the string “Mgr.exe” or “Srv.exe” and then runs that file, which in turn infects other executables it finds on the system. The virus can also infect files with the .HTML and .HTM extensions.
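As an added illustration (not from the original page or from any vendor's tool), the following Python script turns the indicators described above into a triage check: it records hashes of executables and HTML files while a system is known clean, then later reports files whose contents changed, files that are new, and file names containing “Mgr.exe” or “Srv.exe”. It is written to be run from a clean analysis host against the suspect drive mounted read-only (an assumption about how it would be used, not something the page states); the directory tree, file contents and the hypothetical name qkzwMgr.exe inside demo() are constructed for the demonstration only.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types the page says W32/Ramnit.a infects: executables plus .htm/.html.
INFECTABLE_EXTS = {".exe", ".dll", ".htm", ".html"}
# Dropped-file naming described on the page: a random name containing "Mgr.exe" or "Srv.exe".
DROPPER_MARKERS = ("mgr.exe", "srv.exe")


def sha256_of(path):
    """Stream-hash a file so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the hash and size of every infectable file under root.
    Take this while the system is known clean (e.g. right after install)."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in INFECTABLE_EXTS:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def looks_like_dropper(name):
    """Name heuristic from the page; a lead for manual review, not proof of infection."""
    lowered = name.lower()
    return any(marker in lowered for marker in DROPPER_MARKERS)


def triage(root, baseline):
    """Compare the current tree with the baseline. A file infector leaves
    executables/HTML *modified* rather than merely present, so hash changes are
    the primary signal; new files and dropper-like names are secondary leads."""
    root = Path(root)
    findings = {"modified": [], "new": [], "dropper_names": [], "missing": []}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if looks_like_dropper(p.name):
            findings["dropper_names"].append(rel)
        if p.suffix.lower() not in INFECTABLE_EXTS:
            continue
        seen.add(rel)
        if rel not in baseline:
            findings["new"].append(rel)
        elif sha256_of(p) != baseline[rel]["sha256"]:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(baseline) - seen)
    for key in findings:
        findings[key].sort()
    return findings


def demo():
    """Constructed example: a small clean tree, a baseline, then changes that
    mimic what the page describes (modified .exe and .html, a dropped *Mgr.exe).
    The bytes written here are placeholders, not Ramnit code."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "Program Files" / "App"
        app.mkdir(parents=True)
        (app / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "www").mkdir()
        (root / "www" / "index.html").write_text("<html><body>hello</body></html>")
        (root / "notes.txt").write_text("not an infectable type")

        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")

        # Simulated infection (constructed): an existing executable and an HTML
        # file are altered, and a file with a dropper-style name appears.
        with open(app / "app.exe", "ab") as f:
            f.write(b"\x90" * 16)
        with open(root / "www" / "index.html", "a") as f:
            f.write("<!-- appended -->")
        (app / "qkzwMgr.exe").write_bytes(b"MZ")

        return triage(root, load_baseline(root / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A hash mismatch on an executable or HTML file is the strong signal here, because a file infector alters files that were already present; the name heuristic by itself will flag any legitimate program whose name happens to contain those strings, so use it only to prioritise files for inspection with the scanner.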

Once running, W32/Ramnit.a opens a backdoor and connects to a remote server so that an attacker can take control of the compromised computer. It then waits for further commands from the attacker.

The virus injects malicious code into the default web browser and uses that process to bypass Windows Firewall and other security programs: because the outbound traffic originates from the browser, a firewall rule that simply allows the browser does not block it.

Some infected machines display an error when the virus's injected code conflicts with another program, such as the following error report:

(Screenshot: Error Report)

Distribution
Viruses self-replicate. Infections commonly propagate across unsecured computer networks or by copying the virus to removable media such as USB drives, writable discs and memory sticks. Viruses can also spread by infecting shared files within a network.

How to Remove W32/Ramnit.a

1. Temporarily disable System Restore (Windows Me/XP). Note that turning System Restore off discards all existing restore points, so if you intend to try the System Restore option described later on this page, use it before this step.
2. Update your antivirus application's virus definition file so that it can identify even the most recent variants of W32/Ramnit.a.

3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 repeatedly.
- When the Windows Advanced Boot Options menu appears, select Safe Mode with Networking.
- Windows will boot loading only the necessary drivers and files.

4. Open your antivirus program and run a full system scan. Because W32/Ramnit.a is a file infector, prefer the scanner's clean/repair action for infected executables and HTML files; deleting them removes the legitimate file along with the virus. Quarantine anything that cannot be cleaned. Once the scan is complete, proceed to the next step.

Scan with McAfee Stinger:

Stinger is a portable scanner that detects and removes a specific set of viruses. It includes process scanning and scan optimisations, but it is a supplement to, not a replacement for, a full antivirus product.

5. Go to the McAfee Labs Stinger web page, download the tool and save it to your desktop.
6. Once the download completes, double-click the file to run the program.
7. The Stinger main window will open.
8. The default scan target is the system drive (C:\). To scan additional drives, click Add.
9. Click Scan Now to begin scanning the selected drives.
10. Stinger will scan and repair or delete the infected files it finds.
11. When it finishes, close McAfee Stinger and restart Windows in normal mode.

Alternative Removal Method for W32/Ramnit.a

Option 1 : Use Windows System Restore to return Windows to previous state

If W32/Ramnit.a has entered the computer, there is a good chance that Windows files, registry entries and other essential components are also infected. System Restore can roll the system configuration back to an earlier date, replacing compromised system files with clean copies. If you have a restore point saved from before W32/Ramnit.a infiltrated the PC, and none of the steps above worked, we encourage you to try this procedure. Keep in mind that restore points created after the infection are themselves untrustworthy, and that disabling System Restore (step 1 above) deletes existing restore points, so use this option before that step if you plan to rely on it. The full Windows System Restore procedure is described separately.