W32/Ramnit.a is a self-replicating virus. It usually propagates via unsecured network connections and removable media, including USB flash drives, writable CDs and external hard disk drives. W32/Ramnit.a also spreads by infecting files on the system that are shared in a network environment.
Alias: Type_Win32, Win32/Zbot.A, W32/Infector.Gen2, Win32/Ramnit.A, Win32.Rmnet, W32.Infector, W32/Patched-I, PE_RAMNIT.A
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
When executed, W32/Ramnit.a drops a file with a randomly generated name that contains the string “Mgr.exe” or “Srv.exe”. It then executes that file, which infects other executables it finds on the system. The virus can also infect files that have .HTML and .HTM extensions.
Once loaded and running, W32/Ramnit.a creates a backdoor and connects to a remote server, allowing a remote attacker to gain control of the compromised computer. It then waits for further tasks that the remote attacker may perform on the PC.
The virus can inject malicious code into the default Internet browser, and it uses this method to bypass the Windows firewall and other security programs.
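The dropped-file name pattern and the HTML/HTM infection described above can be turned into a quick triage pass over a mounted disk image or share. The following is an added example, not part of the original write-up: the function names, the one-hour time window and the `KNOWN_GOOD` allowlist are assumptions, and the sample files are constructed.

```python
import hashlib
import os
import re
import tempfile

# From the description above: the dropped file's name contains "Mgr.exe" or "Srv.exe".
DROPPER_NAME = re.compile(r"(mgr|srv)\.exe$", re.IGNORECASE)
# Assumption: legitimate Windows binaries whose names also match; extend as needed.
KNOWN_GOOD = {"taskmgr.exe"}


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def triage(root, window_seconds=3600):
    """Return (dropper candidates, HTML files changed near a candidate's mtime)."""
    candidates, html_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            mtime = os.path.getmtime(path)
            if DROPPER_NAME.search(lower) and lower not in KNOWN_GOOD:
                # A name match is only a lead; the hash lets an analyst confirm it.
                candidates.append({"path": path, "mtime": mtime, "sha256": sha256_of(path)})
            elif lower.endswith((".htm", ".html")):
                html_files.append((path, mtime))
    # Heuristic (assumption, not from the page): HTML files modified within the
    # window around a candidate's timestamp are the first ones to inspect.
    review = sorted(p for p, m in html_files
                    if any(abs(m - c["mtime"]) <= window_seconds for c in candidates))
    return candidates, review


def demo():
    """Run triage over a constructed sample tree; returns matched base names."""
    t0 = 1_700_000_000  # constructed timestamp
    samples = {"qxvtaSrv.exe": t0, "taskmgr.exe": t0, "index.html": t0 + 60,
               "old.htm": t0 - 30 * 86400, "notes.txt": t0}
    with tempfile.TemporaryDirectory() as root:
        for name, mtime in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample content")
            os.utime(path, (mtime, mtime))
        candidates, review = triage(root)
        return ([os.path.basename(c["path"]) for c in candidates],
                [os.path.basename(p) for p in review])
```

Call `triage()` on the root of the volume under examination; every hit still needs confirmation with an up-to-date scanner, since file names and timestamps alone prove nothing.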
Some infected machines may display an error if the Trojan’s embedded code conflicts with other programs. Here is a sample error message.
Viruses self-replicate. Infections are commonly propagated over unsecured computer networks or by transmitting the virus to removable media devices such as USB drives, writable discs and memory sticks. Viruses can also spread by compromising shared system files within a network.