W32.Ramnit.B
W32.Ramnit.B is a computer worm that will spread itself by creating a copy on removable USB drives. W32.Ramnit.B also scans local drives for .exe, .dll and .html files. When found, it appends these files with an encrypted payload. The worm will create a back door that will allow distant attacker to carry out malicious actions. It uses rootkit techniques to hide its presence and monitor network traffic of the compromised computer.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
W32.Ramnit.B loads by means of removable media devices. When it runs, the worm will create a copy it itself inside the target computer. It may utilize the Autorun function of Windows to execute the worm when accessing the drive or exploit certain weakness on the operating system. Whatever method that materialized to launch the worm, it will create a mutex called INTEL_CEDR_STORE to make sure that only once instance is running.
Then, the worm will create several files under Program Files and User Profile. It will look for presence of removable USB drives and when found, the worm will drop a copy of itself. Accompanying those items is an Autorun.inf file that launches the threat when drive is accessed. Please see Associated Files area for the complete list.
To configure automatic start-up, W32.Ramnit.B will add registry entries. The worm will start on every time Windows starts. A backdoor is essential so that remote attacker can control the infected computer. After opening this transmission protocol, remote attacker may have full access to perform malicious actions on the PC.
- Upload and download files
- Capture screen shots
- Update the worm
- Scan traces of user name and passwords from Internet browser cookies
- Clear the cookies
- The most deadly payload that W32.Ramnit.B can bring to a computer is making it unusable. W32.Ramnit.B can destroy the whole operating system simply by deleting essential files.
Distribution
W32.Ramnit.B spreads through spam email messages and unsecured peer-to-peer connections. Once inside the computer, it attempts to propagate by infecting removable drives like USB Flash Drive, External Hard Drives and Memory Sticks. It may also inject malicious VBS script to .HTML files that operates will fetch more threats when executed.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24C2&SUBSYS_013A1028&REV_01\3&172e68dd&0&E8\Device Parameters\"DetectedLegacyBIOS" = "1"Associated Files and Folders:
%UserProfile%\Start Menu\Programs\Startup\[RANDOM CHARACTERS].exe %UserProfile%\[RANDOM CHARACTERS].log %SystemDrive%\Program Files\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe %ProgramFiles%\Microsoft\WaterMark.exe %System%\dmlconf.dat %DriveLetter%\RECYCLER\S-6-8-78-6074043183-3137731366-826674213-1246\MncLksUtf.exe %DriveLetter%\RECYCLER\S-6-8-78-6074043183-3137731366-826674213-1246\olsYndUp.cpl %DriveLetter%\autorun.inf %DriveLetter%\Copy of Shortcut to (1).lnk %DriveLetter%\Copy of Shortcut to (2).lnk %DriveLetter%\Copy of Shortcut to (3).lnk %DriveLetter%\Copy of Shortcut to (4).lnk
How to Remove W32.Ramnit.B
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of W32.Ramnit.B, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will boot Windows loading only necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.
Scan with Norton Power Eraser:
Additional virus removal tool provides deep scanning technology to eliminate other threats not detected by a normal virus scan. Use this tool with extra caution.
5. Go to this link and download Norton Power Eraser.
6. Once the download completes, double click on the file NPE.exe to run the program.
7. It will prompt for End User License Agreement, click on Accept to continue.
8. On NPE main window, click on Scan. Then select Exclude Rootkit Scan. Click on Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.
Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in Detected category are necessary to remove at this point. Make sure that you mark the Create System Restore Point before proceeding with the fix.
10. Now click on Fix to start removing the threats including W32.Ramnit.B remnants if there are any.
11. When done, the tool will restart the computer. Then after a reboot, it will initialize and display the eliminated threats.
12. You may now close the program.