Virus.VBS.Ramnit.a

by alexander.adamov on May 14th, 2012 in Malware Descriptions.

Platform: Win32
Type: Virus
Size: 176309 bytes
Language: Visual Basic Script

Summary

This virus is designed to install a Trojan on the victim machine without the user's knowledge or consent.

Technical Details

Payload

The malicious script runs when an infected page is opened in the browser. The script extracts a file from its body and saves it to the current user's Windows temporary folder under the following name:

%Temp%\svchost.exe

The file is 86016 bytes in size and is a Trojan program.

The virus then launches the file and finishes its work.

Once launched, the Trojan copies the system libraries "ntdll.dll" and "kernel32.dll" to the current user's Windows temporary folder under names of the following form:

%Temp%\~TM<rnd>.tmp

where <rnd> is a random number.

Once the Trojan has obtained the information it needs from these copies, it deletes them.

To detect the default browser, the Trojan then reads the value of the following registry key:

[HKCR\http\shell\open\command]
"(Default)"

If Google Chrome is set as the default browser, the Trojan launches it as a hidden process and injects its code into that process's address space. If another browser is set as default, the Trojan launches a hidden process called "iexplore.exe" instead.

The code injected by the Trojan searches for all HTML pages available on the user's PC and infects them by appending a malicious script to the end of each file.

In addition, the Trojan copies its executable file as follows:

%ProgramFiles%\<rnd>\<rnd>.exe

where <rnd> is a string of 8 random letters of the Latin alphabet.

To ensure it starts when the compromised machine is rebooted, the Trojan changes the value of the following registry key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%WinDir%\system32\userinit.exe,,%ProgramFiles%\<rnd>\<rnd>.exe"
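As an added illustration, not part of the original description, the following Python audit splits a Userinit value into its entries and flags anything other than the stock userinit.exe, additionally marking entries that follow the %ProgramFiles%\<rnd>\<rnd>.exe shape described above. The sample value, the 8-letter folder and file names, and the assumption that the system root expands to C:\Windows are constructed for the example.

```python
import re
import sys
from typing import List, Optional

# Path shape described for the dropped copy: %ProgramFiles%\<8 letters>\<8 letters>.exe
# (expanded "C:\Program Files" accepted as well; the 8-letter length is taken from the text).
RAMNIT_COPY_RE = re.compile(
    r"^(%programfiles%|[a-z]:\\program files)\\[a-z]{8}\\[a-z]{8}\.exe$", re.IGNORECASE
)

def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value; ',,' yields empty fields that are dropped."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]

def is_stock_userinit(entry: str) -> bool:
    """True if the entry is the legitimate userinit.exe, literal or with %WinDir% expanded."""
    normalized = entry.strip('"').lower()
    for var in ("%windir%", "%systemroot%"):
        normalized = normalized.replace(var, r"c:\windows")  # assumed stock system root
    return normalized == r"c:\windows\system32\userinit.exe"

def matches_ramnit_copy(entry: str) -> bool:
    """True if the entry follows the %ProgramFiles%\\<rnd>\\<rnd>.exe pattern from the description."""
    return RAMNIT_COPY_RE.match(entry.strip('"')) is not None

def audit_userinit(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe; anything else is suspect."""
    return [entry for entry in split_userinit(value) if not is_stock_userinit(entry)]

def read_userinit_from_registry() -> Optional[str]:
    """Read the live Userinit value; returns None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    key_path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value

if __name__ == "__main__":
    # Constructed sample mirroring the modified value above, with <rnd> replaced by 8 letters.
    sample = r"%WinDir%\system32\userinit.exe,,%ProgramFiles%\qwertyui\asdfghjk.exe"
    live = read_userinit_from_registry()
    for entry in audit_userinit(live if live is not None else sample):
        tag = "ramnit-like path" if matches_ramnit_copy(entry) else "unexpected entry"
        print(f"{tag}: {entry}")
```

On a Windows host the script audits the live registry value; elsewhere it falls back to the constructed sample so the logic can be exercised offline.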

In addition, the Trojan communicates with the intruder's server at the following network address:

66.***.49.83:443

Removal Recommendations

  1. Delete the original virus file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
  2. Delete the following files:
     %Temp%\svchost.exe
     %ProgramFiles%\<rnd>\<rnd>.exe
  3. Change the registry key value to the following (How to Work with System Registry):
     [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
     "Userinit" = "%WinDir%\system32\userinit.exe,,"
  4. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  5. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).