Win32/RAMNIT.A Anyone?

16 views
Skip to first unread message

David Kaye

unread,
Jul 27, 2010, 12:51:56 AM7/27/10
to
Sorry about the crosspost to ba.internet, but I know there are malware experts
out there.

Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
time removing it. The only tool the detects it consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it.

I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I can't
figure out what's launching it.

I have eliminated one rootkit and subsequent scans show no more rootkits.
This thing has dropped startup payloads into the StartUp folder, into the Run
keys, into Prefetch, and it masquerades as everything from random 4-letter
clusters to names like "Microsoft Suite", etc.

It also captures the date when Windows was first installed, so I can't
reliably search for the thing via date, either.

Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
the infections are in everything from drivers to executables in all kinds of
directories.

At the moment I'm running the computer in safe mode with no Internet and MSSE
is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I
go back into regular mode and get an Internet connection back up it'll start
infecting again.

Oh, and I've reset the Winsock stack twice just in case there's a little
wedgie in there. Still comes back.

Any help would be most appreciated. You can reach me directly by email. The
address is valid.

Thanks.

Roy

unread,
Jul 27, 2010, 12:58:23 AM7/27/10
to David Kaye

A friend of mine that does virus removal as part of his business swears
by MalwareBytes


http://www.malwarebytes.org/mbam.php

David Kaye

unread,
Jul 27, 2010, 1:27:55 AM7/27/10
to
Roy <aa...@aa4re.ampr.org> wrote:

>A friend of mine that does virus removal as part of his business swears
>by MalwareBytes

I do this professionally as well. I asked *specifically* for comments from
people who have *experience* with this threat. I used MalwareBytes
Antimalware several times including the complete disk scan for 2 1/2 hours.
It did not detect anything.

Again, I'm interested in hearing only from people who have *experience* with
Win32.Ramnit.A

Thank you.

David H. Lipman

unread,
Jul 27, 2010, 6:07:52 AM7/27/10
to
From: "David Kaye" <sfdavi...@yahoo.com>

| Thanks.


What is the fully qualified name and path to the file deemed infected with RAMNIT.A and
did you capture a copy of this malware ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


David Kaye

unread,
Jul 27, 2010, 6:37:03 AM7/27/10
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>What is the fully qualified name and path to the file deemed infected with
> RAMNIT.A and
>did you capture a copy of this malware ?

There are a bunch of folders named such things as FUEM and AVAX, with exes
under them with randomly generated 4 and 5 character letters. These are under
the user's temp folder. They do not occur when using the admin account.

Additionally, there is a folder under Program Files with the name Microsoft,
and the exe is called Desktoplayer.exe. This exe is launched via the same
registry entry that launches UserInit.

Reducing the string so that it launches only UserInit and removing the files
mentioned here under safe mode won't stop them from being re-created the next
time I boot into regular mode.

I removed MSSE and installed Avast instead because MSSE kept noting the
infections, dealt with them, and then more kept appearing seconds later.
Under Avast, a 2-hour scan revealed 4300 infected files. I couldn't move them
all to quarantine so I had to erase some. Unfortunately, this affected some
critical app files (not Windows OS files, though). So, Firefox crashes, IE
wants the Office install disk, Picassa hangs, etc.

Also, the Explorer search feature has the doggie but no text boxes for
searching, and menu items are missing.

Thus, it looks like the OS is hosed, so I'll have to reinstall. Only trouble
is that this customer has a boatload of Word docs, spreadsheets, jpgs, mp3s
and whatnot. I'm hoping that the docs and xls's aren't infected with malware
macros.

This problem was first talked about in January apparently at Trend, but I
don't see much else in reference to it until 3 days ago, and there are a bunch
of forums where people are getting this infection. So, it looks like we're
right at the cusp of a major outbreak.

It's annoying as hell. In over 8 years of doing malware repair this is in the
top 2 for awfulness.

I think the customer got the infection via maybe Limewire, a torrent or
the Bang Bros porn website (or maybe from a link to it) because the logs
indicate similar datestamps to the first date stamps on the malware.

Oh, and the first thing I did was manually roll back the registry using a CD
boot disk. There were about 3 dozen entries. I rolled it back about halfway
(about 15 restore points) earlier, which took it to July 13. So, the
infection must have been there prior to that. When I went back to manually
roll back further, I noticed that the malware had deleted every restore point
(snapshot) except the latest 3. I ran an undelete CD on it and couldn't find
where the other restore points went, so they were probably overwritten.

I'm going to bed.

Virus Guy

unread,
Jul 27, 2010, 8:06:23 AM7/27/10
to
David Kaye wrote:

> Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
> devil of a time removing it.

If at all physically possible, the standard proceedure for insuring that
any hard drive is free of malware (trojans, viruses, rootkits, spyware,
etc) is to remove the drive and connect it as a slave to a known/good
computer that has competent anti-malware software on it.

The suspect drive can then be scanned in a way that insures that any
malware on it is not operational and therefore not actively thwarting
the scanning and file-quarantine processes in any way.

jcdill

unread,
Jul 27, 2010, 11:53:48 AM7/27/10
to
David Kaye wrote:
> Sorry about the crosspost to ba.internet, but I know there are malware experts
> out there.
>
> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?

No experience, but if I were in your shoes I'd start here:

<http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

jc

~BD~

unread,
Jul 27, 2010, 1:09:22 PM7/27/10
to

I saw no answer to the 'Question' - but I did copy and paste the HJT log
into www.hijackthis.de - there were six questionable entries highlighted.

David Kaye

unread,
Jul 27, 2010, 4:27:38 PM7/27/10
to
jcdill <jcdill...@gmail.com> wrote:

>No experience, but if I were in your shoes I'd start here:
>
><http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

Been there, done that. Thanks anyway. I'm reinstalling Windows and the
programs this afternoon. I hate to do that. Oh well.

David Kaye

unread,
Jul 27, 2010, 4:33:46 PM7/27/10
to
Virus Guy <Vi...@Guy.com> wrote:

>If at all physically possible, the standard proceedure for insuring that
>any hard drive is free of malware (trojans, viruses, rootkits, spyware,
>etc) is to remove the drive and connect it as a slave to a known/good
>computer that has competent anti-malware software on it.

Already did that. Jeez, you guys are no help whatsoever. Thanks for nothing,
friends. The only responses I've gotten are about things I've already done.
As stated here earlier, I am a professional who has been doing this stuff for
8+ years. This is why I've asked specifically for someone who has experience
with THIS PARTICULAR infestation.

David H. Lipman

unread,
Jul 27, 2010, 4:35:40 PM7/27/10
to
From: "jcdill" <jcdill...@gmail.com>

| <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

The problem is that may not be the same based upon the !HTML suffix which infers HTML code
and possibly exploitation rather than the actual infection.

David H. Lipman

unread,
Jul 27, 2010, 4:43:07 PM7/27/10
to
From: "David Kaye" <sfdavi...@yahoo.com>

| Virus Guy <Vi...@Guy.com> wrote:


Then Dave, state what you have done when you make an intial post!

David Kaye

unread,
Jul 27, 2010, 5:07:55 PM7/27/10
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>
>Then Dave, state what you have done when you make an intial post!

I've already stated most of what I've done in two previous posts. I've been
posting in these newsgroups for some time, so people are well aware that I'm
not a newbie to this stuff.

I'm not looking for speculation, I'm looking for real experience with this
specific infection, since it's very different from anything I've encountered
before.

I'm surprised that nobody here has seen it before. Does this mean that I'm
the only one who sees these kinds of things? If so, does that mean that most
of the people on here have no real-world experience with malware? That's what
the situation appears to be so far.

Sure you, David, must have experienced Win32/Ramnit.A in the 6 months since it
launched. Or instead of being behind the curve on this infection, I'm
actually far ahead of the curve?

Steve Pope

unread,
Jul 27, 2010, 5:20:53 PM7/27/10
to
David Kaye <sfdavi...@yahoo.com> wrote:

>I'm not looking for speculation, I'm looking for real experience with this
>specific infection, since it's very different from anything I've encountered
>before.

>I'm surprised that nobody here has seen it before. Does this mean that I'm
>the only one who sees these kinds of things? If so, does that mean that most
>of the people on here have no real-world experience with malware? That's what
>the situation appears to be so far.
>
>Sure you, David, must have experienced Win32/Ramnit.A in the 6 months since it
>launched.

It may be that MSE calls it "Ramnit.A", but other products have
different names for it which is why nobody has seen it.

Steve

~BD~

unread,
Jul 27, 2010, 6:01:14 PM7/27/10
to

David H. Lipman

unread,
Jul 27, 2010, 7:02:39 PM7/27/10
to
From: "David Kaye" <sfdavi...@yahoo.com>


I have never heard of the "Ramnit" trojan. But, there are 100's of thousands out there
and it isn't a major family/player.

I was actually hoping you may have had a sample you could have uploaded to http://www.uploadmalware.com/

BTW: I re-read this thread. Nowhere did I see anything about the removal of the hard
disk and scanning it with a surrogate platform as suggested by Virus Guy. Whiles this can
have drawbacks, it does have the propensity of removing protected malware.

FromTheRafters

unread,
Jul 27, 2010, 8:02:51 PM7/27/10
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i2nfo...@news4.newsguy.com...

> From: "jcdill" <jcdill...@gmail.com>
>
> | David Kaye wrote:
>>> Sorry about the crosspost to ba.internet, but I know there are
>>> malware experts
>>> out there.
>
>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?
>
> | No experience, but if I were in your shoes I'd start here:
>
> |
> <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
>
> The problem is that may not be the same based upon the !HTML suffix
> which infers HTML code
> and possibly exploitation rather than the actual infection.

It's a shame he couldn't provide you with a sample. His description of
symptoms doesn't exactly match up with what this malware is/does. This
could be new malware worm dropping ramnit.a as it finds new systems.


Steve Pope

unread,
Jul 27, 2010, 8:39:25 PM7/27/10
to
~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote:

>Steve Pope wrote:

>> It may be that MSE calls it "Ramnit.A", but other products have
>> different names for it which is why nobody has seen it.

>You are right, Steve!
>
>http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

That could help the OP. Looks like the virus is a month or so old.
It may not be the same morph that Sophos can clean, but it's a start.

Steve

Ant

unread,
Jul 27, 2010, 8:44:30 PM7/27/10
to
"David H. Lipman" wrote:

> I have never heard of the "Ramnit" trojan. But, there are 100's of
> thousands out there and it isn't a major family/player.

Symantec wrote something about it in Jan this year. Apparently, it's a
worm that spreads through removable drives and infects executables (so
it's also a virus). Copies itself to the recycle bin and creates
autorun.inf files on all drives.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99

The Ramnit!html and Ramnit!inf designations were for html and inf
files infected by Ramnit.

What D. Kaye has is possibly a new variant.

> I was actually hoping you may have had a sample you could have
> uploaded to http://www.uploadmalware.com/

Yes, if a sample was available I could probably discover exactly what
it did (given a little time). Anyway, since so many infected files
were reported in an earlier post it's just as well he's doing a wipe
and reinstall.


David H. Lipman

unread,
Jul 27, 2010, 9:07:23 PM7/27/10
to
From: "Ant" <n...@home.today>

| "David H. Lipman" wrote:

| http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99


Roger that - and thanx Ant.

David Kaye

unread,
Jul 27, 2010, 9:08:29 PM7/27/10
to
"FromTheRafters" <err...@nomail.afraid.org> wrote:

>It's a shame he couldn't provide you with a sample. His description of
>symptoms doesn't exactly match up with what this malware is/does. This
>could be new malware worm dropping ramnit.a as it finds new systems.

What kind of sample? A sample of the malware? I'm loathe to provide that; I
don't want to be responsible for infecting any computers. I've already given
some filenames and directories.

But regardless of what names I provide, there is still something being
launched that I'm unaware of that is rebuilding the files I see. As
previously stated, I've removed the HD, scanned it for rootkits and malware
and reinstalled it and the stuff comes back.

Well, folks, thanks anyway. I'm just going to reinstall Windows, something I
seldom have to do. It's got me beat and I can't spend any more time on this
issue. I'm backed up in work again.

David Kaye

unread,
Jul 27, 2010, 9:30:29 PM7/27/10
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>I have never heard of the "Ramnit" trojan. But, there are 100's of thousands
> out there
>and it isn't a major family/player.

I wouldn't call it a trojan at this point because I don't know that it was
masquerading as anything else. It never showed a user interface. The
symptoms were hosed Internet connections, redirects, and excessive HD access.

It is either a virus or a worm. I can't figure out when it was originally
downloaded because some executables took on the date/time the OS was
originally installed, but I suspect it was concurrent with a Limewire or a
torrent connection of some kind, judging by the log files.

David Kaye

unread,
Jul 27, 2010, 9:33:38 PM7/27/10
to
"Ant" <n...@home.today> wrote:

>Symantec wrote something about it in Jan this year. Apparently, it's a
>worm that spreads through removable drives and infects executables (so
>it's also a virus). Copies itself to the recycle bin and creates
>autorun.inf files on all drives.

That's what they said in January, but this didn't act that way. I tested with
a stick and it didn't even see it. It also appears to be looking for exe and
dll files and attaches itself to them. MSSE apparently was able to remove the
attachments, but Avast couldn't. Those were the only two anti-malware
programs that even saw this.

>Yes, if a sample was available I could probably discover exactly what
>it did (given a little time). Anyway, since so many infected files
>were reported in an earlier post it's just as well he's doing a wipe
>and reinstall.

Unfortunately that's where I'm going to have to go, or at least reinstall the
OS.

David H. Lipman

unread,
Jul 27, 2010, 9:39:42 PM7/27/10
to
From: "David Kaye" <sfdavi...@yahoo.com>

| "FromTheRafters" <err...@nomail.afraid.org> wrote:


Providing a sample of malware to http://www.uploadmalware.com/ will *NOT* cause more
computers to be infected.
On the contrary, people who have access to the files are experienced at handling malware.
The culmination of all submissions get distributed to the listed anti malware companies.

Therefore, sample submission to UploadMalware leads to greater recognition of submitted
samples.

Vendor list:
http://www.uploadmalware.com/vendors.php

russg

unread,
Jul 27, 2010, 10:12:32 PM7/27/10
to
snip stuff about experienced posters only.

I come here to learn, and there are some experts here. The OP
considers himself an expert and only wants
talk to experts. I would say his final approach of wiping and re-
installing the OS (which he didn't mention),
but first trying to save .docs, mp3 and other important files, is the
only solution. I learned that RAMNIT.A
is a PE infector, infects other known files, like IE. Here's some
info at sophos.com:

http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

The OP knows the name of the malware, so he must have submitted a
sample somewhere.

David H. Lipman

unread,
Jul 27, 2010, 10:21:35 PM7/27/10
to
From: "russg" <russ...@sbcglobal.net>

| http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=
| rss

From Dave's first post...


"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
time removing it. The only tool the detects it consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it."

He didn't submit a sample somewhere, MSE scanned the system, detected it
(Win32/RAMNIT.A ), but MSE failed to full remove and clean the system of it. Dave also
indicated he tried Avast to no avail.

FromTheRafters

unread,
Jul 27, 2010, 10:38:56 PM7/27/10
to
"David Kaye" <sfdavi...@yahoo.com> wrote in message
news:i2nvud$mfo$4...@news.eternal-september.org...

> "FromTheRafters" <err...@nomail.afraid.org> wrote:
>
>>It's a shame he couldn't provide you with a sample. His description of
>>symptoms doesn't exactly match up with what this malware is/does. This
>>could be new malware worm dropping ramnit.a as it finds new systems.
>
> What kind of sample? A sample of the malware? I'm loathe to provide
> that; I
> don't want to be responsible for infecting any computers. I've
> already given
> some filenames and directories.

Yes, it's clear you have some nasty malware running. It looks like lots
of it goes undetected except the noted ramnit.a.

> But regardless of what names I provide, there is still something being
> launched that I'm unaware of that is rebuilding the files I see.

If I understood the sources I've read, this malware modifies executable
files with the effect of making them "droppers". It could be a new worm
has now adopted that function and you are seeing detections of the
modified files but not the program that's modifying them.

> As
> previously stated, I've removed the HD, scanned it for rootkits and
> malware
> and reinstalled it and the stuff comes back.
>
> Well, folks, thanks anyway. I'm just going to reinstall Windows,
> something I
> seldom have to do. It's got me beat and I can't spend any more time
> on this
> issue. I'm backed up in work again.

You were probably doomed from the get-go to have to flatten and rebuild.
Too many unknowns.


TBerk

unread,
Jul 27, 2010, 10:55:56 PM7/27/10
to

David,

READ & RUN ME FIRST. Malware Removal Guide
http://forums.majorgeeks.com/showthread.php?t=35407

Haven't yet found the beastie this procedure wouldn't clean w/o
reformatting a drive.

If I have time, I go though with it. if It's more expedient to wipe
the drive I just harvest data, and reinstall the OS. But I prefer the
'thrill of the hunt' so to speak.


TBerk

Buffalo

unread,
Jul 27, 2010, 11:09:55 PM7/27/10
to

David Kaye wrote:
> Roy <aa...@aa4re.ampr.org> wrote:
>
>> A friend of mine that does virus removal as part of his business
>> swears by MalwareBytes
>
> I do this professionally as well. I asked *specifically* for
> comments from people who have *experience* with this threat. I used
> MalwareBytes Antimalware several times including the complete disk
> scan for 2 1/2 hours. It did not detect anything.
>
> Again, I'm interested in hearing only from people who have
> *experience* with Win32.Ramnit.A
>
> Thank you.

Well, have you tried PC Butts' Remove-it software?

Whee Haw!!!
Buffalo


RJK

unread,
Jul 28, 2010, 2:17:40 AM7/28/10
to
 
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:i2o47...@news2.newsguy.com...
Having cast my eye through this post, I think I would have given PrevX a go :-)
 ...I think (seeing as Sophos is armed against it), I'd try Sophos CLS from Bart PE cd :-)
regards, Richard


John Slade

unread,
Jul 28, 2010, 3:16:52 AM7/28/10
to
On 7/26/2010 9:51 PM, David Kaye wrote:
> Sorry about the crosspost to ba.internet, but I know there are malware experts
> out there.
>
> Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
> time removing it. The only tool the detects it consistently is MS Security
> Essentials, and MSSE keeps counting it and "disinfecting" it.
>
> I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I can't
> figure out what's launching it.
>
> I have eliminated one rootkit and subsequent scans show no more rootkits.
> This thing has dropped startup payloads into the StartUp folder, into the Run
> keys, into Prefetch, and it masquerades as everything from random 4-letter
> clusters to names like "Microsoft Suite", etc.
>
> It also captures the date when Windows was first installed, so I can't
> reliably search for the thing via date, either.
>
> Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
> the infections are in everything from drivers to executables in all kinds of
> directories.
>
> At the moment I'm running the computer in safe mode with no Internet and MSSE
> is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I
> go back into regular mode and get an Internet connection back up it'll start
> infecting again.
>
> Oh, and I've reset the Winsock stack twice just in case there's a little
> wedgie in there. Still comes back.
>
> Any help would be most appreciated. You can reach me directly by email. The
> address is valid.
>
> Thanks.
>

You may want to try turning off "system restore" in
"system properties". Then reboot. You may also want to make
"system volume information" accessible to your malware scanner.
Then do a scan of that folder. The default setting is "read
only" and "hidden" so if it can be scanned the malware won't be
removed. The malware can reboot that last restore point over and
over and reinfecting your system over and over. A Linux based
scanner can be a way around the permissions but it's probably
better to do the scans within Windows.

John

Virus Guy

unread,
Jul 28, 2010, 8:45:11 AM7/28/10
to
"David H. Lipman" wrote:

> BTW: I re-read this thread. Nowhere did I see anything about the
> removal of the hard disk and scanning it with a surrogate platform
> as suggested by Virus Guy. Whiles this can have drawbacks, it does
> have the propensity of removing protected malware.

Perhaps one day, someone will write some Anti-malware software designed
to properly scan the registry and MBR and determine an auto-run list for
attached slaved drives.

David H. Lipman

unread,
Jul 28, 2010, 7:18:24 PM7/28/10
to

John Slade

unread,
Apr 26, 2011, 9:16:40 AM4/26/11
to
To: alt.comp.virus,alt.comp.a
On 7/27/2010 11:17 PM, RJK wrote:
>
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net
> <mailto:DLipman~nospam~@Verizon.Net>> wrote in message
> news:i2o47...@news2.newsguy.com...
> From: "russg" <russ...@sbcglobal.net <mailto:russ...@sbcglobal.net>>

It seems the information I found on this worm is that it
probably hides in the "system volume information" folder that is
"read only" and "hidden" by default. The worm just keeps getting
reinstalled and can't be cleaned unless the permissions are
changed for that folder. The information on this site links to
instructions for cleaning RAMNIT.A.

http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059

This links to information on how to disable "system
restore" in order to remove the infection. It may be possible to
use some offline scanner like BitDefender to remove the worm but
it's better done in Windows.

John

---
* Synchronet * The Whitehouse BBS --- whitehouse.hulds.com --- check it out free usenet!
--- Synchronet 3.15a-Win32 NewsLink 1.92
Time Warp of the Future BBS - telnet://time.synchro.net:24

David Kaye

unread,
Jul 29, 2010, 3:46:19 AM7/29/10
to
TBerk <bayar...@yahoo.com> wrote:

>Haven't yet found the beastie this procedure wouldn't clean w/o
>reformatting a drive.

I didn't have to reformat; I reinstalled using the file overwrite method (the
one that doesn't destroy the registry) after running several rootkit removers
and being certain there were no rootkits.

Ramnit destroyed over 4000 executables (exe and dll), so it was inevitable
that I'd have to reinstall the OS. Project completed. The computer runs like
new.


>If I have time, I go though with it. if It's more expedient to wipe
>the drive I just harvest data, and reinstall the OS. But I prefer the
>'thrill of the hunt' so to speak.

When one does this professionally it's not the thrill of the hunt but keeping
the client as happy as possible in the least amount of time. This means,
disturbing as little of their experience as possible -- keeping their
wallpaper and all their other user interface experiences as close as to what
they were before infection.

In over 8 years doing this fulltime I've only had to reformat maybe 4 times.
I've had to reinstall the OS about 10 times. But this one really caught me by
surprise.

David H. Lipman

unread,
Jul 29, 2010, 6:24:17 AM7/29/10
to
From: "John Slade" <hhit...@pacbell.net>

>> |
>>
>> http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=
>> | rss

>> regards, Richard

| http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059

Sorry, you are mis-interpreting the information.

Malware doesn't "hide" in the "system volume information" folder. That is where the
System Resore cache resides. What they are talking about is removing restore points such
that you won't re-infect the PC if you restore the PC from a restore point that had made
in an infected condition.

Howver, I have learned that ist is NOT a good idea to dump the System Restore cache while
cleaning a PC. It is better to have an infected, working, PC than to have a a PC that may
be unstable and you can't restore the PC to a stable but infected condition. Once the PC
is thouroughly cleaned and verified and is stable then you you can dump the System Restore
cache.

jcdill

unread,
Jul 29, 2010, 1:07:39 PM7/29/10
to
David H. Lipman wrote:
> From: "jcdill" <jcdill...@gmail.com>

>
> | David Kaye wrote:
>>> Sorry about the crosspost to ba.internet, but I know there are malware experts
>>> out there.
>
>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?
>
> | No experience, but if I were in your shoes I'd start here:
>
> | <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
>
> The problem is that may not be the same based upon the !HTML suffix which infers HTML code
> and possibly exploitation rather than the actual infection.

My point was to use the experts-exchange site to get help if the answers
already posted don't solve the problem. They are amazingly helpful with
providing assistance (for free) to people who follow the recommended
steps (such as running hijackthis and posting the logs etc.). I've
found the answer to solving several pesky virus/worm problems simply by
searching the experts-exchange site without having to post my own query,
but if I couldn't find the answer in the archives then I wouldn't
hesitate to post.

jc

John Slade

unread,
Jul 29, 2010, 2:07:28 PM7/29/10
to

Some malware specifically uses the "system volume
information" folder to reinfect the computer. It will infect
multiple restore points even those that were there before the
particular worm was introduced. I've had some experience with these.

>
> Howver, I have learned that ist is NOT a good idea to dump the System Restore cache while
> cleaning a PC. It is better to have an infected, working, PC than to have a a PC that may
> be unstable and you can't restore the PC to a stable but infected condition. Once the PC
> is thouroughly cleaned and verified and is stable then you you can dump the System Restore
> cache.

This is one reason us PROFESSIONALS do a complete drive
backup before we remove the infection in this way. That way if
something goes wrong, you can always go back to the beginning.

It's possible to allow writing to the folder in question.
I have cleaned a few computers in this way and I usually find
that the restore points are not worth saving. I've had
absolutely no systems lost due to cleaning out the system
restore points. Never lost one and never needed to use the
backup on these types of infections. I find it better to have a
professional do the malware removal than someone who risks
loosing everything because they're afraid to remove the restore
caches.

John


David H. Lipman

unread,
Jul 29, 2010, 4:40:47 PM7/29/10
to
From: "John Slade" <hhit...@pacbell.net>

>>>> |

>>>> http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_
>>>> from=
>>>> | rss

>>>> regards, Richard

>> | http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059

| John


You said...


"Some malware specifically uses the "system volume information" folder to reinfect the
computer."

Since you also stated "...us PROFESSIONALS...".
What is that malware spaecifically. You should know it or it should be in your notes.
I'd like to know what it is you are referring to.

David H. Lipman

unread,
Jul 29, 2010, 4:42:50 PM7/29/10
to
From: "jcdill" <jcdill...@gmail.com>

>> | <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

Ant defined the !HTML suffix (and !INF) as being modified by the Ramnit.

FromTheRafters

unread,
Jul 29, 2010, 6:56:34 PM7/29/10
to
"John Slade" <hhit...@pacbell.net> wrote in message
news:tE74o.32165$OU6....@newsfe20.iad...

[...]

> It seems the information I found on this worm is that it
> probably hides in the "system volume information" folder that is "read
> only" and "hidden" by default.

Funny, I was led to believe it used the recycle bin.

> The worm just keeps getting reinstalled and can't
> be cleaned unless the permissions are changed
> for that folder. The information on this site links to instructions
> for cleaning RAMNIT.A.

How is it, that a folder remains inaccesible to a scanner?

> http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
>
> This links to information on how to disable "system restore" in
> order to remove the infection. It may be possible to use some offline
> scanner like BitDefender to remove the worm but it's better done in
> Windows.

It is better to clean the malware off the computer, then purge the
system restore thingy. The malware can't act against you actively, when
it is not running. Use drive imaging software, system restore be-damned.


FromTheRafters

unread,
Jul 29, 2010, 7:12:59 PM7/29/10
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i2sot...@news4.newsguy.com...

Seems sort of like the old DAM suffix - but instead of being damaged,
these files were modified to act as droppers. Not actual viral
infection, but perhaps infection in the furtherance of the worm. Another
write-up I saw mentioned infection of portable executable files, again
not with copies of itself like a virus, but rather to add dropper
functionality.

So, I'm guessing it could be polymorphic in the way it infects PEs and
the symptoms David Kaye experienced was because some were being missed
by the current definitions supplied for the AV tools he used.

Either that, or there is something *new* about the one he had.


David H. Lipman

unread,
Jul 29, 2010, 7:29:27 PM7/29/10
to
From: "FromTheRafters" <err...@nomail.afraid.org>

>>>> |
>>>> <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>


Maybe it is like the Virut in that it modified HTML files in a way that when viewed it
could cause you to download and re-infect the computer.

David H. Lipman

unread,
Jul 29, 2010, 7:33:57 PM7/29/10
to
From: "David Kaye" <sfdavi...@yahoo.com>

| "FromTheRafters" <err...@nomail.afraid.org> wrote:

>>It's a shame he couldn't provide you with a sample. His description of
>>symptoms doesn't exactly match up with what this malware is/does. This
>>could be new malware worm dropping ramnit.a as it finds new systems.

| What kind of sample? A sample of the malware? I'm loathe to provide that; I
| don't want to be responsible for infecting any computers. I've already given
| some filenames and directories.

< snip >

Samples that I "did" receive from someone who remain anonymous.

http://www.virustotal.com/analisis/ded3dae323a909c4752fa135de72cdc00ce0da3d1a5fd715fe536105a4da8cac-1280356012

http://www.virustotal.com/analisis/08b348341fb2a24d0ddf765afe7fedb171cdd7ab9dcfa5aab5dc6bfa3b2ce797-1280350307

FromTheRafters

unread,
Jul 29, 2010, 7:52:17 PM7/29/10
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i2t4d...@news6.newsguy.com...

That's what I gathered. Interesting it not being viral with respect to
exe infection though (if that is indeed the case).


John Slade

unread,
Apr 26, 2011, 9:16:41 AM4/26/11
to
To: alt.comp.virus,alt.comp.a

Yes that's exactly what I said. One think I've noticed
from 25 years of seeing malware is that the writers of malware
will use anything and everything to infect a system. They will
make it hard as possible to remove them too.

>
> Since you also stated "...us PROFESSIONALS...".

The professional thing to do is make a backup so you can
do what needs to be done to repair the system. I don't usually
hear other professionals say afraid to do something as simple as
removing restore points to repair a system.

> What is that malware spaecifically. You should know it or it should be in your notes.
>

I don't remember the exact name of the worms and trojans
as it was over a year ago when I removed the last one. There are
so many variants of existing malware and new malware out there.
As for my notes, I don't need notes on specific malware I just
do what it takes to remove whatever it is. My notes deal mostly
with behavior of the malware and what it takes to remove it.
However I still have the scanner logs I did then and I'll look
through them. You should also know that scanners can find
malware and not give it a name because it detects signatures and
behavior. The particular malware may not be in the database as yet.

You should know there is malware out there that will
trash the registry and it's backup. It will require some sort of
reinstall to get the system back working. I found it very rare
that I need to do a full reformat and reinstall because of
malware. Some malware will also corrupt system files and when
you remove them with scanners, it will make the installation
unbootable. This is yet another reason professionals will make a
backup if possible before removing infections.

I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.

Ant

unread,
Jul 29, 2010, 9:54:01 PM7/29/10
to
"David H. Lipman" wrote:

Progress report:

Infected executables contain an extra section ".rmnet", which is about
48kb in size and contains the new entry point. When run, they drop a
45kb UPX'd exe in the current directory as [infected filename]Srv.exe,
run it and jump to the original entry point of the infected file which
can then run as normal.

The mutex "KyUffThOkYwRRtgPP" is used to ensure only one copy of the
infection is active at a time.

The dropped file creates a "Microsoft" subdirectory in the first
directory successfully written to, resolved from one of these
environment variables or API calls and in this order:

"%ProgramFiles%"
"%CommonProgramFiles%"
"%HOMEDRIVE%%HOMEPATH%"
"%APPDATA%"
GetSystemDirectoryA
GetWindowsDirectoryA

It then copies itself to that location as DesktopLayer.exe and runs
that. DesktopLayer then injects an embedded DLL somewhere using an odd
mechanism which I've yet to investigate.

The DLL creates multiple threads to keep modifying the Winlogon
registry key, contact the site fget-career.com, create autorun.inf
files, do something in the recycle bin and infect executables and html
documents. Other files likely to be created in directories of infected
files are dmlconf.dat and complete.dat.

I've yet to check the infection thread for the method of selecting
files for infection. Html files have VBScript appended to them with
the infector binary encoded as a hex string. When the document is
opened in a browser the binary is written to the user's temp directory
and run using WScript.Shell.

This is a variant of the one in the Symantec report and may or may not
be the same as D. Kaye's.


Ant

unread,
Jul 29, 2010, 10:01:50 PM7/29/10
to
"Ant" wrote:

> Html files have VBScript appended to them with
> the infector binary encoded as a hex string. When the document is
> opened in a browser the binary is written to the user's temp directory
> and run using WScript.Shell.

The binary is saved as [user]\temp\svchost.exe


John Slade

unread,
Jul 29, 2010, 10:08:46 PM7/29/10
to
On 7/29/2010 3:56 PM, FromTheRafters wrote:
> "John Slade"<hhit...@pacbell.net> wrote in message
> news:tE74o.32165$OU6....@newsfe20.iad...
>
> [...]
>
>> It seems the information I found on this worm is that it
>> probably hides in the "system volume information" folder that is "read
>> only" and "hidden" by default.
>
> Funny, I was led to believe it used the recycle bin.

It's entirely possible as they probably have 30 different
variants of the same worm.

>
>> The worm just keeps getting reinstalled and can't
>> be cleaned unless the permissions are changed
>> for that folder. The information on this site links to instructions
>> for cleaning RAMNIT.A.
>
> How is it, that a folder remains inaccesible to a scanner?

It won't allow the removal of the malware because the
folder is read only. It will detect but not clean.

>
>> http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
>>
>> This links to information on how to disable "system restore" in
>> order to remove the infection. It may be possible to use some offline
>> scanner like BitDefender to remove the worm but it's better done in
>> Windows.
>
> It is better to clean the malware off the computer, then purge the
> system restore thingy.

Sometimes the way to remove the malware is to remove the
system restore folders but only after a backup is made of the
entire HD.

> The malware can't act against you actively, when
> it is not running. Use drive imaging software, system restore be-damned.
>

I agree. But some malware needs to be running so it can
be detected and fully removed.

John

David H. Lipman

unread,
Jul 29, 2010, 10:10:03 PM7/29/10
to
From: "Ant" <n...@home.today>

| "Ant" wrote:


Thank you Ant.

You 'da man! :-)

TBerk

unread,
Jul 29, 2010, 10:17:48 PM7/29/10
to
On Jul 29, 12:46 am, sfdavidka...@yahoo.com (David Kaye) wrote:
<snip>
> In over 8 years doing this full time I've only had to reformat maybe 4 times.  

> I've had to reinstall the OS about 10 times.  But this one really caught me by
> surprise.

Lets see...


CP/M
8" floppy disks
5 1/4" floppies, but with Hard Sector holes cut in them
Data Storage on Cassette Tape
Soldering together your own Serial Cable to make sure you got the
Handshaking right.

Eight years, heh heh. (Not flam'n,) just ruminating nostalgically.

Hell, 'the Cuckoo's Egg' for that matter.

TBerk
Now I want to pop some corn and go watch a 'Sneakers' & 'Hackers'
double bill...

David H. Lipman

unread,
Jul 30, 2010, 6:20:58 AM7/30/10
to
From: "TBerk" <bayar...@yahoo.com>

| On Jul 29, 12:46 am, sfdavidka...@yahoo.com (David Kaye) wrote:
| <snip>
>> In over 8 years doing this full time I've only had to reformat maybe 4 times.
>> I've had to reinstall the OS about 10 times. But this one really caught me by
>> surprise.

| Lets see...


| CP/M
| 8" floppy disks
| 5 1/4" floppies, but with Hard Sector holes cut in them
| Data Storage on Cassette Tape
| Soldering together your own Serial Cable to make sure you got the
| Handshaking right.

| Eight years, heh heh. (Not flam'n,) just ruminating nostalgically.

| Hell, 'the Cuckoo's Egg' for that matter.

RJK

unread,
Jul 30, 2010, 12:46:22 PM7/30/10
to

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i2u99...@news5.newsguy.com...
From: "TBerk" <bayar...@yahoo.com>

| Lets see...


:-)


I've got a tape streamer in a jjiffy bag, floating around in a plastic sack
of old spares, out in the garage if you want it :-)
...and the ISA interface card and two or three TR3 tapes to go with it !!

....whilst looking for a picture of it, I found :-
http://cgi.ebay.co.uk/SEAGATE-CTT3200I-F-CTT3200R-F-TAPE-DRIVE-fbc1a8-/350250404498
...same as mine :-)

...I wonder if the vendor will ever sell it ?

I do remember that the chap that bought it paid around £400 if memory serves
!

regards, Richard

RJK

unread,
Jul 30, 2010, 12:53:38 PM7/30/10
to

"RJK" <nos...@hotmail.com> wrote in message
news:BlD4o.38017$lS1....@newsfe12.iad...

| Lets see...


:-)