Win32.Ramnit.N_71edf02ea5

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Worm creates the following process(es):

regsvr32.exe:500
regsvr32mgr.exe:1388

The Worm injects its code into the following process(es):

Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process regsvr32.exe:500 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp-log.txt (11204 bytes)
%System%\regsvr32mgr.exe (5442 bytes)

The process regsvr32mgr.exe:1388 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%WinDir%\system.ini (72 bytes)

Registry activity

The process regsvr32.exe:500 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF E6 43 81 4E 18 A5 90 A5 77 50 DC 1C C0 39 E3"

The process regsvr32mgr.exe:1388 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"35845605" = "343"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "91B7B29E83DF27BD845620F31F81699AEA234A0AF364777AFD8013C50880BEED261AF09F76D756B22D8490BFC624276D3076D4A74CC35D08D3701A2CD26E8FE302DFAECE118977A4B1E380EEB284A8F1F5762C79B4FF22C5F28C90BFC5888DEA3DA748B07164541111D2655DA3E285F8167DE1B62CBC7E30883AFB31B5B55DA8"
"43014726" = "0A00687474703A2F2F616B7A696C2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E63723473682E676F2E726F2F6C6F676F2E67696600687474703A2F2F6172746761732E636F6D2E62722F627574746F6E2E67696600687474703A2F2F6561726E6D6F6E657962642E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F736F68616D776F726C642E696E2F696D616765732F627574746F6E2E67696600687474703A2F2F73696D6963616E692E636F6D2F6C6F676F2E67696600687474703A2F2F7777772E73746F72667265652E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6E65776E69726D616E2E696E2F627574746F6E2E67696600687474703A2F2F7777772E6D736963742E696E2F696D616765732F6C6F676F2E67696600687474703A2F2F67616E757A6173762E636F6D2F6C6F676F2E676966"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "198"

"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 68 46 21 CC 4A BC E5 FC 43 3C 3B 77 AD 63 CD"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32]
"regsvr32mgr.exe" = "%System%\regsvr32mgr.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

Dropped PE files

MD5	File path
0ba74ebf12f69c3e97e999ccbfff6920	c:\WINDOWS\system32\regsvr32mgr.exe

HOSTS file anomalies

The Worm modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	www.Brenz.pl

Rootkit activity

The Worm installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   regsvr32.exe:500
   regsvr32mgr.exe:1388
   

3. Delete the original Worm file.
   
4. Delete or disinfect the following files created/modified by the Worm:

   %Documents and Settings%\%current user%\Local Settings\Temp-log.txt (11204 bytes)
   %System%\regsvr32mgr.exe (5442 bytes)
   %WinDir%\system.ini (72 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	336257	336384	4.41408	4353327e7c370382de563f088c87535e
.rdata	344064	89200	89600	3.45699	b552b88f3a193d16770366517f446976
.data	434176	323732	311808	0.734163	c9dad4475d355df49a1ae8fcd0ce82d6
.rsrc	761856	480	512	3.27493	c31f0039ae1631f5712fd39f46c1dc92
.reloc	765952	98700	98816	1.64638	e8d3f58e4e0cbc1cdaf177bfb4f7045a
.text	868352	1081344	1079296	5.48309	9fd3f4c6cfbecd4a8c1da0071521f7e2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Worm connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.EXE_1684_rwx_00EE0000_00002000:

SHELL32.DLL

SHELL32.DLL

ShellExecuteA

ShellExecuteA

KERNEL32.DLL

KERNEL32.DLL

Explorer.EXE_1684_rwx_00EF0000_00001000:

|explorer.exeM_1684_

|explorer.exeM_1684_