Win32.Ramnit.N (BitDefender), Virus:Win32/Ramnit.AE (Microsoft), Trojan.Win32.Patched.md (Kaspersky), Virus.Win32.Ramnit.a!dam (v) (VIPRE), Win32.Rmnet.8 (DrWeb), Win32.Ramnit.N (B) (Emsisoft), W32/Ramnit.b (McAfee), W32.Ramnit.B!inf (Symantec), Virus.Win32.Zbot (Ikarus), Win32.Ramnit.N (FSecure), Win32/Zbot.G (AVG), Win32:Ramnit-inf (Avast), PE_RAMNIT.KC (TrendMicro), Backdoor.Win32.Farfli.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a61c1e2f7d8e12f860cc81f7e1f02b24
SHA1: 01db0f6f821bdac7f440f0fed29588d73ef70c97
SHA256: 3a3442c8b37d63a648c85ee70ad27107701e5cf842b3682548556188a6288530
SSDeep: 3072:jox34lgaah0gQYujo9ia8wDekuc0Sa2UoA8wklJ1bH5yj:jm38gaQJgjha8w3BAdkbB5Y
Size: 129506 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: LLC Pentagon
Created at: 2008-10-11 00:48:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
regsvr32mgr.exe:2728
regsvr32.exe:2632
ajvmmkjkbtsibwto.exe:3016
The Backdoor injects its code into the following process(es):
ctfmon.exe:252
File activity
The process regsvr32mgr.exe:2728 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
The process regsvr32.exe:2632 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\regsvr32mgr.exe (116 bytes)
The process ajvmmkjkbtsibwto.exe:3016 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (0 bytes)
Registry activity
The process ctfmon.exe:252 makes changes in the system registry.
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
The process regsvr32mgr.exe:2728 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 37 2A 77 31 C3 1F 75 5A 6D A2 63 A4 D4 6A 74"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ajvmmkjkbtsibwto.exe" = "ajvmmkjkbtsibwto"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process regsvr32.exe:2632 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 65 13 CC 41 3C B7 52 B3 59 51 0C 84 0D 00 10"
The process ajvmmkjkbtsibwto.exe:3016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 98 77 4F F2 DF E7 80 FB 3A EE 1D 7A 9B 4B C4"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Backdoor installs the following kernel-mode hooks:
ZwCreateKey
ZwOpenKey
The Backdoor installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Backdoor installs the following user-mode hooks in WS2_32.dll:
WSASendTo
WSARecvFrom
WSASend
recv
WSARecv
send
closesocket
recvfrom
sendto
The Backdoor installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
ZwQueryDirectoryFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32mgr.exe:2728
regsvr32.exe:2632
ajvmmkjkbtsibwto.exe:3016 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
%System%\regsvr32mgr.exe (116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes) - Reboot the computer.