Discovered: January 19, 2010
Updated: March 02, 2015 11:03:26 AM
Type: Virus
Infection Length: 10,240 bytes
Systems Affected: Windows
CVE References: CVE-2010-2568 | CVE-2013-0422 | CVE-2013-1493

W32.Ramnit is a worm that spreads through removable drives and by infecting executable and HTML files. The worm also functions as a back door allowing a remote attacker to access the compromised computer.

Infection
The threat is distributed through removable drives, infected files on public FTP servers, exploit kits served through malicious advertisements on legitimate websites or social media, and is also bundled with potentially unwanted applications.

To spread itself, the threat will infect EXE, DLL, HTM, and HTML files and make copies of itself on removable and fixed drives.

Functionality

The primary function of this threat is to steal information from the compromised computer. It does this by downloading various modules that can perform the following tasks:

  • Steal cookies to hijack online sessions for banking and social media websites. The threat steals cookies from the compromised computer’s browsers, stores them in archive files, and sends them to the C&C server.
  • Steal login credentials for a large number of FTP clients.
  • Monitor a victim’s frequently visited websites, including online banking websites. When the threat recognizes that a victim is on a specific site, it will act as a man-in-the-browser (MITB) and inject code into the web page. It will then request that the user submit sensitive information that is not normally submitted to a bank during login. The attacker can then use this information to access the victim’s credit cards and bank accounts.
  • Give the attacker remote access to the compromised computer.
  • Steal files from the compromised computer. The threat scans for specific folders or files that may contain login credentials and then archives them, and sends them to the C&C server.
  • Allow the attacker to remotely connect to the compromised computer and browse the file system through an anonymous FTP server. The FTP server lets the attacker upload, download, and delete files, and execute commands.
The threat will also write a copy of the installer to the computer’s file system and store a copy of itself in memory. This allows the threat to be dropped back onto the file system and executed again if the compromised computer’s antivirus software detects and deletes the threat, or quarantines it.

It will also open a back door and connect to a C&C server so it can receive commands and request the modules that are used to steal information from the compromised computer. The commands that the threat can receive include capturing screenshots, uploading cookies, gathering computer-related information, and deleting root registry keys to prevent the computer from starting up.

Geographical distribution
Symantec has observed the following geographic distribution of this threat:




SYMANTEC PROTECTION SUMMARY
The following Symantec detections protect against this threat family:

AV:
IPS:

Antivirus Protection Dates

  • Initial Rapid Release version January 19, 2010 revision 040
  • Latest Rapid Release version June 19, 2018 revision 005
  • Initial Daily Certified version January 19, 2010 revision 051
  • Latest Daily Certified version June 19, 2018 revision 008
  • Initial Weekly Certified release date January 20, 2010



1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
2. Infection Method
2.1 Removable drives
2.2 Remotely exploitable vulnerabilities
2.3 File infection
2.4 Public File Transfer Protocol servers
2.5 Potentially unwanted applications
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Additional functionality
4. Additional Information




1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
As this threat spreads through removable drives, users are advised to take caution when connecting a removable drive to their computer. This threat can use the AutoRun feature in Windows to spread. It is a good security practice to disable this feature so that removable devices do not execute when they are inserted into a computer. It should be noted that the AutoRun feature is disabled by default for non-optical removable drives in recent versions of Windows and on computers with certain updates applied.

Removable drives should also be disconnected when not required and, if write access is not required, enable the read-only mode if the option is available on the drive.

Do not click on any links or advertisements if it is unclear if they come from trusted sources. The web browser will normally show where the link leads to when the user hovers over the link with the mouse. Users can also check online website-rating services such as safeweb.norton to see if the site is deemed safe to visit.

Do not install programs on your computer if you do not know where they come from. Be suspicious of files that are bundled with other applications and do not install them if you do not know what they are.


1.2 Patch operating system and software
Attackers have been observed spreading the threat through exploit kits hosted on malicious advertisements or compromised sites. These kits are designed to take advantage of any software bugs on your computer in order to install malware. You can prevent exploit kits from succeeding by keeping your operating system and software up to date.

It is recommended that users turn on automatic updates, if available, so that the latest patches and updates can be applied to their computer when they are made available.



2. INFECTION METHOD
The threat is distributed through removable drives (such as USB keys) and network shares, infected files on public FTP servers, exploit kits served through malicious advertisements on legitimate websites or social media, and bundles with potentially unwanted applications.


2.1 Removable drives
The threat can use AutoRun to spread. AutoRun is a Windows feature that can launch a program automatically when a drive is connected or opened. The threat copies itself to removable drives together with a configuration file called autorun.inf. An autorun.inf file is a plain text file that tells Windows how to display the drive (its label and icon) and, through entries such as open= and shellexecute=, which file to run; the threat points those entries at its own copy.

This feature should be disabled so that files on removable devices do not execute when the device is inserted into a computer. The AutoRun feature is disabled by default for non-optical removable drives in recent versions of Windows and on computers with certain updates applied.

To spread itself, the threat may create the following files on any removable drive present:

  • %DriveLetter%\RECYCLER\[GUID]\[RANDOM CHARACTERS].exe
  • %DriveLetter%\RECYCLER\[GUID]\[RANDOM CHARACTERS].cpl
  • %DriveLetter%\autorun.inf
  • %DriveLetter%\Copy of Shortcut to (1).lnk
  • %DriveLetter%\Copy of Shortcut to (2).lnk
  • %DriveLetter%\Copy of Shortcut to (3).lnk
  • %DriveLetter%\Copy of Shortcut to (4).lnk
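The following script checks the root of a mounted drive for the artifacts listed above: an autorun.inf whose launch entries point at an executable or .cpl file under RECYCLER, a RECYCLER\[GUID] folder holding .exe or .cpl files, and the "Copy of Shortcut to (N).lnk" files. It is an added example, not Symantec's or the threat's code; the GUID, file names and autorun.inf contents in build_sample_drive() are constructed for the demo, and a clean result only means these particular indicators are absent.

```python
import os
import re
import tempfile

# Indicators taken from the file list above; the GUID folder name and the
# executable names are random per sample, so match them by shape.
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$")
LNK_RE = re.compile(r"^Copy of Shortcut to \(\d+\)\.lnk$", re.IGNORECASE)


def parse_autorun(text):
    """Return the key/value pairs under [autorun] with lower-cased keys.
    autorun.inf is INI-like but often hand-written, so this is a lenient
    parser rather than configparser (which rejects odd or duplicate keys)."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def launch_targets(values):
    """Entries Windows may execute: open=, shellexecute=, shell\\<verb>\\command="""
    return [v for k, v in values.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def scan_drive_root(root):
    """Return a sorted list of findings for the drive mounted at `root`."""
    findings = []
    for name in os.listdir(root):
        lname = name.lower()
        path = os.path.join(root, name)
        if lname == "autorun.inf":
            with open(path, "r", errors="replace") as fh:
                values = parse_autorun(fh.read())
            for target in launch_targets(values):
                t = target.lower()
                if "recycler" in t or t.endswith((".exe", ".cpl")) or "rundll32" in t:
                    findings.append(f"autorun.inf launches {target}")
        elif LNK_RE.match(name):
            findings.append(f"suspicious shortcut {name}")
        elif lname == "recycler" and os.path.isdir(path):
            for sub in os.listdir(path):
                subdir = os.path.join(path, sub)
                if GUID_RE.match(sub) and os.path.isdir(subdir):
                    for fn in os.listdir(subdir):
                        if fn.lower().endswith((".exe", ".cpl")):
                            findings.append(f"RECYCLER\\{sub}\\{fn}")
    return sorted(findings)


def build_sample_drive(root):
    """Constructed drive layout mirroring the list above (demo input only)."""
    guid = "{A1B2C3D4-0001-0002-0003-0A0B0C0D0E0F}"  # made-up GUID
    os.makedirs(os.path.join(root, "RECYCLER", guid))
    for fn in ("xkqwerty.exe", "xkqwerty.cpl"):  # made-up "random" names
        open(os.path.join(root, "RECYCLER", guid, fn), "wb").close()
    for i in range(1, 5):
        open(os.path.join(root, f"Copy of Shortcut to ({i}).lnk"), "wb").close()
    open(os.path.join(root, "holiday.jpg"), "wb").close()  # benign file
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\r\n"
                 f"open=RECYCLER\\{guid}\\xkqwerty.exe\r\n"
                 f"shell\\open\\command=RECYCLER\\{guid}\\xkqwerty.exe\r\n"
                 "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")


def demo():
    """Build the sample drive in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return scan_drive_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan_drive_root() at the drive root (for example "E:\\" on Windows or the mount point on Linux). The icon= entry is deliberately ignored: it only controls how the drive is shown, while open=, shellexecute= and shell\...\command= are what AutoRun and Explorer's context menu actually run.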


2.2 Remotely exploitable vulnerabilities
The threat may be propagated through exploits for the vulnerabilities listed under CVE References above: CVE-2010-2568, the Windows Shell shortcut (.lnk) icon-handling vulnerability, which is triggered by crafted .lnk files (compare the shortcut files dropped on removable drives in 2.1), and CVE-2013-0422 and CVE-2013-1493, both in the Oracle Java Runtime Environment.

Attackers may try to serve exploits through malicious advertisements on legitimate websites and social media. Attackers may compromise the advertisements on these sites by injecting malicious code into them, which redirects visitors to another web page hosting the exploit kit. The kit then checks the user’s computer for potentially vulnerable programs and attempts to exploit them accordingly. This will allow the kit to drop the threat onto the computer.


2.3 File infection
The threat infects the following file types:
  • .exe
  • .dll
  • .htm
  • .html

If infected files from a compromised computer are shared, the threat can spread. Infected HTML files residing on a web server may be served to users of the web server, which may also help to further spread the threat.


2.4 Public File Transfer Protocol servers

The threat may also spread through public FTP servers: infected files uploaded from a compromised computer are later downloaded and run by other users.


2.5 Potentially unwanted applications
The threat may come bundled with other applications.



3. FUNCTIONALITY
When the threat is executed, it may perform the following actions:


3.1 System modifications
The following side effects may be observed on computers compromised by this threat:


File creation
The threat may create the following files on the compromised computer:
  • %UserProfile%\Start Menu\Programs\Startup\[RANDOM CHARACTERS].exe
  • %UserProfile%\[RANDOM CHARACTERS].log
  • %SystemDrive%\Program Files\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
  • %ProgramFiles%\MNetwork
  • %CurrentFolder%\[INFECTED FILE NAME]Srv.exe
  • %DriveLetter%\autorun.inf
  • %SystemDrive%\Documents and Settings\All Users\Application Data\[EIGHT PSEUDO-RANDOM CHARACTERS].log
  • %UserProfile%\Application Data\[EIGHT PSEUDO-RANDOM CHARACTERS].exe
  • %UserProfile%\Local Settings\Temp\[EIGHT PSEUDO-RANDOM CHARACTERS].sys
  • %UserProfile%\Local Settings\Temp\[EIGHT PSEUDO-RANDOM CHARACTERS].exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].log


Registry subkeys/entries created
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc


Registry subkeys/entries deleted
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE
  • HKEY_LOCAL_MACHINE\SYSTEM
  • HKEY_LOCAL_MACHINE\HARDWARE
  • HKEY_CURRENT_USER\SOFTWARE


Registry subkeys/entries modified
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%Windir%\system32\userinit.exe,,%SystemDrive%\Program Files\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"
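The modified Userinit value shown above is the persistence entry a responder should check first: Winlogon runs every comma-separated program in that list, and the threat appends its own executable after the genuine userinit.exe. The check below, an added example rather than Symantec's tooling, takes registry values as a plain dict (path to data, as you would get from parsing a `reg export` file) so it runs anywhere. The specific values it looks at under the other modified keys (wscsvc Start = 4, EnableFirewall = 0, EnableLUA = 0) are this example's assumptions about how the "lowered security settings" look; the writeup only says the keys are modified. The NoDriveTypeAutoRun bitmask check corresponds to the AutoRun advice in section 1.1.

```python
import re

# Value paths as they appear in a `reg export` of the keys listed above.
USERINIT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
NO_DRIVE_AUTORUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
WSCSVC_START = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start"
FW_ENABLED = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"
ENABLE_LUA = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA"

ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows", "%systemdrive%": "C:"}
GENUINE_USERINIT = r"c:\windows\system32\userinit.exe"


def expand(path):
    """Expand the few environment variables seen in these values (assumes C:)."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m: val, path, flags=re.IGNORECASE)
    return path


def userinit_extras(value):
    """Userinit is a comma-separated program list; return everything other than
    the genuine userinit.exe. The infected shape shown above is
    'userinit.exe,,<random dir>\\<random>.exe', so empty entries are skipped."""
    extras = []
    for item in value.split(","):
        item = item.strip().strip('"')
        if item and expand(item).lower() != GENUINE_USERINIT:
            extras.append(item)
    return extras


def _get(values, path):
    """Case-insensitive lookup, since registry paths are not case sensitive."""
    for k, v in values.items():
        if k.lower() == path.lower():
            return v
    return None


def check_registry(values):
    """Return findings for one host's exported values (dict of path -> data)."""
    findings = []
    userinit = _get(values, USERINIT)
    if userinit is not None:
        findings += [f"Userinit also launches: {x}" for x in userinit_extras(userinit)]
    # NoDriveTypeAutoRun is a bitmask: 0x04 = removable, 0x10 = network, 0xFF = all types.
    mask = _get(values, NO_DRIVE_AUTORUN)
    if mask is None or not (int(mask) & 0x04):
        findings.append("AutoRun still enabled for removable drives (NoDriveTypeAutoRun)")
    if _get(values, WSCSVC_START) == 4:  # SERVICE_DISABLED (assumed malicious change)
        findings.append("Security Center service (wscsvc) disabled")
    if _get(values, FW_ENABLED) == 0:    # assumed malicious change
        findings.append("Windows Firewall disabled for the standard profile")
    if _get(values, ENABLE_LUA) == 0:    # assumed malicious change
        findings.append("UAC disabled (EnableLUA = 0)")
    return findings


# Constructed sample exports; the infected one mirrors the Userinit value shown above.
INFECTED = {
    USERINIT: r"C:\Windows\system32\userinit.exe,,C:\Program Files\qvdxzte\rjkwoplm.exe",
    NO_DRIVE_AUTORUN: 0x91,  # a common default: unknown, network and reserved types only
    WSCSVC_START: 4,
    FW_ENABLED: 0,
    ENABLE_LUA: 0,
}
CLEAN = {
    USERINIT: r"C:\Windows\system32\userinit.exe,",
    NO_DRIVE_AUTORUN: 0xFF,
    WSCSVC_START: 2,  # SERVICE_AUTO_START
    FW_ENABLED: 1,
    ENABLE_LUA: 1,
}

if __name__ == "__main__":
    for host, values in (("infected", INFECTED), ("clean", CLEAN)):
        print(host, check_registry(values))
```

Restoring Userinit means removing only the appended entry and keeping the trailing comma after userinit.exe; deleting the value outright leaves Windows unable to log users in.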


MBR infection
The threat also infects the master boot record (MBR) so it can remain persistent on the compromised computer. It does this by moving the clean MBR to the end of the disk and then overwriting the original MBR with a malicious one. Because the malicious MBR runs before the operating system loads, deleting the threat's files and registry entries alone does not clean the computer; the MBR must also be restored.
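One way to look for the displaced original MBR described above is to scan the last sectors of the disk for a sector that ends in the 55 AA signature and carries the same partition table as sector 0 but different boot code. This is an added example, not Symantec's procedure, and it rests on an assumption the writeup does not state: a bootkit that overwrites sector 0 must keep the real partition table so the machine still boots. The disk image, partition entry and boot-code bytes in build_image() are constructed for the demo.

```python
SECTOR = 512
TAIL_SECTORS = 64  # how many sectors back from the end of the disk to inspect


def is_mbr(sector):
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"


def partition_table(sector):
    return sector[446:510]


def boot_code(sector):
    return sector[:446]


def find_relocated_mbr(image, tail_sectors=TAIL_SECTORS):
    """Return (sector_index, reason) for a sector near the end of the image that
    looks like the displaced original MBR, or None.

    Assumption (not stated by the writeup): the bootkit keeps the real partition
    table in sector 0, so the moved original shares that table but has
    different boot code."""
    first = image[:SECTOR]
    if not is_mbr(first):
        return None
    total = len(image) // SECTOR
    for idx in range(total - 1, max(total - 1 - tail_sectors, 0), -1):
        sec = image[idx * SECTOR:(idx + 1) * SECTOR]
        if not is_mbr(sec) or sec == first:
            continue
        if partition_table(sec) == partition_table(first) and boot_code(sec) != boot_code(first):
            return idx, "same partition table as sector 0 but different boot code"
    return None


def build_image(infected, sectors=4096):
    """Constructed 2 MiB disk image: one active partition entry and stand-in boot
    code (not a real loader). If `infected`, sector 0 is replaced and the clean
    MBR is written to the last sector, as described above."""
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])  # active, type 7
    entry += (2048).to_bytes(4, "little") + (2048).to_bytes(4, "little")  # LBA start, size
    table = entry + bytes(48)  # three empty entries
    clean = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(446, b"\x00") + table + b"\x55\xaa"
    image = bytearray(sectors * SECTOR)
    image[:SECTOR] = clean
    if infected:
        evil = b"\xfa\xe9\x00\x00".ljust(446, b"\x90") + table + b"\x55\xaa"
        image[:SECTOR] = evil          # malicious MBR in place
        image[-SECTOR:] = clean        # original moved to the end of the disk
    return bytes(image)


if __name__ == "__main__":
    for state in (False, True):
        print("infected" if state else "clean", find_relocated_mbr(build_image(state)))
```

On a real system read sector 0 and only the last TAIL_SECTORS sectors of the physical device rather than the whole disk, and treat a hit as a lead, not proof: some imaging and OEM tools also keep an MBR backup at the end of the disk, so compare the boot code in sector 0 against a known-good copy before acting.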


3.2 Network activity
The threat may be controlled remotely by a command-and-control (C&C) server and it may be instructed to download and install various files to perform other actions on the compromised computer.


Command-and-control connections
The threat uses a domain generation algorithm (DGA) to generate the domains through which it locates its C&C server. The algorithm produces up to 300 domains for each seed value; one seed value is hard coded into the threat.

The following are some example domains generated by the threat:
  • rmnzerobased.com
  • awecerybtuitbyatr.com
  • awrcaverybrstuktdybstr.com
  • qwevrbyitntbyjdtyhvsdtrhr.com
  • yeiolertxwerh.com
  • ytioghfdghvcfgbgvdf.com
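The example domains above share the look of most DGA output: long labels, long runs of consonants and few vowels. The triage below scores queried names in DNS log lines on those properties and lists the clients that asked for generated-looking names. It is an added example with a generic heuristic; it is not Ramnit's actual generation algorithm, which is not reproduced here, and the log lines are constructed. Expect false positives on unusual legitimate names, so use it to pull candidates for review rather than to block.

```python
import re

CONSONANTS = set("bcdfghjklmnpqrstvwxyz")  # y counted as a consonant
VOWELS = set("aeiou")
LOG_RE = re.compile(r"query=(?P<name>[A-Za-z0-9.-]+)")

# Example domains listed above (from the writeup) and a few benign names.
RAMNIT_EXAMPLES = ["rmnzerobased.com", "awecerybtuitbyatr.com", "awrcaverybrstuktdybstr.com",
                   "qwevrbyitntbyjdtyhvsdtrhr.com", "yeiolertxwerh.com", "ytioghfdghvcfgbgvdf.com"]
BENIGN = ["google.com", "microsoft.com", "symantec.com", "windowsupdate.com", "facebook.com"]


def second_level_label(domain):
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        run = (run + 1) if ch in CONSONANTS else 0
        best = max(best, run)
    return best


def dga_score(domain):
    """Return (score, reasons); a score of 2 or more is treated as DGA-like."""
    label = second_level_label(domain)
    score, reasons = 0, []
    run = longest_consonant_run(label)
    if run >= 4:
        score += 2
        reasons.append(f"consonant run of {run}")
    if len(label) >= 16:
        score += 1
        reasons.append(f"label length {len(label)}")
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.3:
        score += 1
        reasons.append("low vowel ratio")
    return score, reasons


def is_dga_like(domain):
    return dga_score(domain)[0] >= 2


def triage_dns_log(lines):
    """Return [(client, name, reasons)] for lines whose queried name looks generated."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m.group("name")
        score, reasons = dga_score(name)
        if score >= 2:
            client = re.search(r"client=(\S+)", line)
            hits.append((client.group(1) if client else "?", name, reasons))
    return hits


# Constructed DNS log lines (not real telemetry).
SAMPLE_LOG = [
    "2015-03-02T11:03:26 client=10.0.0.5 query=windowsupdate.com type=A",
    "2015-03-02T11:03:27 client=10.0.0.5 query=awecerybtuitbyatr.com type=A rcode=NXDOMAIN",
    "2015-03-02T11:03:27 client=10.0.0.5 query=ytioghfdghvcfgbgvdf.com type=A rcode=NXDOMAIN",
    "2015-03-02T11:03:28 client=10.0.0.8 query=symantec.com type=A",
]

if __name__ == "__main__":
    for client, name, reasons in triage_dns_log(SAMPLE_LOG):
        print(client, name, ", ".join(reasons))
```

A second signal worth adding from real logs is the NXDOMAIN burst: a host that walks a 300-domain list gets mostly NXDOMAIN answers in quick succession, which is rarer for legitimate software than any single odd-looking name.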

The threat opens a back door on the compromised computer that allows it to receive approximately 21 commands, including the following:
  • Capture screenshots
  • Upload cookies
  • Gather computer-related information
  • Delete root registry keys (see 3.1) so that the computer can no longer start up
  • Request modules and module lists


FTP server
The threat runs its own FTP server, which listens on TCP port 22 (the port normally used by SSH) for commands and connections. Besides the standard FTP verbs, the server implements a non-standard EXEC command that lets the attacker execute commands on the compromised computer. The FTP server supports the following commands:
  • USER
  • PASS
  • CWD
  • CDUP
  • QUIT
  • PORT
  • PASV
  • TYPE
  • MODE
  • RETR
  • STOR
  • APPE
  • REST
  • RNFR
  • RNTO
  • ABOR
  • DELE
  • RMD
  • MKD
  • LIST
  • NLST
  • SYST
  • STAT
  • HELP
  • NOOP
  • SIZE
  • EXEC
  • PWD


VNC server
The threat may also run a virtual network computing (VNC) server on the compromised computer. The VNC server is hard coded to listen on TCP port 23 (the port normally used by Telnet) and allows a remote attacker to gain access to the desktop of the compromised computer without authentication.
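Both listeners above are detectable on the wire without signatures, because the service does not match the port: an FTP "220" greeting on TCP/22, where an SSH banner is expected, and an RFB (VNC) greeting on TCP/23 instead of the 5900 range, plus any use of the EXEC verb. The classifier below, an added example rather than Symantec's IPS logic, takes session records of the kind a capture or network-monitoring tool produces (destination, port, the server's first bytes, the client's command lines); the records in SESSIONS are constructed. It generalizes the writeup's two hard-coded ports to any port, and it cannot tell from the banner alone whether the VNC server requires authentication.

```python
# FTP verbs listed above; EXEC is the threat's own addition (not in RFC 959).
STANDARD_FTP = {"USER", "PASS", "CWD", "CDUP", "QUIT", "PORT", "PASV", "TYPE", "MODE",
                "RETR", "STOR", "APPE", "REST", "RNFR", "RNTO", "ABOR", "DELE", "RMD",
                "MKD", "LIST", "NLST", "SYST", "STAT", "HELP", "NOOP", "SIZE", "PWD"}


def classify_session(dst_port, server_banner, client_commands):
    """Return alerts for one TCP session given the server's first bytes and the
    client's command lines. Ports are compared against what normally lives there."""
    alerts = []
    banner = server_banner.lstrip()
    looks_ftp = banner.startswith(b"220")
    if looks_ftp and dst_port != 21:
        alerts.append(f"FTP greeting on TCP/{dst_port} (FTP normally on 21)")
    elif dst_port == 22 and not banner.startswith(b"SSH-"):
        alerts.append("TCP/22 listener does not speak SSH")
    if banner.startswith(b"RFB ") and not 5900 <= dst_port <= 5999:
        alerts.append(f"VNC (RFB) server on TCP/{dst_port} (VNC normally on 5900+)")
    for cmd in client_commands:
        verb = cmd.split(None, 1)[0].upper() if cmd.strip() else ""
        if verb == "EXEC":
            alerts.append(f"non-standard FTP command EXEC: {cmd.strip()}")
        elif looks_ftp and verb and verb not in STANDARD_FTP:
            alerts.append(f"unknown FTP command {verb}")
    return alerts


def analyze(sessions):
    """sessions: iterable of (dst_ip, dst_port, server_banner, client_commands)."""
    return {f"{ip}:{port}": classify_session(port, banner, cmds)
            for ip, port, banner, cmds in sessions}


# Constructed session records, not real traffic.
SESSIONS = [
    ("10.0.0.7", 22, b"SSH-2.0-OpenSSH_6.7\r\n", []),
    ("10.0.0.9", 22, b"220 FTP server ready\r\n", ["USER admin", "PASS pw", "EXEC cmd.exe /c whoami"]),
    ("10.0.0.9", 23, b"RFB 003.008\n", []),
    ("10.0.0.11", 21, b"220 vsFTPd 3.0.2\r\n", ["USER anonymous", "PASS guest", "LIST"]),
    ("10.0.0.12", 23, b"\xff\xfd\x18login: ", []),  # genuine telnet negotiation
]

if __name__ == "__main__":
    for key, alerts in analyze(SESSIONS).items():
        print(key, alerts or "ok")
```

Only 10.0.0.9 raises alerts: the FTP greeting on port 22 together with the EXEC command, and the RFB greeting on port 23. The OpenSSH session on 22, the real FTP server on 21 and the telnet server on 23 pass.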


3.3 Additional functionality


Self-protection mechanism
To protect itself, the threat has a watchdog process that repeatedly sets registry subkeys to lower the security settings and ensure that the subkey used for persistence is intact. The threat keeps a copy of the installer in memory and checks if the copy of the threat on the disk is present. If the threat discovers that the disk-based copy of itself is missing, it will drop a new copy of the installer to the disk and launch the installer to infect the computer again.


Stealing cookies

The threat may steal cookies to hijack online sessions for banking and social media websites. The threat steals cookies from the compromised computer’s browsers, stores them in archive files, and sends them to the C&C server. The threat may steal cookies from Internet Explorer, Firefox, Opera, Flash, Safari, and Chrome.


Stealing login credentials
The threat may steal login credentials for a large number of FTP clients, including Windows Commander/Total Commander, FlashFXP, FTP Commander, and SmartFTP. It does this by reading the configuration files and registry hives in which these applications store saved credentials.


Man-in-the-browser/webinjects
The threat may monitor a victim’s frequently visited websites, including online banking websites. When the threat recognizes that a victim is on a specific site, such as a bank, it will act as a man-in-the-browser (MITB) and inject code into the web page. The code will request that the user submit sensitive information not normally required during a standard login process. Any data entered by the user is collected and sent to the attacker.

The attacker can then use this information to access the victim’s credit cards and bank accounts. A typical webinject may modify a bank login web page to include requests for credit card details, date of birth, or even PIN codes for bank cards.


Stealing files
The threat may also steal files from the compromised computer. The threat scans for specific folders or files that may contain login credentials and then archives them and sends them to the C&C server. The threat accomplishes this by using the SHGetFolderPathA API with CSIDL_LOCAL_APPDATA to locate the folder path. It then uses GetLogicalDriveStrings to find details on valid drives on the compromised computer and then checks the drive type through GetDriveType. If the type is DRIVE_FIXED, the threat will scan the drive.

The following are some example file name patterns that the threat tries to search for:
  • *wallet.dat
  • *pass*
  • *pass*.txt
  • *pass*.docx
  • *pass*.xlsx
  • *password*
  • *password*.txt
  • *password*.docx
  • *password*.xlsx
  • *passwords*.
  • *passwords*.txt
  • *passwords*.docx
  • *passwords*.xlsx
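The patterns above are wildcards of the kind Windows file searches accept, and they are broader than they look: "*pass*" also matches "bypass.txt" or "Compass Notes.docx", so the threat exfiltrates more than password files. The script below, an added example rather than Symantec's code, applies the list exactly as quoted to file names (case-insensitively, as Windows does) so you can see what on a share or profile would be collected; the paths in SAMPLE_PATHS are constructed. The DRIVE_FIXED filter the writeup mentions (GetDriveType) is Windows-only, so walk_fixed_drive() leaves choosing the roots to the caller.

```python
import fnmatch
import os
import re

# Patterns quoted above, exactly as listed (including the trailing-dot one).
PATTERNS = ["*wallet.dat", "*pass*", "*pass*.txt", "*pass*.docx", "*pass*.xlsx",
            "*password*", "*password*.txt", "*password*.docx", "*password*.xlsx",
            "*passwords*.", "*passwords*.txt", "*passwords*.docx", "*passwords*.xlsx"]


def matching_patterns(filename):
    """Patterns that match the file's base name (Windows-style, case-insensitive).
    Accepts both backslash and slash separators so Windows paths work on any OS."""
    name = re.split(r"[\\/]", filename)[-1].lower()
    return [p for p in PATTERNS if fnmatch.fnmatchcase(name, p.lower())]


def exposed_files(paths):
    """Map each path that at least one pattern would pick up to the patterns hit."""
    result = {}
    for path in paths:
        hits = matching_patterns(path)
        if hits:
            result[path] = hits
    return result


def walk_fixed_drive(root):
    """Walk a mounted volume and report exposed files under it. The caller decides
    which roots are fixed drives (the writeup's DRIVE_FIXED check is Windows-only)."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return exposed_files(paths)


# Constructed file list (not from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\passwords.xlsx",
    r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat",
    r"C:\Users\alice\Documents\ftp_password.txt",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"D:\projects\bypass.txt",
    r"C:\Users\bob\Desktop\Compass Notes.docx",
]

if __name__ == "__main__":
    for path, hits in exposed_files(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(hits))
```

One difference to keep in mind: fnmatch applies Unix wildcard rules, while the Win32 FindFirstFile matcher treats a trailing "." specially (a pattern such as "*." matches names with no extension), so the "*passwords*." entry may catch files on a Windows host that this script does not.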



4. ADDITIONAL INFORMATION

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further, we recommend that you run a full system scan. If that does not resolve the problem, you can try one of the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool


If a Windows system file has been infected, you may need to replace it from the Windows installation CD.


How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.


FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


Removal Tool

If a Windows system file has been infected, you may need to replace it from the Windows installation CD.


How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See in the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.