W32.Ramnit.N

Printer Friendly Page

Discovered: April 07, 2011
Updated: April 07, 2011 10:20:46 AM
Also Known As: W32/Ramnit.N [F-Secure]
Systems Affected: Windows

W32.Ramnit.N is a virus that infects .exe, .dll. and .html files. It also downloads other threats on to the compromised computer.

Discovered: April 07, 2011
Updated: April 07, 2011 10:20:46 AM
Also Known As: W32/Ramnit.N [F-Secure]
Systems Affected: Windows

When the virus is executed, it creates the following files:
%ProgramFiles%\Microsoft\WaterMark.exe
%ProgramFiles%\Microsoft\[ORIGINAL FILE NAME].exe

The virus then creates the following registry entry, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"

It also creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WASAntidot\"disable" = "1"

The virus then infects .exe, .dll. and .html files with a copy of itself.

The virus may also download other threats on to the compromised computer.