1. Symantec/
  2. Security Response/
  3. W32.Ramnit


Risk Level 2: Low

January 19, 2010
March 2, 2015 11:03:26 AM
Infection Length:
10,240 bytes
Systems Affected:
CVE References:
CVE-2013-1493, CVE-2010-2568, CVE-2013-0422
W32.Ramnit is a worm that spreads through removable drives. The worm also functions as a back door allowing a remote attacker to access the compromised computer.

The threat is distributed through removable drives, infected files on public FTP servers, exploit kits served through malicious advertisements on legitimate websites or social media, and is also bundled with potentially unwanted applications.

To spread itself, the threat will infect EXE, DLL, HTM, and HTML files and make copies of itself on removable and fixed drives.


The primary function of this threat is to steal information from the compromised computer. It does this by downloading various modules that can perform the following tasks:
  • Steal cookies to hijack online sessions for banking and social media websites. The threat steals cookies from the compromised computer’s browsers, stores them in archive files, and sends them to the C&C server.
  • Steal login credentials for a large number of FTP clients.
  • Monitor a victim’s frequently visited websites, including online banking websites. When the threat recognizes that a victim is on a specific site, it will act as a man-in-the-browser (MITB) and inject code into the web page. It will then request that the user submit sensitive information that is not normally submitted to a bank during login. The attacker can then use this information to access the victim’s credit cards and bank accounts.
  • Give the attacker remote access to the compromised computer.
  • Steal files from the compromised computer. The threat scans for specific folders or files that may contain login credentials and then archives them, and sends them to the C&C server.
  • Allow the attacker to remotely connect to the compromised computer and browse the file system through an anonymous FTP server. The FTP server lets the attacker upload, download, and delete files, and execute commands.
The threat will also write a copy of the installer to the computer’s file system and store a copy of itself in memory. This allows the threat to be dropped back onto the file system and executed again if the compromised computer’s antivirus software detects and deletes the threat, or quarantines it.

It will also open a back door and connect to a C&C server so it can receive commands and request the modules that are used to steal information from the compromised computer. The commands that the threat can receive include capturing screenshots, uploading cookies, gathering computer-related information, and deleting root registry keys to prevent the computer from starting up.

Geographical distribution
Symantec has observed the following geographic distribution of this threat:

The following Symantec detections protect against this threat family:


Antivirus Protection Dates

  • Initial Rapid Release version January 19, 2010 revision 040
  • Latest Rapid Release version January 15, 2018 revision 020
  • Initial Daily Certified version January 19, 2010 revision 051
  • Latest Daily Certified version January 15, 2018 revision 024
  • Initial Weekly Certified release date January 20, 2010
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube