Monday, March 21, 2016

VIRUS.WIN32.RAMNIT.A

by Atlantis on April 12th, 2012 in Malware Descriptions.
Detect: Virus.Win32.Ramnit.a
Platform: Win32
Type: Virus
Size: 103936 bytes
Language: C++
md5: CDF0778E1B80069D137A3E7A0C7C787F
sha1: E1826123B190C1FB3D11BBEA33EF6D1CCEABAD43
Summary
It is a malicious program which infects files on a User's PC.
Technical Details
Spreading over Removable Storage Devices
On all removable storage devices connected to the infected computer, the virus creates the following files:
:\Recycler\S-\.cpl (3584 bytes)
:\Recycler\S-\.exe (56832 bytes)
:\Copy of Shortcut to (1).lnk (691 bytes)
:\Copy of Shortcut to (2).lnk (722 bytes)
:\Copy of Shortcut to (3).lnk (858 bytes)
:\Copy of Shortcut to (4).lnk (867 bytes)
:\autorun.inf (11964 bytes)
where
  •  — is a digit identifier (e.g.: "1-4-83-4678327503-5842818778-105234524-7024"),
  •  — random Latin alphabet sequences (e.g.: "xVgGwSIp", "lwTCZgQP").
The "autorun.inf" file contains a malicious script:
[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=\RECYCLER\S-\.exe
shell\explore\command=\RECYCLER\S-\.exe
USEAUTOPLAY=1
shell\Open\command=\RECYCLER\S-\.exe
The script is executed each time the user opens the infected disk using the Windows Explorer if the autoplay function is turned on. Being executed, the script launches the ".exe" file. Shortcuts created by the malicious program are exploits which use the CVE-2010-2568 vulnerability. In the "shell32.dll" library, this vulnerability consists in error of the shortcut processing (lnk and .pif files) and allows launching a code of random Windows libraries when hitting icons to open programs by the Windows Explorer. The code of the ".cpl" library is launched. Being executed, it launches the ".exe" file. The malicious program prevents modifying the files described above and creates them in an endless cycle.
File Infection
The virus infects files with the following extensions:
exe
html
dll
htm
Executive files and Windows dynamic link libraries are infected by adding the virus body in the end of the last PE-section of the target file. With that, an entry point to the program changes in such a way as to allow the virus code to manage it. While infecting the HTML, HTM files, the following script is added in the end of the target document:
Thus, upon each launch, the virus body is saved to the current user's temporary folder as
%Temp%\svchost.exe
and launched for execution.
Payload
Once the infected file is launched, the Trojan decrypts and extracts the following file from its body:
%WorkDir%\Srv.exe
Then, the created file is launched for execution. With that, a copy of the file is created and launched:
%Program Files%\Microsoft\WaterMark.exe
Then, the "WaterMark.exe" process launches an example of the "svchost.exe" system process and injects its code into this process which performs the following actions:
  • Creates a unique identifier with the following name to control the uniqueness of its process in the system:
    Global\SYSTEM_DEMETRA_MAIN
  • Modifies a registry key value to automatically run a malicious software copy created earlier:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%System%\userinit.exe,,%Program files%\microsoft\watermark.exe"
    With that, the copy is launched by the "winlogon.exe" process even if a computer starts in a safe mode.
  • Prevents modifying autorun registry key as well as the "WaterMark.exe" file.
  • Creates a configuration file to store the current settings of the malicious software:
    %System%\dmlconf.dat
  • Visit the following resource to check for a connection to the Internet:
    google.com
  • Realizes the backdoor. To get a list of commands, it connects to the servers:
    tybdtyutjfyvetscev.com
    ervwetyrbuyouiylkdhrbt.com
    tybsyiutnrtvtybdrser.com
    Depending on the command(s) get from the intruder, the backdoor can perform the following actions:
    - upload files to the infected computer and launch them for execution.
    - connect to another server to get commands.
  • The code injected into the address space of the "svchost.exe" process executes a functionality described in the Spreading over Removable Storage Devices and File Infection sections.
Removal Recommendations
To delete a malicious program, proceed through the steps listed below:
  1. Run a full scan of your computer using the Antivirus program with the updated definition database.
  2. Do not launch the EXE, HTM, HTML files and do not reboot your computer until a full scan is complete.
  3. Restore the infected files from the backup copies.
  4. Restore the registry key value (How to Work with System Registry):
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "userinit.exe"
  5. Delete the following files:
    :\Recycler\S-\.cpl (3584 bytes)
    :\Recycler\S-\.exe (56832 bytes)
    :\Copy of Shortcut to (1).lnk (691 bytes)
    :\Copy of Shortcut to (2).lnk (722 bytes)
    :\Copy of Shortcut to (3).lnk (858 bytes)
    :\Copy of Shortcut to (4).lnk (867 bytes)
    :\autorun.inf (11964 bytes)
    %Temp%\svchost.exe
    %WorkDir%\Srv.exe
    %Program Files%\Microsoft\WaterMark.exe
  6. Delete the original Trojan file (its file name and location depends on the way the Trojan originally penetrated a user’s computer).
  7. Delete an original Trojan file (its location on the infected PC depends on the way the program has been installed on the PC).
  8. Clean the Temporary Internet Files folder which contains infected files

No comments: