Win32/RAMNIT.A Anyone?


Sorry about the crosspost to ba.internet, but I know there are malware experts
out there.  

Does anybody have EXPERIENCE with Win32/RAMNIT.A ?  I'm having a devil of a
time removing it.  The only tool that detects it consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it.  

I'm not sure if it's a virus or a worm.  MSSE says it's a virus, but I can't
figure out what's launching it.

I have eliminated one rootkit and subsequent scans show no more rootkits.  
This thing has dropped startup payloads into the StartUp folder, into the Run
keys, into Prefetch, and it masquerades as everything from random 4-letter
clusters to names like "Microsoft Suite", etc.

It also captures the date when Windows was first installed, so I can't
reliably search for the thing via date, either.  

Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
the infections are in everything from drivers to executables in all kinds of
directories.  

At the moment I'm running the computer in safe mode with no Internet and MSSE
is not detecting any more Ramnit.  I've scanned it 3 times.  But as soon as I
go back into regular mode and get an Internet connection back up it'll start
infecting again.

Oh, and I've reset the Winsock stack twice just in case there's a little
wedgie in there.  Still comes back.

Any help would be most appreciated.  You can reach me directly by email.  The
address is valid.

Thanks.


Re: Win32/RAMNIT.A Anyone?




A friend of mine that does virus removal as part of his business swears
by MalwareBytes


http://www.malwarebytes.org/mbam.php

Re: Win32/RAMNIT.A Anyone?





I do this professionally as well.  I asked *specifically* for comments from
people who have *experience* with this threat.  I used MalwareBytes
Antimalware several times including the complete disk scan for 2 1/2 hours.  
It did not detect anything.  

Again, I'm interested in hearing only from people who have *experience* with
Win32.Ramnit.A

Thank you.


Re: Win32/RAMNIT.A Anyone?





David Kaye wrote:

Well, have you tried PC Butts' Remove-it software?

Whee Haw!!!
Buffalo



Re: Win32/RAMNIT.A Anyone?




| Sorry about the crosspost to ba.internet, but I know there are malware experts
| out there.

| Does anybody have EXPERIENCE with Win32/RAMNIT.A ?  I'm having a devil of a
| time removing it.  The only tool that detects it consistently is MS Security
| Essentials, and MSSE keeps counting it and "disinfecting" it.

| I'm not sure if it's a virus or a worm.  MSSE says it's a virus, but I can't
| figure out what's launching it.

| I have eliminated one rootkit and subsequent scans show no more rootkits.
| This thing has dropped startup payloads into the StartUp folder, into the Run
| keys, into Prefetch, and it masquerades as everything from random 4-letter
| clusters to names like "Microsoft Suite", etc.

| It also captures the date when Windows was first installed, so I can't
| reliably search for the thing via date, either.

| Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
| the infections are in everything from drivers to executables in all kinds of
| directories.

| At the moment I'm running the computer in safe mode with no Internet and MSSE
| is not detecting any more Ramnit.  I've scanned it 3 times.  But as soon as I
| go back into regular mode and get an Internet connection back up it'll start
| infecting again.

| Oh, and I've reset the Winsock stack twice just in case there's a little
| wedgie in there.  Still comes back.

| Any help would be most appreciated.  You can reach me directly by email.  The
| address is valid.

| Thanks.


What is the fully qualified name and path to the file deemed infected with
RAMNIT.A, and did you capture a copy of this malware?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?



David Kaye wrote:

No experience, but if I were in your shoes I'd start here:

<http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

jc

Re: Win32/RAMNIT.A Anyone?



jcdill wrote:

I saw no answer to the 'Question' - but I did copy and paste the HJT log
into www.hijackthis.de - there were six questionable entries highlighted.

Re: Win32/RAMNIT.A Anyone?





Been there, done that.  Thanks anyway.  I'm reinstalling Windows and the
programs this afternoon.  I hate to do that.  Oh well.  


Re: Win32/RAMNIT.A Anyone?




| David Kaye wrote:


| No experience, but if I were in your shoes I'd start here:

| <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

The problem is that it may not be the same, based upon the !HTML suffix, which
implies HTML code and possibly exploitation rather than the actual infection.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?




It's a shame he couldn't provide you with a sample. His description of
symptoms doesn't exactly match up with what this malware is/does. This
could be a new malware worm dropping ramnit.a as it finds new systems.



Re: Win32/RAMNIT.A Anyone?





What kind of sample?  A sample of the malware?  I'm loath to provide that; I
don't want to be responsible for infecting any computers.  I've already given
some filenames and directories.  

But regardless of what names I provide, there is still something being
launched that I'm unaware of that is rebuilding the files I see.  As
previously stated, I've removed the HD, scanned it for rootkits and malware
and reinstalled it and the stuff comes back.  

Well, folks, thanks anyway.  I'm just going to reinstall Windows, something I
seldom have to do.  It's got me beat and I can't spend any more time on this
issue.  I'm backed up in work again.


Re: Win32/RAMNIT.A Anyone?






| What kind of sample?  A sample of the malware?  I'm loath to provide that; I
| don't want to be responsible for infecting any computers.  I've already given
| some filenames and directories.

| But regardless of what names I provide, there is still something being
| launched that I'm unaware of that is rebuilding the files I see.  As
| previously stated, I've removed the HD, scanned it for rootkits and malware
| and reinstalled it and the stuff comes back.

| Well, folks, thanks anyway.  I'm just going to reinstall Windows, something I
| seldom have to do.  It's got me beat and I can't spend any more time on this
| issue.  I'm backed up in work again.


Providing a sample of malware to http://www.uploadmalware.com/ will *NOT* cause
more computers to be infected.
On the contrary, people who have access to the files are experienced at handling
malware.
The culmination of all submissions gets distributed to the listed anti-malware
companies.

Therefore, sample submission to UploadMalware leads to greater recognition of
submitted samples.

Vendor list:
http://www.uploadmalware.com/vendors.php


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?



snip stuff about experienced posters only.

I come here to learn, and there are some experts here.  The OP
considers himself an expert and only wants
to talk to experts.  I would say his final approach of wiping and re-
installing the OS (which he didn't mention),
but first trying to save .docs, mp3 and other important files, is the
only solution.  I learned that RAMNIT.A
is a PE infector, infects other known files, like IE.  Here's some
info at sophos.com:

http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

The OP knows the name of the malware, so he must have submitted a
sample somewhere.
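The post above describes RAMNIT.A as a PE infector, that is, malware that writes itself into other executables on disk. As an added illustration (my own code, not from any poster in this thread nor from Sophos), the following Python script applies a classic triage heuristic for appended-section file infectors: it parses a PE image's section table and flags a file whose entry point sits in the last section, and whose entry section is both writable and executable. The sample images are constructed in memory (header-only PE32 layouts), and the function names and flag values chosen here are my own assumptions, not anything the thread states.

```python
import struct

# IMAGE_SCN_* section characteristic flags from the PE specification.
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000

def parse_sections(data):
    """Return (entry_rva, [(name, va, size, characteristics), ...]) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, size_opt = (struct.unpack_from("<H", data, e_lfanew + o)[0] for o in (6, 20))
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):  # section headers follow the optional header, 40 bytes each
        off = e_lfanew + 24 + size_opt + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, max(vsize, rawsize), chars))
    return entry_rva, sections

def entry_point_findings(data):
    """Heuristic flags of an appended-section infector: entry point moved into the last section, and that section W+X."""
    entry_rva, sections = parse_sections(data)
    findings = []
    for idx, (name, va, size, chars) in enumerate(sections):
        if va <= entry_rva < va + size:
            if idx == len(sections) - 1 and len(sections) > 1:
                findings.append("entry point in last section %r" % name)
            if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
                findings.append("entry section %r is writable and executable" % name)
            break
    else:  # no section covers the entry point at all, which is suspicious in its own right
        findings.append("entry point 0x%x outside every section" % entry_rva)
    return findings

def build_pe(entry_rva, sections):
    """Constructed header-only PE32 image used as sample input; sections = [(name, va, size, chars)]."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), s, va, s, 0, 0, 0, 0, 0, c)
                     for n, va, s, c in sections)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + table

# Constructed samples: a normal layout beside the appended-section layout a file infector leaves behind.
TEXT, DATA = (".text", 0x1000, 0x2000, SCN_MEM_EXECUTE), (".data", 0x3000, 0x1000, SCN_MEM_WRITE)
CLEAN = build_pe(0x1000, [TEXT, DATA])
SUSPECT = build_pe(0x4000, [TEXT, DATA, (".xyzw", 0x4000, 0x800, SCN_MEM_EXECUTE | SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, entry_point_findings(sample) or ["no findings"])
```

Packers and some legitimate linkers also place the entry point in a late or writable section, so a hit is a reason to submit the file for analysis, not a verdict on its own.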

Re: Win32/RAMNIT.A Anyone?




| snip stuff about experienced posters only.

| I come here to learn, and there are some experts here.  The OP
| considers himself an expert and only wants
| to talk to experts.  I would say his final approach of wiping and re-
| installing the OS (which he didn't mention),
| but first trying to save .docs, mp3 and other important files, is the
| only solution.  I learned that RAMNIT.A
| is a PE infector, infects other known files, like IE.  Here's some
| info at sophos.com:

| http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

| The OP knows the name of the malware, so he must have submitted a
| sample somewhere.

From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ?  I'm having a devil of a
time removing it.  The only tool that detects it consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it."

He didn't submit a sample somewhere, MSE scanned the system, detected it
(Win32/RAMNIT.A ), but MSE failed to fully remove and clean the system of it.
Dave also indicated he tried Avast to no avail.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?





  | snip stuff about experienced posters only.

  | I come here to learn, and there are some experts here.  The OP
  | considers himself an expert and only wants
  | to talk to experts.  I would say his final approach of wiping and re-
  | installing the OS (which he didn't mention),
  | but first trying to save .docs, mp3 and other important files, is the
  | only solution.  I learned that RAMNIT.A
  | is a PE infector, infects other known files, like IE.  Here's some
  | info at sophos.com:

  | http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

  | The OP knows the name of the malware, so he must have submitted a
  | sample somewhere.

  From Dave's first post...
  "Does anybody have EXPERIENCE with Win32/RAMNIT.A ?  I'm having a devil of a
  time removing it.  The only tool that detects it consistently is MS Security
  Essentials, and MSSE keeps counting it and "disinfecting" it."

  He didn't submit a sample somewhere, MSE scanned the system, detected it
  (Win32/RAMNIT.A ), but MSE failed to fully remove and clean the system of it.
  Dave also indicated he tried Avast to no avail.

  --
  Dave
  http://www.claymania.com/removal-trojan-adware.html
  Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

  Having cast my eye through this post, I think I would have given PrevX a go :-)
  ...and having read http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
  ...I think (seeing as Sophos is armed against it), I'd try Sophos CLS from Bart PE cd :-)
  regards, Richard




Re: Win32/RAMNIT.A Anyone?



On 7/27/2010 11:17 PM, RJK wrote:

       It seems the information I found on this worm is that it
probably hides in the "system volume information" folder that is
"read only" and "hidden" by default. The worm just keeps getting
reinstalled and can't be cleaned unless the permissions are
changed for that folder. The information on this site links to
instructions for cleaning RAMNIT.A.

http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059

      This links to information on how to disable "system
restore" in order to remove the infection. It may be possible to
use some offline scanner like BitDefender to remove the worm but
it's better done in Windows.

John


Re: Win32/RAMNIT.A Anyone?




| On 7/27/2010 11:17 PM, RJK wrote:


|        It seems the information I found on this worm is that it
| probably hides in the "system volume information" folder that is
| "read only" and "hidden" by default. The worm just keeps getting
| reinstalled and can't be cleaned unless the permissions are
| changed for that folder. The information on this site links to
| instructions for cleaning RAMNIT.A.

| http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059

|       This links to information on how to disable "system
| restore" in order to remove the infection. It may be possible to
| use some offline scanner like BitDefender to remove the worm but
| it's better done in Windows.

Sorry, you are misinterpreting the information.

Malware doesn't "hide" in the "system volume information" folder.  That is where
the System Restore cache resides.  What they are talking about is removing restore
points such that you won't re-infect the PC if you restore the PC from a restore
point that had been made in an infected condition.

However, I have learned that it is NOT a good idea to dump the System Restore
cache while cleaning a PC.  It is better to have an infected, working PC than to
have a PC that may be unstable and you can't restore the PC to a stable but
infected condition.  Once the PC is thoroughly cleaned and verified and is stable,
then you can dump the System Restore cache.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?



On 7/29/2010 3:24 AM, David H. Lipman wrote:

      Some malware specifically uses the "system volume
information" folder to reinfect the computer. It will infect
multiple restore points even those that were there before the
particular worm was introduced. I've had some experience with these.


       This is one reason us PROFESSIONALS do a complete drive
backup before we remove the infection in this way. That way if
something goes wrong, you can always go back to the beginning.

      It's possible to allow writing to the folder in question.
I have cleaned a few computers in this way and I usually find
that the restore points are not worth saving. I've had
absolutely no systems lost due to cleaning out the system
restore points. Never lost one and never needed to use the
backup on these types of infections. I find it better to have a
professional do the malware removal than someone who risks
losing everything because they're afraid to remove the restore
caches.

John



Re: Win32/RAMNIT.A Anyone?




| On 7/29/2010 3:24 AM, David H. Lipman wrote:

|       Some malware specifically uses the "system volume
| information" folder to reinfect the computer. It will infect
| multiple restore points even those that were there before the
| particular worm was introduced. I've had some experience with these.



|        This is one reason us PROFESSIONALS do a complete drive
| backup before we remove the infection in this way. That way if
| something goes wrong, you can always go back to the beginning.

|       It's possible to allow writing to the folder in question.
| I have cleaned a few computers in this way and I usually find
| that the restore points are not worth saving. I've had
| absolutely no systems lost due to cleaning out the system
| restore points. Never lost one and never needed to use the
| backup on these types of infections. I find it better to have a
| professional do the malware removal than someone who risks
| losing everything because they're afraid to remove the restore
| caches.

| John


You said...
"Some malware specifically uses the "system volume information" folder to
reinfect the computer."

Since you also stated "...us PROFESSIONALS...".
What is that malware specifically?  You should know it or it should be in your
notes.
I'd like to know what it is you are referring to.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?



On 7/29/2010 1:40 PM, David H. Lipman wrote:

      Yes that's exactly what I said. One thing I've noticed
from 25 years of seeing malware is that the writers of malware
will use anything and everything to infect a system. They will
make it as hard as possible to remove them too.


      The professional thing to do is make a backup so you can
do what needs to be done to repair the system. I don't usually
hear other professionals say they are afraid to do something as simple as
removing restore points to repair a system.


        I don't remember the exact name of the worms and trojans
as it was over a year ago when I removed the last one. There are
so many variants of existing malware and new malware out there.
As for my notes, I don't need notes on specific malware I just
do what it takes to remove whatever it is. My notes deal mostly
with behavior of the malware and what it takes to remove it.
However I still have the scanner logs I did then and I'll look
through them. You should also know that scanners can find
malware and not give it a name because it detects signatures and
behavior. The particular malware may not be in the database as yet.

       You should know there is malware out there that will
trash the registry and it's backup. It will require some sort of
reinstall to get the system back working. I found it very rare
that I need to do a full reformat and reinstall because of
malware. Some malware will also corrupt system files and when
you remove them with scanners, it will make the installation
unbootable. This is yet another reason professionals will make a
backup if possible before removing infections.

      I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.

John
