Win32/RAMNIT.A Anyone? - Page 11



Re: Win32/RAMNIT.A Anyone?






| What kind of sample?  A sample of the malware?  I'm loathe to provide that; I
| don't want to be responsible for infecting any computers.  I've already given
| some filenames and directories.

< snip >

Samples that I "did" receive from someone who remains anonymous.

http://www.virustotal.com/analisis/ded3dae323a909c4752fa135de72cdc00ce0da3d1a5fd715fe536105a4da8cac-1280356012

http://www.virustotal.com/analisis/08b348341fb2a24d0ddf765afe7fedb171cdd7ab9dcfa5aab5dc6bfa3b2ce797-1280350307



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?



David H. Lipman wrote:

My point was to use the experts-exchange site to get help if the answers
already posted don't solve the problem.  They are amazingly helpful with
providing assistance (for free) to people who follow the recommended
steps (such as running hijackthis and posting the logs etc.).  I've
found the answer to solving several pesky virus/worm problems simply by
searching the experts-exchange site without having to post my own query,
but if I couldn't find the answer in the archives then I wouldn't
hesitate to post.

jc

Re: Win32/RAMNIT.A Anyone?




| David H. Lipman wrote:






| My point was to use the experts-exchange site to get help if the answers
| already posted don't solve the problem.  They are amazingly helpful with
| providing assistance (for free) to people who follow the recommended
| steps (such as running hijackthis and posting the logs etc.).  I've
| found the answer to solving several pesky virus/worm problems simply by
| searching the experts-exchange site without having to post my own query,
| but if I couldn't find the answer in the archives then I wouldn't
| hesitate to post.

Ant defined the !HTML suffix (and !INF) as being modified by the Ramnit.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?




Seems sort of like the old DAM suffix - but instead of being damaged,
these files were modified to act as droppers. Not actual viral
infection, but perhaps infection in the furtherance of the worm. Another
write-up I saw mentioned infection of portable executable files, again
not with copies of itself like a virus, but rather to add dropper
functionality.

So, I'm guessing it could be polymorphic in the way it infects PEs and
the symptoms David Kaye experienced were because some were being missed
by the current definitions supplied for the AV tools he used.

Either that, or there is something *new* about the one he had.



Re: Win32/RAMNIT.A Anyone?













| Seems sort of like the old DAM suffix - but instead of being damaged,
| these files were modified to act as droppers. Not actual viral
| infection, but perhaps infection in the furtherance of the worm. Another
| write-up I saw mentioned infection of portable executable files, again
| not with copies of itself like a virus, but rather to add dropper
| functionality.

| So, I'm guessing it could be polymorphic in the way it infects PEs and
| the symptoms David Kaye experienced were because some were being missed
| by the current definitions supplied for the AV tools he used.

| Either that, or there is something *new* about the one he had.


Maybe it is like the Virut in that it modified HTML files in a way that, when
viewed, could cause you to download and re-infect the computer.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?




That's what I gathered. Interesting it not being viral with respect to
exe infection though (if that is indeed the case).



Re: Win32/RAMNIT.A Anyone?





David,

READ & RUN ME FIRST. Malware Removal Guide
http://forums.majorgeeks.com/showthread.php?t=35407

Haven't yet found the beastie this procedure wouldn't clean w/o
reformatting a drive.

If I have time, I go through with it.  If it's more expedient to wipe
the drive I just harvest data, and reinstall the OS. But I prefer the
'thrill of the hunt' so to speak.


TBerk


Re: Win32/RAMNIT.A Anyone?





I didn't have to reformat; I reinstalled using the file overwrite method (the
one that doesn't destroy the registry) after running several rootkit removers
and being certain there were no rootkits.  

Ramnit destroyed over 4000 executables (exe and dll), so it was inevitable
that I'd have to reinstall the OS.  Project completed.  The computer runs like
new.  



When one does this professionally it's not the thrill of the hunt but keeping
the client as happy as possible in the least amount of time.  This means
disturbing as little of their experience as possible -- keeping their
wallpaper and all their other user interface experiences as close to what
they were before infection as possible.

In over 8 years doing this fulltime I've only had to reformat maybe 4 times.  
I've had to reinstall the OS about 10 times.  But this one really caught me by
surprise.


Re: Win32/RAMNIT.A Anyone?



On Jul 29, 12:46 am, sfdavidka...@yahoo.com (David Kaye) wrote:
<snip>

Let's see...


CP/M
8" floppy disks
5 1/4" floppies, but with Hard Sector holes cut in them
Data Storage on Cassette Tape
Soldering together your own Serial Cable to make sure you got the
Handshaking right.

Eight years, heh heh.  (Not flam'n,) just ruminating nostalgically.

Hell, 'the Cuckoo's Egg' for that matter.



TBerk
Now I want to pop some corn and go watch a 'Sneakers' & 'Hackers'
double bill...

Re: Win32/RAMNIT.A Anyone?




| On Jul 29, 12:46 am, sfdavidka...@yahoo.com (David Kaye) wrote:
| <snip>

| Let's see...


| CP/M
| 8" floppy disks
| 5 1/4" floppies, but with Hard Sector holes cut in them
| Data Storage on Cassette Tape
| Soldering together your own Serial Cable to make sure you got the
| Handshaking right.

| Eight years, heh heh.  (Not flam'n,) just ruminating nostalgically.

| Hell, 'the Cuckoo's Egg' for that matter.


:-)


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?







I've got a tape streamer in a jiffy bag, floating around in a plastic sack
of old spares, out in the garage if you want it :-)
...and the ISA interface card and two or three TR3 tapes to go with it !!

....whilst looking for a picture of it, I found :-
http://cgi.ebay.co.uk/SEAGATE-CTT3200I-F-CTT3200R-F-TAPE-DRIVE-fbc1a8-/350250404498
...same as mine :-)

...I wonder if the vendor will ever sell it ?

I do remember that the chap that bought it paid around 400 if memory serves!

regards, Richard

Re: Win32/RAMNIT.A Anyone?









ps re: CP/M  ....LocoScript (word processing application), was quite popular
in its time, and many years ago, a brief acquaintance and his wife, (many
years ago), used to make quite a nice living, traveling around the UK doing
training courses in it !

Re: Win32/RAMNIT.A Anyone?





Which did you find to be more realistic for its time? Sneakers or
Hackers?
 



--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ."  - author unknown.

Re: Win32/RAMNIT.A Anyone?




Sneakers, (I'm tempted to add "of course" to that).

'Hackers' was aimed at a younger audience, was 'hip' and 'kool' and so
on*. 'Sneakers', on the other hand, while still making concessions to
Hollywood and the necessary evils of getting a story to the screen,
was sly about dropping insider wink-wink knowledge and wasn't afraid
to talk over the head of the audience, a bit, for what we might take
as authenticity.

Another difference is that 'Hackers' was laden with trying to describe
hacking a system with a graphical interface that looked like
Microsoft Flight Simulator, "but better".

*(Hackers was also infamous for the young Angelina Jolie 'dream
sequence'...).  hubba, hubba.  <--- (gratuitous, rhetorical reference
and requisite response complete.)

Of the two, 'Hackers' is more silly fun & 'Sneakers' is more mature,
serious fun. I make that observation not just based on the ave. age of
the cast btw.

If you care to think about it, both raise interesting questions about
Security vs Freedom, (and Responsibility for that matter).


TBerk


Re: Win32/RAMNIT.A Anyone?





Hehehe.. And your opinion of WarGames?
 

Yep.. that's true enough.
 



--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ."  - author unknown.

Re: Win32/RAMNIT.A Anyone?






Here is the other half of the double bill-

http://www.imdb.com/title/tt0091472/


TBerk

Re: Win32/RAMNIT.A Anyone?




Yea, I didn't care much for that one.


--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ."  - author unknown.

Re: Win32/RAMNIT.A Anyone?



On 7/26/2010 9:51 PM, David Kaye wrote:

You may want to try turning off "system restore" in
"system properties". Then reboot. You may also want to make
"system volume information" accessible to your malware scanner.
Then do a scan of that folder. The default setting is "read
only" and "hidden" so if it can be scanned the malware won't be
removed. The malware can reboot that last restore point over and
over and reinfect your system over and over. A Linux based
scanner can be a way around the permissions but it's probably
better to do the scans within Windows.

John

Re: Win32/RAMNIT.A Anyone?



What I do with this class of virus:
1. Turn off System Restore and delete all restore points.
2. Note the names and locations of infected files.
3. Boot from something like Ultimate Boot CD
   <http://www.ultimatebootcd.com/>, and delete the infections.
Turn System Restore back on when disinfected.

On Tue, 27 Jul 2010 04:51:56 GMT, in
Kaye) wrote:


--
John            FAQ for Wireless Internet: <http://wireless.navas.us>
                FAQ for Wi-Fi:  <http://wireless.navas.us/wiki/Wi-Fi>
           Wi-Fi How To:  <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems:  <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
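The System Restore part of the procedure in the post above (steps 1 and the final re-enable), as it would be typed into an elevated Windows PowerShell prompt. This is an added example, not code from the thread or from John; it assumes the system drive is C: and that the Disable-ComputerRestore / Enable-ComputerRestore cmdlets of Windows PowerShell on a client edition of Windows are available.

```powershell
# Added example, not from the thread. Assumes the system drive is C: and an
# elevated Windows PowerShell session. Restore points are Volume Shadow Copies,
# which is why vssadmin is what actually deletes them.
$drive = "C:\"

# Step 1a: stop Windows from taking new restore points while cleaning, so the
# infected files noted in step 2 are not snapshotted again mid-cleanup.
Disable-ComputerRestore -Drive $drive

# Step 1b: delete every existing restore point (the "last restore point" that
# John warns can put the malware back is removed here).
vssadmin delete shadows /for=C: /all /quiet

# Check that nothing is left before booting the rescue CD and deleting files.
$remaining = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
if ($remaining.Count -gt 0) {
    Write-Warning "Restore points still present: $($remaining.Count)"
} else {
    Write-Output "No restore points remain; proceed with steps 2 and 3."
}

# Final step, only after disinfection: turn System Restore back on and take a
# known-clean checkpoint so there is something safe to roll back to.
# Enable-ComputerRestore -Drive $drive
# Checkpoint-Computer -Description "Clean after malware removal" -RestorePointType MODIFY_SETTINGS
```

The last two commands are left commented out on purpose: running them before the cleanup is finished would snapshot the infected state again.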

Re: Win32/RAMNIT.A Anyone?



What about the infected programs? That is, what about the preinfected
versions?


