The W32/Ramnit malware was written in the C programming language and is compressed with UPX. The malware file has the following characteristics:
* Size: 105 KB
* File type: "Application"
* Icon: "music folder"
* Extension: "exe"
When run, W32/Ramnit injects itself into the following Windows system files:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Internet Explorer\Iexplore.exe
If the computer is connected to the internet, W32/Ramnit downloads the following malware files and folders:
C:\Documents and Settings\%user%\Local Settings\Temp\[number].tmp
C:\Documents and Settings\%user%\Local Settings\Temp\explorer.dat
C:\Documents and Settings\%user%\Local Settings\Temp\winlogon.dat
C:\Documents and Settings\%user%\Local Settings\Temp\[random_name].exe
C:\Documents and Settings\%user%\Start Menu\Programs\[random_name].exe
C:\Program Files\Intenet Explorer\complete.dat
C:\Program Files\Intenet Explorer\dmlconf.dat
C:\Program Files\win\[random_number].exe
C:\Program Files\qwe
C:\WINDOWS\[random_name].exe
C:\WINDOWS\System32\[random_name].dll
C:\WINDOWS\System32\[random_name&number].dll
C:\WINDOWS\Temp\[number].tmp
In addition, W32/Ramnit injects the following files, if they are present:
C:\contacts.html
C:\Inetpub\wwwroot\index.html
C:\Program Files\Common Files\designer\MSADDNDR.DLL
C:\Program Files\Common Files\designer\MSHTMPGD.DLL
C:\Program Files\Common Files\designer\MSHTMPGR.DLL
C:\Program Files\Common Files\System\ado\MDACReadme.htm
C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL
C:\Program Files\MSN\MSNCoreFiles\OOBE\obelog.dll
C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll
C:\Program Files\MSN\MSNCoreFiles\OOBE\obepopc.dll
C:\Program Files\MSN\MSNIA\custdial.dll
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Program Files\MSN\MSNIA\prestp.exe
C:\Program Files\MSN\MsnInstaller\iasvcstb.dll
C:\Program Files\MSN\MsnInstaller\msdbxi.dll
C:\Program Files\MSN\MsnInstaller\msninst.dll
C:\Program Files\MSN\MsnInstaller\msninst.exe
C:\Program Files\MSN\MsnInstaller\msnsign.dll
C:\Program Files\NetMeeting\netmeet.htm
It also creates several files on removable disks/drives:
autorun.inf
Copy of Shortcut to (1).lnk
Copy of Shortcut to (2).lnk
Copy of Shortcut to (3).lnk
Copy of Shortcut to (4).lnk
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name1].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name2].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name3].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name4].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name5].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name6].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name7].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name8].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name9].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name10].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name11].exe
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name1].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name2].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name3].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name4].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name5].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name6].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name7].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name8].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name9].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name10].cpl
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name11].cpl
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name1].exe
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name2].exe
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name3].exe
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name4].exe
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name5].exe
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name6].exe
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name7].exe
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name1].cpl
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name2].cpl
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name3].cpl
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name4].cpl
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name5].cpl
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name6].cpl
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name7].cpl
On networks that use mapped drives, it also attempts to inject files with the following names:
- Blank.htm
- Citrus Punch.htm
- Clear Day.htm
- Fiesta.htm
- Ivy.htm
- Leaves.htm
- Maize.htm
- Nature.htm
- Network Blitz.htm
- Pie Charts.htm
- Sunflower.htm
- Sweets.htm
- Technical.htm
Registry Modifications
Some of the registry modifications made by the worm are as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[random_name] = C:\Documents and Settings\%user%\Local Settings\Temp\[random_name].exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60\0000\Control
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
Registry deletion
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
DisableSR = 0x00000001
Edit Registry
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
CurrentLevel =
1601 =
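As an added example (not part of the write-up), the file and registry artifacts listed above can be turned into a small offline triage check: each listed path becomes a pattern in which the random names and numbers are wildcards, and a constructed list of observations is matched against them. The drive letter "E:", the user "bob" and the random names in the sample data are assumptions.

```python
import re

# Indicator patterns built from the artifact lists above; random names/numbers become wildcards.
FILE_PATTERNS = [
    (r"^[A-Z]:\\autorun\.inf$", "autorun.inf on drive root"),
    (r"^[A-Z]:\\Copy of Shortcut to \(\d+\)\.lnk$", "lure shortcut on drive root"),
    (r"^[A-Z]:\\RECYCLER\\S-\d+(?:-\d+)+\\[^\\]+\.(?:exe|cpl)$", "payload under RECYCLER\\<SID>"),
    (r"\\Local Settings\\Temp\\(?:explorer|winlogon)\.dat$", "dropped .dat in %TEMP%"),
    # The write-up spells the folder "Intenet Explorer"; accept both spellings.
    (r"\\Program Files\\Inter?net Explorer\\(?:complete|dmlconf)\.dat$", "dropped .dat in IE folder"),
    (r"\\Program Files\\(?:qwe|win\\\d+\.exe)$", "dropped qwe folder or win\\<n>.exe"),
]

def classify_file(path):
    # First matching label wins; None means the path matches no listed artifact.
    for pattern, label in FILE_PATTERNS:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return None

def classify_registry(key, name, data):
    # One registry value = (key path, value name, data); returns a label or None.
    k = key.upper()
    if k.endswith(r"\CURRENTVERSION\RUN") and re.search(r"\\Local Settings\\Temp\\[^\\]+\.exe$", str(data), re.I):
        return "Run-key autostart pointing into %TEMP%"
    if k.endswith(r"\SYSTEMRESTORE") and name.upper() == "DISABLESR" and int(data) == 1:
        return "System Restore disabled (DisableSR = 1)"
    if r"\ENUM\ROOT\LEGACY_60DFFE60" in k:
        return "LEGACY_60DFFE60 enumeration key present"
    return None

def scan(files, registry):
    # Combine both observation types into (artifact, label) findings.
    found = [(p, lbl) for p in files if (lbl := classify_file(p))]
    found += [(k + "\\" + n, lbl) for k, n, d in registry if (lbl := classify_registry(k, n, d))]
    return found

# Constructed sample observations; drive "E:", user "bob" and the random names are assumptions.
SAMPLE_FILES = [
    r"E:\autorun.inf",
    r"E:\RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\kxqz.exe",
    r"C:\Documents and Settings\bob\Local Settings\Temp\explorer.dat",
    r"C:\Documents and Settings\bob\My Documents\report.doc",  # benign, must not match
]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "qwdx",
     r"C:\Documents and Settings\bob\Local Settings\Temp\qwdx.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", 1),
]
```

Running `scan(SAMPLE_FILES, SAMPLE_REGISTRY)` returns five findings for the constructed input; the `Zones\3` values are left out because the write-up does not give the data the worm writes there.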