PE_RAMNIT.RE-O

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It is injected into all running processes to remain memory resident.

It deletes registry keys related to antivirus programs. Doing this allows this malware to execute its routines without being detected by installed antivirus programs.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk. It connects to a website to send and receive information.

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This file infector drops the following copies of itself into the affected system:

• %User Temp%\{random filename 1}.exe
• %AppDataLocal%\{random folder name}\{random filename 2}.exe
• %User Startup%\{random filename 3}.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

It drops the following files:

• %AppDataLocal%\{random folder name}\px{number}.tmp - deleted afterwards
• %User Temp%\~TM{numbers}.tmp – deleted afterwards

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following processes:

• svchost.exe

It creates the following folders:

• %AppDataLocal%\{random folder name}

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It is injected into all running processes to remain memory resident.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {GUID}

Autostart Technique

This file infector adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random filename 2} = "%AppDataLocal%\{random folder name}\{random filename 2}.exe"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,,%AppDataLocal%\{random folder name}\{random filename 2}.exe"

(Note: The default value data of the said registry entry is "%System%\userinit.exe,".)

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\{random filename 3}.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Other System Modifications

This file infector deletes the following files:

• %User Temp%\{random filename 1}.exe:Zone.Identifier

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion
jfghdug_ooetvtgk = "TRUE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = "1"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = "4"

(Note: The default value data of the said registry entry is "2".)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\MpsSvc
Start = "4"

(Note: The default value data of the said registry entry is "2".)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\WinDefend
Start = "4"

(Note: The default value data of the said registry entry is "2".)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = "4"

(Note: The default value data of the said registry entry is "2".)

It deletes the following registry keys related to antivirus and security applications:

HKEY_LOCAL_MACHINE\Microsoft\Windows\
CurrentVersion\Run
Windows Defender = "{windows defender path}"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot

File Infection

This file infector infects the following file types:

• EXE
• DLL

It infects the following file types in shared networks to ensure its propagation:

• EXE
• DLL

Backdoor Routine

This file infector executes the following command(s) from a remote malicious user:

• Download and execute files
• Capture screenshots
• Update itself
• Retrieve stolen cookies
• Remove cookies
• Send stolen information
• Shut Down Operating System

It connects to the following websites to send and receive information:

• https://{random generated domain}.com

Information Theft

This file infector attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• Windows Total commander
• WS FTP
• Cute FTP
• FlashXp
• FileZilla
• FtpCommander
• BulletproofFTP
• SmartFtp
• TurboFtp
• FFFtp
• Coffee cup ftp
• Core ftp
• FtpExplorer
• Frigate 3
• WebSitePublisher
• ClassicFTP
• Fling
• SoftFx FTP
• Directory opus
• LeapFtp
• WinScp
• 32bit FTP
• FtpControl
• NetDrive

Stolen Information

This file infector saves the stolen information in the following file:

• %All Users Profile%\Application Data\{random filename 4}.log
• %AppDataLocal%\{random filename 5}.log - number of logs varies, contain encrypted data

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This file infector connects to the following URL(s) to check for an Internet connection:

• google.com
• bing.com
• yahoo.com

It does the following:

• It steals cookies from the following applications:
  
  • Google Chrome
  • Apple Safari
  • Mozilla Firefox
  • Macromedia Flash Player
  • Opera
  • Internet Explorer
  
  
• It steals important banking information by injecting malicious codes to bank webpages with URLs containing any of the following:
  
  • https://ibanking.banksa.com.au/ibank/loginPage*
  • https://ibanking.banksa.com.au/ibank/logonAction*
  • https://ibanking.banksa.com.au/ibank/myInformationLanding*
  • https://ibanking.banksa.com.au/ibank/viewAccountPortfolio*
  • https://ibanking.banksa.com.au/ibank/editContactDetails*
  • *etrade.com*
  • *chase.com*
  • *onlinecreditcenter6.com/consumergen*
  • *53.com*
  • *americanexpress.com*
  
  
• It terminates the following Antivirus applications:
  
  • AVG Antivirus 2013
  • Avast
  • ESET Nod32 Antivirus
  • Norton Antivirus
  • Bitdefender
  
  
• It queries the registry below to check the system's default browser:
  
  • HKEY_CLASSES_ROOT\http\shell\open\command
  
  
• It takes advantage of the following software vulnerabilities to perform privilege escalation:
  
  • Windows privilege Escalation Vulnerability (CVE-2014-4113)
  
  
• Files infected by this malware are detected as PE_RAMNIT.SM.

NOTES:

It does not have rootkit capabilities.