WORM_RAMNIT
Nimnul, Cosmu
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
RAMNIT is a multi-component malware that infects .DLL, .EXE, and HTML files. This malware family is known to propagate via removable drives.
RAMNIT steals sensitive information such as saved FTP credentials and browser cookies. It does this routine by querying the infected system's registry information to get the user's default browser.
It may also open ports to allow backdoor connections to the affected computer. RAMNIT then waits for instructions from a remote attacker.
TECHNICAL DETAILS
Installation
This worm drops the following files:
- %Application Data%\{random}\{random}.exe
- %Program Files%\Microsoft\WaterMark.exe
- %Program Files%\{random}\{random}.exe
- %User Startup%\{random}.exe
- %User Temp%\{random}.exe
- {folder where malware is located}\{malware name}mgr.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It drops the following file(s)/component(s):
- %Application Data%\{random}.log
- %Program Files%\Internet Explorer\dmlconf.dat
- %User Profile%\{random}.log
- %User Temp%\{random}.sys
- {drive letter}:\Copy of {number}.lnk
- {drive letter}:\RECYCLER\{SID}\{random}.cpl
- {drive letter}:\autorun.inf
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It creates the following folders:
- %Application Data%\{random}
- %Program Files%\{random}
- {drive letter}:\RECYCLER
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Micorsoft Windows Service
Type = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Micorsoft Windows Service
Start = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Micorsoft Windows Service
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Micorsoft Windows Service
DisplayName = "Micorsoft Windows Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Micorsoft Windows Service
DeleteFlag = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Micorsoft Windows Service
ImagePath = "%Application Data%\{random}\{random}.sys"
It adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%Application Data%\{random}\{random}.exe"
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Program Files%\Internet Explorer\IEXPLORE.EXE = "%Program Files%\Internet Explorer\IEXPLORE.EXE:*:Enabled:internet Explorer"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%Application Data%\{random}\{random}.exe"
(Note: The default value data of the said registry entry is %System%\userinit.exe,.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%Program Files%\{random}\{random}.exe"
(Note: The default value data of the said registry entry is %System%\userinit.exe,.)
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network
Other Details
This worm connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.6.203