PE_RAMNIT.KC-O
Platform: Windows 2000, Windows XP, Windows Server 2003

Threat Type: File infector
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Infects files
This file infector arrives via removable drives. It may be unknowingly downloaded by a user while visiting malicious websites.
It infects by appending its code to target host files.
It drops copies of itself into all the removable drives connected to an affected system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
File size: 114,688 bytes
File type: EXE
Memory resident: Yes
Initial samples received date: 06 Oct 2011
Payload: Connects to URLs/IPs
Arrival Details
This file infector arrives via removable drives.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This file infector drops the following files:
- %User Temp%\{random}.sys - RTKT_RAMNIT.KC
- [drive]\RECYCLER\{SID}\{random}.cpl - TROJ_RAMNIT.KC
- [drive]\Copy of {number}.lnk - link to TROJ_RAMNIT.KC
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It drops the following non-malicious files:
- %Application Data%\{random}.log
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %Application Data%\{random}\{randomname}.exe
- %User Temp%\{random}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %Application Data%\{random}
- [drive]\RECYCLER
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- {GUID}
Autostart Technique
This file infector adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random} = %Application Data%\{random}\{random name}.exe
It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries under a single service key (the misspelled name "Micorsoft Windows Service" is the name as written to the registry):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service
Type = 1
Start = 4
ErrorControl = 0
DisplayName = Micorsoft Windows Service
DeleteFlag = 1
ImagePath = %Application Data%\{random}\{random name}.sys
Other System Modifications
This file infector modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = %System%\userinit.exe,%Application Data%\{random}\{random name}.exe
File Infection
This file infector infects the following files:
- .EXE
- .DLL
It infects by appending its code to target host files.
Propagation
This file infector drops copies of itself into all the removable drives connected to an affected system.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
{garbage}
[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute={malware path and filename}
shell\explore\command={malware path and filename}
USEAUTOPLAY=1
shell\Open\command={malware path and filename}
{garbage}
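As an added illustration that is not part of the original description, the following Python checker parses an AUTORUN.INF laid out as above, skips the garbage bytes around the [autorun] section, and reports the launch entries and the USEAUTOPLAY flag a responder would want flagged on a removable drive. The sample bytes, the SID and the RECYCLER file name are constructed placeholders.

```python
import re

# Constructed sample laid out like the AUTORUN.INF described above: random bytes
# before and after a real [autorun] section. The RECYCLER path is a placeholder.
SAMPLE_AUTORUN = (
    b"\x8f\x11zq\x00\xd4junk\r\n"
    b"[autorun]\r\n"
    b"action=Open\r\n"
    b"icon=%WinDir%\\system32\\shell32.dll,4\r\n"
    b"shellexecute=RECYCLER\\S-1-5-21-0-0-0-500\\xyzw.cpl\r\n"
    b"shell\\explore\\command=RECYCLER\\S-1-5-21-0-0-0-500\\xyzw.cpl\r\n"
    b"USEAUTOPLAY=1\r\n"
    b"shell\\Open\\command=RECYCLER\\S-1-5-21-0-0-0-500\\xyzw.cpl\r\n"
    b"\x00\x01\xfe\xffmore junk"
)
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
EXEC_EXTS = (".exe", ".cpl", ".scr", ".com", ".bat", ".cmd", ".pif", ".dll")

def parse_autorun(data: bytes) -> dict:
    """Extract key=value pairs from the [autorun] section; garbage bytes around the
    section are tolerated (latin-1 never fails) and non key=value lines are skipped."""
    text = data.decode("latin-1")
    section = re.search(r"\[autorun\](.*?)(?:\r?\n\[|\Z)", text, re.I | re.S)
    entries = {}
    if section:
        for line in section.group(1).splitlines():
            m = re.match(r"^\s*([A-Za-z\\]+)\s*=\s*(.*?)\s*$", line)
            if m:
                entries[m.group(1).lower()] = m.group(2)  # keys compared case-insensitively
    return entries

def suspicious_indicators(entries: dict) -> list:
    """Reasons an autorun.inf matches the propagation pattern above (empty if benign)."""
    reasons = []
    for key in LAUNCH_KEYS:
        value = entries.get(key, "")
        if value.lower().endswith(EXEC_EXTS):
            reasons.append(f"{key} launches an executable: {value}")
        if "recycler" in value.lower():
            reasons.append(f"{key} points into a RECYCLER folder")
    if entries.get("useautoplay") == "1":
        reasons.append("USEAUTOPLAY=1 requests AutoPlay even where it is normally off")
    return reasons

def scan_autorun(data: bytes) -> list:
    """Convenience wrapper: raw file bytes in, list of findings out."""
    return suspicious_indicators(parse_autorun(data))
```

Run `scan_autorun()` over the bytes of each `autorun.inf` found in the root of a removable drive; an empty list means none of the indicators above were present.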
NOTES:
It deletes the following registry keys to restrict the user from restarting in safe mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
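An added example, not part of this description, that scans a text registry export for the three persistence changes described above: the extra program chained into Userinit, the deleted SafeBoot\Minimal and SafeBoot\Network keys, and the driver service whose image lives under %Application Data%. The .reg excerpt, the user name and the {random} names are constructed placeholders, and the check assumes the Winlogon, Services and SafeBoot keys were exported recursively.

```python
# Constructed excerpt in "reg export" (.reg) text format mirroring the entries above.
# Profile path and {random} names are placeholders; a real export is UTF-16LE and
# would be decoded to str before being handed to parse_reg().
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\u\\Local Settings\\Application Data\\abcd\\wxyz.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service]
"Type"=dword:00000001
"Start"=dword:00000004
"DeleteFlag"=dword:00000001
"ImagePath"="C:\\Documents and Settings\\u\\Local Settings\\Application Data\\abcd\\wxyz.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: value}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")  # un-escape backslashes
    return keys

def ramnit_persistence_findings(keys: dict) -> list:
    """Flag the three persistence changes described above in a parsed registry snapshot."""
    findings = []
    # 1. Userinit should only chain userinit.exe; anything after it runs at every logon.
    for prog in keys.get(WINLOGON, {}).get("Userinit", "").split(","):
        if prog and not prog.lower().endswith("\\userinit.exe"):
            findings.append(f"Userinit chains an extra program: {prog}")
    # 2. Deleted SafeBoot\Minimal and SafeBoot\Network keys prevent booting into safe mode.
    for sub in ("Minimal", "Network"):
        if f"{SAFEBOOT}\\{sub}" not in keys:
            findings.append(f"safe-mode key missing: {SAFEBOOT}\\{sub}")
    # 3. A kernel driver service (Type=1) whose image lives under a user profile directory.
    for path, vals in keys.items():
        if "\\Services\\" in path and vals.get("Type") == 1 and "Application Data" in vals.get("ImagePath", ""):
            findings.append(f"driver service loads from a profile directory: {path}")
    return findings
```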
It queries the registry below to check the system's default browser:
HKEY_CLASSES_ROOT\http\shell\open\command
It then creates an instance of this browser process and two svchost.exe processes, into which the file infector injects its code.
It may also obtain information from cookies of the following browsers:
- Chrome
- Firefox
- Internet Explorer
- Opera
- Safari
It then attempts to establish a connection to the following IP via port 443:
- {BLOCKED}.{BLOCKED}.6.203
SOLUTION
Minimum scan engine: 9.200
First VSAPI pattern file: 8.476.08
First VSAPI pattern release date: 06 Oct 2011
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.