PE_RAMNIT.KC

 Analysis by: Erika Bianca Mendoza

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW


This is the Trend Micro detection for files infected by:

  • PE_RAMNIT.KC-O

  TECHNICAL DETAILS

File Size:

241,664 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

10 Oct 2011

File Infection

This is the Trend Micro detection for files infected by:

  • PE_RAMNIT.KC-O

NOTES:

The files detected as PE_RAMNIT.KC contain additional section, which is responsible for dropping and executing the following:

  • PE_RAMNIT.KC-O

This is saved as %Current Folder%\{malware name}mgr.exe.

As a result, the malicious routines of the said malware are also exhibited on the system.

  SOLUTION

Minimum Scan Engine:

9.200

FIRST VSAPI PATTERN FILE:

8.490.01

FIRST VSAPI PATTERN DATE:

11 Oct 2011

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by PE_RAMNIT.KC

     PE_RAMNIT.KC-O

Step 3

Scan your computer with your Trend Micro product to clean files detected as PE_RAMNIT.KC. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.