Analysis by: Erika Mendoza
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via removable drives, Infects files

This file infector opens a hidden instance of iexplore.exe and connects to remote sites to download and execute possible malicious file(s).

It is capable of injecting a malicious VBScript to HTML files. Infected HTML files are detected as VBS_RAMNIT.SMC.

It uses an icon similar to FAKEAV malware.

This file infector modifies registry entries to enable its automatic execution at every system startup.

It infects by appending its code to target host files.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size: 60,416 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 14 Apr 2011
Payload: Downloads files

Installation

This file infector drops the following copies of itself into the affected system:

    Autostart Technique

    This file infector drops the following files:

    • %Program Files%\INTERNET EXPLORER\dmlconf.dat - non-malicious component
    • %Program Files%\Microsoft\DesktopLayer.exe - copy of itself

    (Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

    It modifies the following registry entries to ensure it automatic execution at every system startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows NT\CurrentVersion\Winlogon
    Userinit = %system%\userinit.exe,,%Program Files%\microsoft\desktoplayer.exe

    (Note: The default value data of the said registry entry is %system%\userinit.exe,.)

    File Infection

    This file infector infects the following file types:

    • dll
    • exe
    • HTML

    It infects by appending its code to target host files.

    Propagation

    This file infector creates the following folders in all removable drives:

    • RECYCLER

    It drops copies of itself in all removable drives.

    It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

    It modifies the contents of an existing AUTORUN.INF file to automatically execute its dropped copy. It does this by adding the following strings in the .INF file:

    • [autorun]
    • action=Open
    • icon=%WinDir%\system32\shell32.dll,4
    • shellexecute=.\RECYCLER\S-6-7-58-6558245640-1513147020-264120182-3823\{random}.exe
    • shell\explore\command=.\RECYCLER\S-6-7-58-6558245640-1513147020-264120182-3823\{random}.exe
    • USEAUTOPLAY=1
    • shell\Open\command=.\RECYCLER\S-6-7-58-6558245640-1513147020-264120182-3823\{random}.exe

    NOTES:

    It opens a hidden instance of iexplore.exe and connects to remote sites to download and execute possible malicious file(s).

    It is capable of injecting a malicious VBScript to HTML files. Infected HTML files are detected as VBS_RAMNIT.SMC.

    It uses an icon similar to FAKEAV malware.

      SOLUTION

    Minimum Scan Engine: 8.900

    Step 1

    For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

    Step 2

    Restart in Safe Mode

    [ Learn More ]

    Step 3

    Restore this modified registry value

    [ Learn More ]

    Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer"s registry.

    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      • From: Userinit=%System%\userinit.exe,,%Program Files%\microsoft\desktoplayer.exe
        To: %System%\userinit.exe

    Step 4

    Search and delete this file

    [ Learn More ]
    There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result. %Program Files%\INTERNET EXPLORER\dmlconf.dat

    Step 5

    Search and delete AUTORUN.INF files created by PE_RAMNIT.H-O that contain these strings

    [ Learn More ]
    [autorun]
    action=Open
    icon=%WinDir%\system32\shell32.dll,4
    shellexecute=.\RECYCLER\S-6-7-58-6558245640-1513147020-264120182-3823\{random}.exe
    shell\explore\command=.\RECYCLER\S-6-7-58-6558245640-1513147020-264120182-3823\{random}.exe
    USEAUTOPLAY=1
    shell\Open\command=.\RECYCLER\S-6-7-58-6558245640-1513147020-264120182-3823\{random}.exe

    Step 6

    Search and delete these folders

    [ Learn More ]
    Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result. {ramovable drive}\RECYCLER

    Step 7

    Scan your computer with your Trend Micro product to clean files detected as PE_RAMNIT.H-O If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

    Step 8

    Scan your computer with your Trend Micro product to delete files detected as PE_RAMNIT.H-O If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


    Did this description help? Tell us how we did.