From: FromTheRafters on 27 Jul 2010 22:38

"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:i2nvud$mfo$4(a)news.eternal-september.org...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote:
>
>> It's a shame he couldn't provide you with a sample. His description of
>> symptoms doesn't exactly match up with what this malware is/does. This
>> could be new malware worm dropping ramnit.a as it finds new systems.
>
> What kind of sample? A sample of the malware? I'm loath to provide
> that; I don't want to be responsible for infecting any computers. I've
> already given some filenames and directories.

Yes, it's clear you have some nasty malware running. It looks like lots
of it goes undetected except the noted ramnit.a.

> But regardless of what names I provide, there is still something being
> launched that I'm unaware of that is rebuilding the files I see.

If I understood the sources I've read, this malware modifies executable
files with the effect of making them "droppers". It could be a new worm
has now adopted that function and you are seeing detections of the
modified files but not the program that's modifying them.

> As previously stated, I've removed the HD, scanned it for rootkits and
> malware and reinstalled it and the stuff comes back.
>
> Well, folks, thanks anyway. I'm just going to reinstall Windows,
> something I seldom have to do. It's got me beat and I can't spend any
> more time on this issue. I'm backed up in work again.

You were probably doomed from the get-go to have to flatten and rebuild.
Too many unknowns.
From: TBerk on 27 Jul 2010 22:55

David,

READ & RUN ME FIRST. Malware Removal Guide
http://forums.majorgeeks.com/showthread.php?t=35407

Haven't yet found the beastie this procedure wouldn't clean w/o
reformatting a drive. If I have time, I go through with it. If it's more
expedient to wipe the drive I just harvest data and reinstall the OS.

But I prefer the 'thrill of the hunt' so to speak.

TBerk
From: Buffalo on 27 Jul 2010 23:09

David Kaye wrote:
> Roy <aa4re(a)aa4re.ampr.org> wrote:
>
>> A friend of mine that does virus removal as part of his business
>> swears by MalwareBytes
>
> I do this professionally as well. I asked *specifically* for
> comments from people who have *experience* with this threat. I used
> MalwareBytes Antimalware several times including the complete disk
> scan for 2 1/2 hours. It did not detect anything.
>
> Again, I'm interested in hearing only from people who have
> *experience* with Win32.Ramnit.A
>
> Thank you.

Well, have you tried PC Butts' Remove-it software?
Whee Haw!!!

Buffalo
From: RJK on 28 Jul 2010 02:17

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i2o47d0214h(a)news2.newsguy.com...
> From: "russg" <russgilb(a)sbcglobal.net>
>
> | snip stuff about experienced posters only.
> | I come here to learn, and there are some experts here. The OP
> | considers himself an expert and only wants to talk to experts. I
> | would say his final approach of wiping and re-installing the OS
> | (which he didn't mention), but first trying to save .docs, mp3 and
> | other important files, is the only solution. I learned that RAMNIT.A
> | is a PE infector, infects other known files, like IE. Here's some
> | info at sophos.com:
> | http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss
> | The OP knows the name of the malware, so he must have submitted a
> | sample somewhere.
>
> From Dave's first post...
>
> "Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil
> of a time removing it. The only tool that detects it consistently is
> MS Security Essentials, and MSSE keeps counting it and "disinfecting"
> it."
>
> He didn't submit a sample somewhere, MSE scanned the system, detected
> it (Win32/RAMNIT.A), but MSE failed to fully remove and clean the
> system of it.
>
> Dave also indicated he tried Avast to no avail.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Having cast my eye through this post, I think I would have given PrevX a
go :-)

...and having read
http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99

...I think (seeing as Sophos is armed against it), I'd try Sophos CLS
from Bart PE cd :-)

regards, Richard
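FromTheRafters' point above (the malware rewrites executables so that they become droppers) and russg's point quoted in RJK's post (RAMNIT.A is a PE infector) both lead to the same defensive check: hash the executables on a known-good image, hash them again later, and diff the two snapshots. The Python below is an added example written for this thread, not code from any poster or from any product mentioned here; the extension list, the sample paths and the sample bytes inside demo() are constructed for illustration.

```python
"""Executable-integrity snapshot: find PE files that changed between two scans.

Added example for this thread; not code from any poster or product named here.
The extension list and the sample data in demo() are constructed assumptions.
"""
import hashlib
import json
import os

# Extensions a file infector commonly rewrites. Illustrative list, not exhaustive.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def is_pe(data: bytes) -> bool:
    """Every PE image starts with the DOS 'MZ' stub; cheap filter for in-memory blobs."""
    return data[:2] == b"MZ"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blobs(blobs: dict) -> dict:
    """{name: bytes} -> {name: sha256} for the blobs that look like PE images."""
    return {name: sha256_hex(data) for name, data in blobs.items() if is_pe(data)}


def hash_tree(root: str) -> dict:
    """Walk a mounted volume (for example the pulled disk attached to a clean box)
    and hash every file with a PE extension, keyed by path relative to root."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    snapshot[os.path.relpath(path, root)] = sha256_hex(fh.read())
            except OSError:
                continue  # unreadable or locked file; a real tool would log it
    return snapshot


def compare_snapshots(before: dict, after: dict) -> dict:
    """Executables that appeared, vanished or changed content between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def save_snapshot(snapshot: dict, path: str) -> None:
    """Persist a snapshot as JSON so it can be compared after a later scan."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snapshot, fh, indent=1, sort_keys=True)


def load_snapshot(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed sample: a known-good set of files, then the same set after an
    infector appended code to one executable and dropped a new one with a
    random-looking four-letter name (the naming pattern the thread describes)."""
    clean = {
        "Windows/notepad.exe": b"MZ" + b"\x90" * 64,
        "Windows/System32/kernel32.dll": b"MZ" + b"\x00" * 64,
        "Users/Public/readme.txt": b"plain text, not a PE image",
    }
    infected = dict(clean)
    infected["Windows/notepad.exe"] = clean["Windows/notepad.exe"] + b"<appended section>"
    infected["Users/Public/jkqr.exe"] = b"MZ" + b"\xcc" * 32
    return compare_snapshots(hash_blobs(clean), hash_blobs(infected))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In use, hash_tree() is run against the pulled drive mounted on a clean machine (the step David describes) and the result saved; a second run after the drive has been back in the suspect system shows exactly which executables were rewritten or dropped. Two caveats: the diff names the files that changed, not the process that changed them, which is precisely the gap FromTheRafters describes; and a baseline taken from a system that was already infected will report the infected copies as unchanged, so the first snapshot has to come from a known-good image.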
From: John Slade on 28 Jul 2010 03:16

On 7/26/2010 9:51 PM, David Kaye wrote:
> Sorry about the crosspost to ba.internet, but I know there are malware
> experts out there.
>
> Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil
> of a time removing it. The only tool that detects it consistently is
> MS Security Essentials, and MSSE keeps counting it and "disinfecting"
> it.
>
> I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I
> can't figure out what's launching it.
>
> I have eliminated one rootkit and subsequent scans show no more
> rootkits. This thing has dropped startup payloads into the StartUp
> folder, into the Run keys, into Prefetch, and it masquerades as
> everything from random 4-letter clusters to names like "Microsoft
> Suite", etc.
>
> It also captures the date when Windows was first installed, so I can't
> reliably search for the thing via date, either.
>
> Whenever MSSE detects a new round of infections (15, 78, all kinds of
> counts) the infections are in everything from drivers to executables
> in all kinds of directories.
>
> At the moment I'm running the computer in safe mode with no Internet
> and MSSE is not detecting any more Ramnit. I've scanned it 3 times.
> But as soon as I go back into regular mode and get an Internet
> connection back up it'll start infecting again.
>
> Oh, and I've reset the Winsock stack twice just in case there's a
> little wedgie in there. Still comes back.
>
> Any help would be most appreciated. You can reach me directly by
> email. The address is valid.
>
> Thanks.
>

You may want to try turning off "system restore" in "system properties".
Then reboot. You may also want to make "system volume information"
accessible to your malware scanner. Then do a scan of that folder. The
default setting is "read only" and "hidden", so if it can't be scanned
the malware won't be removed. The malware can reboot that last restore
point over and over and reinfect your system over and over.

A Linux based scanner can be a way around the permissions but it's
probably better to do the scans within Windows.

John