From: FromTheRafters on 27 Jul 2010 20:02

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:i2nfok0tgi(a)news4.newsguy.com...
> From: "jcdill" <jcdill.lists(a)gmail.com>
>
> | David Kaye wrote:
>>> Sorry about the crosspost to ba.internet, but I know there are
>>> malware experts
>>> out there.
>
>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?
>
> | No experience, but if I were in your shoes I'd start here:
>
> | <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
>
> The problem is that may not be the same based upon the !HTML suffix
> which infers HTML code
> and possibly exploitation rather than the actual infection.

It's a shame he couldn't provide you with a sample. His description of
symptoms doesn't exactly match up with what this malware is/does. This
could be new malware worm dropping ramnit.a as it finds new systems.

From: Steve Pope on 27 Jul 2010 20:39

~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote:
>Steve Pope wrote:
>> It may be that MSE calls it "Ramnit.A", but other products have
>> different names for it which is why nobody has seen it.
>You are right, Steve!
>
>http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

That could help the OP. Looks like the virus is a month or so old.
It may not be the same morph that Sophos can clean, but it's a start.

Steve

From: Ant on 27 Jul 2010 20:44

"David H. Lipman" wrote:
> I have never heard of the "Ramnit" trojan. But, there are 100's of
> thousands out there and it isn't a major family/player.

Symantec wrote something about it in Jan this year. Apparently, it's a
worm that spreads through removable drives and infects executables (so
it's also a virus). Copies itself to the recycle bin and creates
autorun.inf files on all drives.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99

The Ramnit!html and Ramnit!inf designations were for html and inf
files infected by Ramnit.

What D. Kaye has is possibly a new variant.

> I was actually hoping you may have had a sample you could have
> uploaded to http://www.uploadmalware.com/

Yes, if a sample was available I could probably discover exactly what
it did (given a little time). Anyway, since so many infected files
were reported in an earlier post it's just as well he's doing a wipe
and reinstall.

From: David H. Lipman on 27 Jul 2010 21:07

From: "Ant" <not(a)home.today>

| "David H. Lipman" wrote:

>> I have never heard of the "Ramnit" trojan. But, there are 100's of
>> thousands out there and it isn't a major family/player.

| Symantec wrote something about it in Jan this year. Apparently, it's a
| worm that spreads through removable drives and infects executables (so
| it's also a virus). Copies itself to the recycle bin and creates
| autorun.inf files on all drives.

| http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99

| The Ramnit!html and Ramnit!inf designations were for html and inf
| files infected by Ramnit.

| What D. Kaye has is possibly a new variant.

>> I was actually hoping you may have had a sample you could have
>> uploaded to http://www.uploadmalware.com/

| Yes, if a sample was available I could probably discover exactly what
| it did (given a little time). Anyway, since so many infected files
| were reported in an earlier post it's just as well he's doing a wipe
| and reinstall.

Roger that - and thanx Ant.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: David Kaye on 27 Jul 2010 21:08

"FromTheRafters" <erratic(a)nomail.afraid.org> wrote:
>It's a shame he couldn't provide you with a sample. His description of
>symptoms doesn't exactly match up with what this malware is/does. This
>could be new malware worm dropping ramnit.a as it finds new systems.

What kind of sample? A sample of the malware? I'm loath to provide that;
I don't want to be responsible for infecting any computers. I've already
given some filenames and directories. But regardless of what names I
provide, there is still something being launched that I'm unaware of that
is rebuilding the files I see.

As previously stated, I've removed the HD, scanned it for rootkits and
malware and reinstalled it and the stuff comes back.

Well, folks, thanks anyway. I'm just going to reinstall Windows, something
I seldom have to do. It's got me beat and I can't spend any more time on
this issue. I'm backed up in work again.