From: jcdill on
David H. Lipman wrote:
> From: "jcdill" <jcdill.lists(a)gmail.com>
>
> | David Kaye wrote:
>>> Sorry about the crosspost to ba.internet, but I know there are malware experts
>>> out there.
>
>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?
>
> | No experience, but if I were in your shoes I'd start here:
>
> | <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
>
> The problem is that may not be the same based upon the !HTML suffix which infers HTML code
> and possibly exploitation rather than the actual infection.

My point was to use the experts-exchange site to get help if the answers
already posted don't solve the problem. They are amazingly helpful with
providing assistance (for free) to people who follow the recommended
steps (such as running hijackthis and posting the logs etc.). I've
found the answer to solving several pesky virus/worm problems simply by
searching the experts-exchange site without having to post my own query,
but if I couldn't find the answer in the archives then I wouldn't
hesitate to post.

jc
From: John Slade on
On 7/29/2010 3:24 AM, David H. Lipman wrote:
> From: "John Slade"<hhitman86(a)pacbell.net>
>
> | On 7/27/2010 11:17 PM, RJK wrote:
>
>
>>> "David H. Lipman"<DLipman~nospam~@Verizon.Net
>>> <mailto:DLipman~nospam~@Verizon.Net>> wrote in message
>>> news:i2o47d0214h(a)news2.newsguy.com...
>>> From: "russg"<russgilb(a)sbcglobal.net<mailto:russgilb(a)sbcglobal.net>>
>
>>> | snip stuff about experienced posters only.
>
>>> | I come here to learn, and there are some experts here. The OP
>>> | considers himself an expert and only wants
>>> | talk to experts. I would say his final approach of wiping and re-
>>> | installing the OS (which he didn't mention),
>>> | but first trying to save .docs, mp3 and other important files, is the
>>> | only solution. I learned that RAMNIT.A
>>> | is a PE infector, infects other known files, like IE. Here's some
>>> | info at sophos.com:
>
>>> |
>>>
>>> http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=
>>> | rss
>
>>> | The OP knows the name of the malware, so he must have submitted a
>>> | sample somewhere.
>
>>> From Dave's first post...
>>> "Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
>>> devil of a
>>> time removing it. The only tool the detects it consistently is MS
>>> Security
>>> Essentials, and MSSE keeps counting it and "disinfecting" it."
>
>>> He didn't submit a sample somewhere, MSE scanned the system,
>>> detected it
>>> (Win32/RAMNIT.A ), but MSE failed to full remove and clean the
>>> system of it. Dave also
>>> indicated he tried Avast to no avail.
>
>>> --
>>> Dave
>>> http://www.claymania.com/removal-trojan-adware.html
>>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>> Having cast my eye through this post, I think I would have given
>>> PrevX a go :-)
>>> ...and having read
>>> http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
>
>>> ...I think (seeing as Sophos is armed against it), I'd try Sophos
>>> CLS from Bart PE cd :-)
>
>>> regards, Richard
>
>
>
> | It seems the information I found on this worm is that it
> | probably hides in the "system volume information" folder that is
> | "read only" and "hidden" by default. The worm just keeps getting
> | reinstalled and can't be cleaned unless the permissions are
> | changed for that folder. The information on this site links to
> | instructions for cleaning RAMNIT.A.
>
> | http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
>
> | This links to information on how to disable "system
> | restore" in order to remove the infection. It may be possible to
> | use some offline scanner like BitDefender to remove the worm but
> | it's better done in Windows.
>
> Sorry, you are mis-interpreting the information.
>
> Malware doesn't "hide" in the "system volume information" folder. That is where the
> System Resore cache resides. What they are talking about is removing restore points such
> that you won't re-infect the PC if you restore the PC from a restore point that had made
> in an infected condition.

Some malware specifically uses the "system volume
information" folder to reinfect the computer. It will infect
multiple restore points even those that were there before the
particular worm was introduced. I've had some experience with these.

>
> Howver, I have learned that ist is NOT a good idea to dump the System Restore cache while
> cleaning a PC. It is better to have an infected, working, PC than to have a a PC that may
> be unstable and you can't restore the PC to a stable but infected condition. Once the PC
> is thouroughly cleaned and verified and is stable then you you can dump the System Restore
> cache.

This is one reason us PROFESSIONALS do a complete drive
backup before we remove the infection in this way. That way if
something goes wrong, you can always go back to the beginning.

It's possible to allow writing to the folder in question.
I have cleaned a few computers in this way and I usually find
that the restore points are not worth saving. I've had
absolutely no systems lost due to cleaning out the system
restore points. Never lost one and never needed to use the
backup on these types of infections. I find it better to have a
professional do the malware removal than someone who risks
loosing everything because they're afraid to remove the restore
caches.

John


From: David H. Lipman on
From: "John Slade" <hhitman86(a)pacbell.net>

| On 7/29/2010 3:24 AM, David H. Lipman wrote:
>> From: "John Slade"<hhitman86(a)pacbell.net>

>> | On 7/27/2010 11:17 PM, RJK wrote:


>>>> "David H. Lipman"<DLipman~nospam~@Verizon.Net
>>>> <mailto:DLipman~nospam~@Verizon.Net>> wrote in message
>>>> news:i2o47d0214h(a)news2.newsguy.com...
>>>> From: "russg"<russgilb(a)sbcglobal.net<mailto:russgilb(a)sbcglobal.net>>

>>>> | snip stuff about experienced posters only.

>>>> | I come here to learn, and there are some experts here. The OP
>>>> | considers himself an expert and only wants
>>>> | talk to experts. I would say his final approach of wiping and re-
>>>> | installing the OS (which he didn't mention),
>>>> | but first trying to save .docs, mp3 and other important files, is the
>>>> | only solution. I learned that RAMNIT.A
>>>> | is a PE infector, infects other known files, like IE. Here's some
>>>> | info at sophos.com:

>>>> |

>>>> http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_
>>>> from=
>>>> | rss

>>>> | The OP knows the name of the malware, so he must have submitted a
>>>> | sample somewhere.

>>>> From Dave's first post...
>>>> "Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
>>>> devil of a
>>>> time removing it. The only tool the detects it consistently is MS
>>>> Security
>>>> Essentials, and MSSE keeps counting it and "disinfecting" it."

>>>> He didn't submit a sample somewhere, MSE scanned the system,
>>>> detected it
>>>> (Win32/RAMNIT.A ), but MSE failed to full remove and clean the
>>>> system of it. Dave also
>>>> indicated he tried Avast to no avail.

>>>> --
>>>> Dave
>>>> http://www.claymania.com/removal-trojan-adware.html
>>>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>>> Having cast my eye through this post, I think I would have given
>>>> PrevX a go :-)
>>>> ...and having read
>>>> http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99

>>>> ...I think (seeing as Sophos is armed against it), I'd try Sophos
>>>> CLS from Bart PE cd :-)

>>>> regards, Richard



>> | It seems the information I found on this worm is that it
>> | probably hides in the "system volume information" folder that is
>> | "read only" and "hidden" by default. The worm just keeps getting
>> | reinstalled and can't be cleaned unless the permissions are
>> | changed for that folder. The information on this site links to
>> | instructions for cleaning RAMNIT.A.

>> | http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059

>> | This links to information on how to disable "system
>> | restore" in order to remove the infection. It may be possible to
>> | use some offline scanner like BitDefender to remove the worm but
>> | it's better done in Windows.

>> Sorry, you are mis-interpreting the information.

>> Malware doesn't "hide" in the "system volume information" folder. That is where the
>> System Resore cache resides. What they are talking about is removing restore points
>> such
>> that you won't re-infect the PC if you restore the PC from a restore point that had
>> made
>> in an infected condition.

| Some malware specifically uses the "system volume
| information" folder to reinfect the computer. It will infect
| multiple restore points even those that were there before the
| particular worm was introduced. I've had some experience with these.


>> Howver, I have learned that ist is NOT a good idea to dump the System Restore cache
>> while
>> cleaning a PC. It is better to have an infected, working, PC than to have a a PC that
>> may
>> be unstable and you can't restore the PC to a stable but infected condition. Once the
>> PC
>> is thouroughly cleaned and verified and is stable then you you can dump the System
>> Restore
>> cache.

| This is one reason us PROFESSIONALS do a complete drive
| backup before we remove the infection in this way. That way if
| something goes wrong, you can always go back to the beginning.

| It's possible to allow writing to the folder in question.
| I have cleaned a few computers in this way and I usually find
| that the restore points are not worth saving. I've had
| absolutely no systems lost due to cleaning out the system
| restore points. Never lost one and never needed to use the
| backup on these types of infections. I find it better to have a
| professional do the malware removal than someone who risks
| loosing everything because they're afraid to remove the restore
| caches.

| John


You said...
"Some malware specifically uses the "system volume information" folder to reinfect the
computer."

Since you also stated "...us PROFESSIONALS...".
What is that malware spaecifically. You should know it or it should be in your notes.
I'd like to know what it is you are referring to.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: David H. Lipman on
From: "jcdill" <jcdill.lists(a)gmail.com>

| David H. Lipman wrote:
>> From: "jcdill" <jcdill.lists(a)gmail.com>

>> | David Kaye wrote:
>>>> Sorry about the crosspost to ba.internet, but I know there are malware experts
>>>> out there.

>>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?

>> | No experience, but if I were in your shoes I'd start here:

>> | <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

>> The problem is that may not be the same based upon the !HTML suffix which infers HTML
>> code
>> and possibly exploitation rather than the actual infection.

| My point was to use the experts-exchange site to get help if the answers
| already posted don't solve the problem. They are amazingly helpful with
| providing assistance (for free) to people who follow the recommended
| steps (such as running hijackthis and posting the logs etc.). I've
| found the answer to solving several pesky virus/worm problems simply by
| searching the experts-exchange site without having to post my own query,
| but if I couldn't find the answer in the archives then I wouldn't
| hesitate to post.

Ant defined the !HTML suffix (and !INF) as being modified by the Ramnit.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: FromTheRafters on
"John Slade" <hhitman86(a)pacbell.net> wrote in message
news:tE74o.32165$OU6.25112(a)newsfe20.iad...

[...]

> It seems the information I found on this worm is that it
> probably hides in the "system volume information" folder that is "read
> only" and "hidden" by default.

Funny, I was led to believe it used the recycle bin.

> The worm just keeps getting reinstalled and can't
> be cleaned unless the permissions are changed
> for that folder. The information on this site links to instructions
> for cleaning RAMNIT.A.

How is it, that a folder remains inaccesible to a scanner?

> http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
>
> This links to information on how to disable "system restore" in
> order to remove the infection. It may be possible to use some offline
> scanner like BitDefender to remove the worm but it's better done in
> Windows.

It is better to clean the malware off the computer, then purge the
system restore thingy. The malware can't act against you actively, when
it is not running. Use drive imaging software, system restore be-damned.