Ramnit on 1 SDHC memory card and 2 USB flash drives

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Olaus, Feb 18, 2012.

  1. Olaus

    Olaus Private E-2

    Hi,
    I'm currently traveling abroad, meaning I take a lot of pictures. In order to send some of these home, I have at several times connected my camera to computers in internet cafes WITHOUT locking the SDHC memory card so it can only be read from (a function I have learnt about after this ordeal started).

    Last week I noticed my camera wouldn't read the card. It said "Can't create folder". I connected it to an internet cafe PC and folder names were messed up, but some pictures could be retrieved with Recuva (photo recovery software), so I saved them to 2 different USB flash drives (most pics looked ok, only a few were irreparably damaged). I figured something was fishy when folder names changed on one of the USB sticks. Scans with SUPERAntiSpyware and Malwarebytes revealed a Ramnit infection.

    I.e. my own PC is not infected, but I have questions on how to tackle this problem when I come home:

    1. Is there any way to safely extract pictures and videos and then format the memory sticks?
    2. Is it safe to access the memory card and the USBs in Linux?
    3. Will a low-level format get rid of Ramnit for sure?

    Any suggestions and ideas are welcome.

    Thank you for your time.

    Olaus
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Ramnit is quite dangerous and not always detectable in every file that could be carrying the infection. It most frequently spreads into any .exe and .html files on every disk drive (including removable drives) in a PC.

    The best you could do would be to scan all drives using your antivirus scanner and also another online scan like ESET (see: Using ESET's Online Scanner) to see if anything is found. If so, delete them.

    Only save your pictures! DO NOT save any EXE, HTML, DLL, or MSI (installer programs). It is okay to save them to your flash drive, but make sure the flash drive has no EXE, HTML, DLL, or MSI file types on it before plugging it in.

    Yes, a low-level format will get rid of Ramnit, but if you copy back just one infected file and use it, you could respread the infection all over again.
     
  3. Olaus

    Olaus Private E-2

    Many thanks for your reply, chaslang!

    I'm a bit worried about Ramnit doing an autorun as soon as I plug my USB or SDHC into my PC. Would it be enough to use USB Panda to block this? Or should I extract the pictures in Ubuntu mode?


    Olaus
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. Olaus

    Olaus Private E-2

    Thanks a lot. I'll be home in about 3 weeks, I'll give it a try then and update this thread with the results.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Good luck.
     
  7. Olaus

    Olaus Private E-2

    Hello,
    I just came back home and so far things are looking good. I use ESET NOD32 as antivirus program and Zonealarm's free firewall on a 64-bit Win 7 system (I've had this combination for a couple of years and it's been working very well for me). Before starting to fix my USBs and memory cards, I installed Panda USB Vaccine:
    http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

    and let it "vaccinate" my computer (i.e. autoruns from flash drives are denied).

    I also installed Malwarebytes Anti-Malware:
    http://www.malwarebytes.org/products/malwarebytes_free

    Then I plugged in the first USB stick and NOD32 immediately reacted and removed the infected files. I ran an MBAM scan on my system + the USB which found nothing bad. Then I copied the pictures and movies to my hard drive, and made a low-level format of the USB using Hard Disk Low Level Format Tool:
    http://www.softpedia.com/get/System/Hard-Disk-Utils/HDD-Low-Level-Format-Tool.shtml

    I repeated these steps for both USBs and all my camera's memory cards (only one of them was infected, but I wanted to be sure). Finished by letting USB Panda "vaccinate" the flash drives so they won't start autorunning when plugged into other CPUs (don't know how well this works, but can't see any harm in it).

    For file recovery I use Piriform's excellent software Recuva:
    http://www.piriform.com/recuva
    which helped me recover most pictures.

    Hope this thread can be of any help to others. Remember kids, always use protection when connecting to unfamiliar computers!
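    The advice in chaslang's reply (keep only the pictures, never carry EXE, HTML, DLL or MSI files off a suspect drive) and the recovery routine in the post above (scan, copy the media, then wipe the stick) can be turned into a small triage script. The following is an added example written for this thread, not code from any of the posters or from the tools they name. It walks a mounted drive, sorts files into verified media, risky types, and "claims to be a picture but isn't" buckets, reports whether an autorun.inf is present, and copies only the verified media. The sample drive it builds is a constructed stand-in with harmless placeholder bytes, not real infected files; the MZ header check catches a Windows executable renamed to look like a photo, which an extension-only filter would miss.

```python
"""Triage a removable drive: copy only verified photos/videos, flag the rest.

Added example, not from the MajorGeeks thread or the tools it mentions.
The sample drive, file names and byte contents below are constructed.
"""
import os
import shutil
import tempfile
from pathlib import Path

# File types the thread warns against carrying off an infected drive.
RISKY_EXTENSIONS = {".exe", ".html", ".htm", ".dll", ".msi"}

# Header bytes for the media types we are willing to copy. The extension
# alone is not proof of content, so each candidate is checked against these.
MEDIA_SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".mp4": b"ftyp",  # ISO base media: the 'ftyp' box tag sits at offset 4
    ".mov": b"ftyp",
}


def read_header(path, n=12):
    """Return the first n bytes of a file without reading the whole thing."""
    with open(path, "rb") as f:
        return f.read(n)


def looks_like_media(path):
    """True when the file header matches the media type its extension claims."""
    sig = MEDIA_SIGNATURES.get(path.suffix.lower())
    if sig is None:
        return False
    head = read_header(path)
    if sig == b"ftyp":
        return head[4:8] == sig
    return head.startswith(sig)


def triage_drive(root):
    """Walk a mounted drive and sort every file into a bucket of the report."""
    root = Path(root)
    report = {"media": [], "risky": [], "mismatched": [], "autorun": False}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            ext = p.suffix.lower()
            if name.lower() == "autorun.inf":
                # An autorun.inf on removable media is what launches an
                # infection on hosts that still honour autorun.
                report["autorun"] = True
            elif ext in RISKY_EXTENSIONS or read_header(p, 2) == b"MZ":
                # Known-risky type, or a PE executable behind another extension.
                report["risky"].append(p)
            elif ext in MEDIA_SIGNATURES:
                bucket = "media" if looks_like_media(p) else "mismatched"
                report[bucket].append(p)
            # anything else (.txt, .thm, ...) is left on the drive untouched
    return report


def copy_media(report, root, dest):
    """Copy only the verified media files, keeping the drive's folder layout."""
    root, dest = Path(root), Path(dest)
    for p in report["media"]:
        target = dest / p.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
    return len(report["media"])


def build_sample_drive():
    """Constructed stand-in for a suspect SD card (placeholder bytes only)."""
    root = Path(tempfile.mkdtemp(prefix="sdcard_"))
    dcim = root / "DCIM" / "100PHOTO"
    dcim.mkdir(parents=True)
    (dcim / "beach.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (dcim / "map.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    (dcim / "clip.mp4").write_bytes(b"\x00\x00\x00\x18ftypisom" + b"\x00" * 64)
    (dcim / "notes.jpg").write_bytes(b"this is not a picture")
    (root / "renamed.jpg").write_bytes(b"MZ" + b"\x00" * 64)  # PE stub posing as a photo
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "index.html").write_bytes(b"<html></html>")
    (root / "AUTORUN.INF").write_bytes(b"[autorun]\n")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    rep = triage_drive(drive)
    print(f"autorun.inf present: {rep['autorun']}")
    for bucket in ("risky", "mismatched"):
        for p in rep[bucket]:
            print(f"{bucket:10s} {p.relative_to(drive)}")
    out = Path(tempfile.mkdtemp(prefix="rescued_"))
    print(f"copied {copy_media(rep, drive, out)} verified media files to {out}")
```

    Pointing `triage_drive` at a real mount point instead of the sample tree gives the same report; the point of running it before copying anything is that the "risky" and "mismatched" lists tell you what an antivirus pass still needs to look at, and the copy step never touches those files at all.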
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to hear you have things worked out. :)
     
