Huge Ramnit Infection + others?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Christian Thomas, Sep 7, 2011.

  1. Christian Thomas

    Christian Thomas Private E-2

    Does anyone know how the Ramnit virus actually works? I need to get around it, and on some of my PCs and backups there is data that I cannot lose. It seems, if indeed it is the Ramnit virus, to be far more complicated than what I have read so far on the net. It is extraordinarily fast spreading and seems to infect every program the moment it is loaded.

    The symptoms I have are as follows:

    • It is creating -mgr versions of various exes, such as agent, winword, sdhelp, notepad etc.
    • These end up with filenames like notepadmgr.exe, and they all have a multicoloured dotted icon.
    • On memory sticks it creates these in a hidden recycler directory along with an autorun.inf that directs to them. If you delete these files, the directory and the autorun, then it bars access to the "disk". So there must be something else that is hidden on there.

    The same holds true for the hard disk. So, for instance, if Avast! does its usual over-zealous cleanup (don't haul me up on that opinion, I would like something as good as Avast! but which also left the system running) then it will lock you out of the HDD on the next boot.

    This is also part of another malicious routine which I will come to in a sec. In memory, it loads up various of the dll type exes. It particularly seems to favour wuauclt.exe and ctfmon.exe. It is impossible to say how many of the processes showing in task manager are infected, but various of the iTunes ones are and so are Acrobat reader files. It almost certainly goes below this into the system because after ending each of these tasks wuauclt will come popping up a few seconds after it and others have been removed.

    I have removed every entry in relation to these, and every Run and Startup entry, in the Registry, but to no avail. Removing them in msconfig and then doing the same inside the registry still doesn't stop them appearing in Taskman at startup. Usually they are accompanied by four or more instances of iexplorer (which I don't use) and on another machine various incarnations of winword and excel (10 or more is not unheard of), each of which is, I guess, running some script or other.

    There are also many instances of svchost (I currently have 7 showing on a machine that isn't even connected to the net). If you end one of these it has a trap that winds you down to system shutdown giving about a 50 second warning. This can be circumvented by loading a new program, but you don't always catch it. There is also an editing bug that it carries with it, where the cursor will fly around the page every so often after you type the letter 't' or sometimes 'w'. This may be part of something else as I currently don't have it on this once pristine machine.

    Most insidiously, it tries to tell you that your HDD is faulty and it somehow gets into the bios, or maybe even the eprom, so that a reboot does not clear the problem. Two drives, much too coincidentally, both started making loud clicking noises, returning read errors and eventually saying "boot sector not found" or having the bios state that there is no hard disk. Indeed most software that you try to use to tackle this, including reloading XP, will fail to properly recognise the partition - if indeed it can see it - and most won't even see the disk at all. And this will be after the throughput of the disk has fallen to 1000KB/s from perhaps 40 and with your machine groaning under the weight of whatever scripts and processes it see fit to run. The disk will start clicking violently and you will have every available cue to think that it is failing badly. It is, in fact, perfectly fine.

    After finding a good utility that could actually see the disk (and after shorting out all the pins on the back of the drive with a view to it possibly having a battery backup and some setting left behind - if not actually code) I did a Dept of Defense Nuke of the disk and suddenly its throughput was back up to 45MB/s. XP recognised it and I was away. I think.

    It has possibly got it again from the boot disk that I used to wipe the drive. Although this was an image file, the image was created on an infected PC (this one) though it was checked, file by file, against the website that compiled the utilities. Not their fault at all, though a premade downloadable .iso could prove invaluable here. I found the utilities at ubcd4win.com, and their stuff does work. If anyone has other better resources I would love to know, but this bootable windows CD should, I think, be in everybody's toolkit. The other possibility is that something was left behind in an unpartitioned area on the disk. I have a suspicion that the disk has shrunk by a couple of gigs, but that may be the manufacturer overspeccing it, or just the usual difference of what a kilobyte really is. I just can't remember, but it is a possibility.

    I need to know how to tackle this thing head on. I have a terabyte drive that may have it, two other laptops and three memory sticks that probably have it, so it's making a home here and will threaten to come rolling back in at any time. This encompasses all my work and all my personal stuff so it is quite important. So far I have yet to find a utility that definitely can disinfect - Dr Watson/MS Security doesn't do it and I'm not convinced that Avast! manages to actually do any disinfection when it does find it. Twenty minutes later there are usually another dozen instances, then 200 after that. I'm quite happy to do it by hand so if you can help, or if you are the toerag that wrote it, please let me know how I can kill it. I can be reached for this at ramnit dot waveform at gmail dot com if anyone wants to email me. Otherwise I'll just wait on the forum.

    Many thanks in advance

    Christian Thomas
     
    Last edited by a moderator: Sep 7, 2011
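    The traces Christian lists (an autorun.inf pointing into a hidden RECYCLER folder, and "<name>mgr.exe" files planted beside the real "<name>.exe") can be checked for mechanically. The following is an added example, not code from the thread: a read-only scanner that walks a drive or folder and reports those traces, run here against a constructed stand-in for the memory stick he describes. The folder names, SID-style subfolder and file list in the sample are made up for the example.

```python
# Added example (not from the original post): walk a drive or folder and flag the traces Christian describes.
# Indicator names come from the thread; the sample memory stick is constructed so the script runs offline.
import configparser, os, tempfile

EXE_EXT = (".exe", ".scr", ".dll")  # PE file types named in the thread

def autorun_targets(path):
    """Return what an autorun.inf would launch (open=, shellexecute=, shell\\...\\command=)."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    cp.read(path, encoding="latin-1")  # lenient: malware-written files are often sloppy
    sect = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if sect is None:
        return []
    return [v.strip().strip('"') for k, v in cp.items(sect) if v and
            (k.lower() in ("open", "shellexecute") or k.lower().endswith("command"))]

def scan_volume(root):
    """Return (kind, path) findings; an empty list means none of the traces was seen."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        for target in autorun_targets(autorun):
            t = target.lower().replace("/", "\\")
            if "recycler\\" in t or t.endswith("mgr.exe"):  # launches from RECYCLER or a *mgr.exe
                findings.append(("autorun-launches", target))
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        in_recycler = "recycler" in dirpath.lower().split(os.sep)
        for f in files:
            stem, ext = os.path.splitext(f.lower())
            if in_recycler and ext in EXE_EXT:  # RECYCLER should only hold deleted items
                findings.append(("exe-in-recycler", os.path.join(dirpath, f)))
            if ext == ".exe" and stem.endswith("mgr") and stem[:-3] + ".exe" in names:
                findings.append(("companion-exe", os.path.join(dirpath, f)))  # notepadmgr.exe beside notepad.exe
    return findings

def build_sample_stick():
    root = tempfile.mkdtemp(prefix="stick_")  # constructed stand-in for the infected memory stick
    layout = ((os.path.join("RECYCLER", "S-1-5-21-0000"), ("notepadmgr.exe", "winwordmgr.exe")),
              ("work", ("notepad.exe", "notepadmgr.exe", "report.docx")))  # SID-style name is made up
    for sub, names in layout:
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "wb").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=RECYCLER\\S-1-5-21-0000\\notepadmgr.exe\n"
                 "shell\\open\\command=RECYCLER\\S-1-5-21-0000\\notepadmgr.exe\n"
                 "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
    return root
```

    On the sample stick the scan returns five findings: two autorun launch lines, two executables inside RECYCLER and one companion exe in the work folder; a clean volume returns an empty list.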
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ramnit infections have really become quite nasty and dangerous. We could attempt to remove it, and we have had some success in the past, but recently it has become even more trouble to remove. It is really safer to just bite the bullet and do a clean reinstall.

    The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut, etc. can infect all executable files (DLL, EXE, SCR... and many more, and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

    In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also, when disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt, so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are a major source of system infection.

    So, all the above being said, and please do take serious note of the warnings, do you really wish to attempt cleaning even though the stability and security of your PC cannot be guaranteed? And also note that we could spend a lot of time trying to fix it and still fail due to the number of files that have been infected. What would you like to do?

    If you want to try fixing it, unless it is just too late, go to this site:
    eSet Online Scan.

    And start running back to back scans. Do it three times, booting between each scan, and attach the logs to your next post. That is, if you can do it.