Win32.Ramnit.N_71edf02ea5

by malwarelabrobot on May 15th, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.MultiPlug.oawt (Kaspersky), Win32.Ramnit.N (B) (Emsisoft), Win32.Ramnit.N (AdAware), Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 71edf02ea5a8e3b1ce54f78a09d13e28
SHA1: 121c437054be6cd53fa871338327d9b59bc60330
SHA256: f53f0b3e89855ebfae9221d8f15063d11f40043222b38dd973785ffdee2b29bc
SSDeep: 24576:J wTk15lz5bGVImgEfeGBdDmCSCSC iZqUNp2hZhj3op W:J sk1BGVIbajBt9pSC AChZhUL
Size: 1917946 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-19 02:05:34
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

regsvr32.exe:500
regsvr32mgr.exe:1388

The Worm injects its code into the following process(es):

Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:500 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp-log.txt (11204 bytes)
%System%\regsvr32mgr.exe (5442 bytes)

The process regsvr32mgr.exe:1388 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\system.ini (72 bytes)

Registry activity

The process regsvr32.exe:500 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF E6 43 81 4E 18 A5 90 A5 77 50 DC 1C C0 39 E3"

The process regsvr32mgr.exe:1388 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"35845605" = "343"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "91B7B29E83DF27BD845620F31F81699AEA234A0AF364777AFD8013C50880BEED261AF09F76D756B22D8490BFC624276D3076D4A74CC35D08D3701A2CD26E8FE302DFAECE118977A4B1E380EEB284A8F1F5762C79B4FF22C5F28C90BFC5888DEA3DA748B07164541111D2655DA3E285F8167DE1B62CBC7E30883AFB31B5B55DA8"
"43014726" = "0A00687474703A2F2F616B7A696C2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E63723473682E676F2E726F2F6C6F676F2E67696600687474703A2F2F6172746761732E636F6D2E62722F627574746F6E2E67696600687474703A2F2F6561726E6D6F6E657962642E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F736F68616D776F726C642E696E2F696D616765732F627574746F6E2E67696600687474703A2F2F73696D6963616E692E636F6D2F6C6F676F2E67696600687474703A2F2F7777772E73746F72667265652E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6E65776E69726D616E2E696E2F627574746F6E2E67696600687474703A2F2F7777772E6D736963742E696E2F696D616765732F6C6F676F2E67696600687474703A2F2F67616E757A6173762E636F6D2F6C6F676F2E676966"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "198"

"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 68 46 21 CC 4A BC E5 FC 43 3C 3B 77 AD 63 CD"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32]
"regsvr32mgr.exe" = "%System%\regsvr32mgr.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

Dropped PE files

MD5 File path
0ba74ebf12f69c3e97e999ccbfff6920 c:\WINDOWS\system32\regsvr32mgr.exe

HOSTS file anomalies

The Worm modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 www.Brenz.pl


Rootkit activity

The Worm installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 336257 336384 4.41408 4353327e7c370382de563f088c87535e
.rdata 344064 89200 89600 3.45699 b552b88f3a193d16770366517f446976
.data 434176 323732 311808 0.734163 c9dad4475d355df49a1ae8fcd0ce82d6
.rsrc 761856 480 512 3.27493 c31f0039ae1631f5712fd39f46c1dc92
.reloc 765952 98700 98816 1.64638 e8d3f58e4e0cbc1cdaf177bfb4f7045a
.text 868352 1081344 1079296 5.48309 9fd3f4c6cfbecd4a8c1da0071521f7e2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Worm connects to the servers at the folowing location(s):

Explorer.EXE_1684_rwx_00EE0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL

Explorer.EXE_1684_rwx_00EF0000_00001000:

|explorer.exeM_1684_


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:500
    regsvr32mgr.exe:1388

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp-log.txt (11204 bytes)
    %System%\regsvr32mgr.exe (5442 bytes)
    %WinDir%\system.ini (72 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now