
W32.Ramnit


This topic is locked.
1 reply to this topic

#1 Stefan10

  • Members
  • 1 posts

Posted 13 October 2010 - 05:52 AM

Hi there, I have been reading various forums, and this one especially, regarding the W32.Ramnit!html, W32.Ramnit!inf, W32.Ramnit.A and W32.Ramnit.C variants.

By the sounds of things here, you guys recommend formatting the hard drive and reinstalling, then transferring data back.

The thing is, that's not a fix. Now I just wondered if someone can explain why this infection cannot be stopped.

From how I understand it, the payload drops in a file in C:\Program Files\Microsoft\Desktopplayer.exe and from there it infects all .EXE, .DLL and .HTM(L) files.

Now I believe it injects a VB script into the HTML files, which can in fact be removed manually, and virus scanners such as Norton Internet Security apparently remove the code from those HTML files. However, with .DLL and .EXE files it's not so simple, as they are generally in use and removing the code can make the files unstable?

Basically, what stops you from taking clean files from a PC and running a script to inject these into the infected PC, replacing the infected ones?

Basically, we have had 5 PCs in the last 10 days with this issue. We have had to format 3; I have 1 currently here which I am attempting to fix, and one was a corporate user who has Symantec Endpoint Protection 11.6, and this software actually blocked AND removed the Ramnit infection. Home security software seems unable to do this.

But I may be wrong in that you are recommending formatting drives; if I am, I would like help to get this off the system.

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender: Male
  • Location: Numpty HQ

Posted 13 October 2010 - 03:56 PM

Good evening.

There are two reasons why this infection is treated to a nuke and pave. The first is the problem with removing the infection from all files without causing system instability. The second is the backdoor that this nasty attempts to create. Somebody in a remote location could access a PC as if they were sat in front of it, and so there is no way of knowing how many malicious files may have been dropped on the hard drive, legitimate files patched or replaced, and whether security settings have been lowered to make the PC easier to infect in the future.

The difficulty in guaranteeing a clean PC makes a reformat and reinstall the quickest and safest option in the long run, particularly if there is sensitive data on a system.

So long, and thanks for all the fish.
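Stefan10's idea of swapping infected files for clean copies from another PC, and Noviciate's objection that you cannot know what else was dropped, both come down to the same question: what do you compare the infected machine against? The script below is an added example written for this thread (it is not code from either poster or from any product mentioned): it hashes every file under a known-good tree and under the suspect tree, then reports files whose content changed, files that exist only on the suspect side, and files that went missing. The two directory trees, file contents and the "dropped" file are constructed sample data; the drop path C:\Program Files\Microsoft\Desktopplayer.exe and the .EXE/.DLL/.HTM(L) file types are the ones named in the thread.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the thread says Ramnit patches; used only to flag hits in the report.
INFECTABLE_SUFFIXES = {".exe", ".dll", ".htm", ".html"}


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare(clean, suspect):
    """Return (modified, added, missing) lists of relative paths.

    modified: present in both manifests with different hashes (patched files)
    added:    present only on the suspect side (dropped files the baseline never knew about)
    missing:  present only in the clean baseline
    """
    modified = sorted(p for p in clean if p in suspect and clean[p] != suspect[p])
    added = sorted(p for p in suspect if p not in clean)
    missing = sorted(p for p in clean if p not in suspect)
    return modified, added, missing


def is_infectable(rel_path):
    return Path(rel_path).suffix.lower() in INFECTABLE_SUFFIXES


def make_sample_trees(base):
    """Constructed sample data: a 'clean' tree and a 'suspect' copy with three changes."""
    base = Path(base)
    clean, suspect = base / "clean", base / "suspect"
    files = {
        "Windows/notepad.exe": b"MZ" + b"\x00" * 64,          # stand-in for a PE file
        "Windows/System32/user32.dll": b"MZ" + b"\x01" * 64,  # stand-in, stays untouched
        "inetpub/wwwroot/index.html": b"<html><body>hello</body></html>",
    }
    for root in (clean, suspect):
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # Suspect-side changes: a patched EXE, an altered HTML page, and a new dropped file
    # at the path the thread names. All contents are constructed markers, not real samples.
    (suspect / "Windows/notepad.exe").write_bytes(files["Windows/notepad.exe"] + b"APPENDED-SECTION")
    (suspect / "inetpub/wwwroot/index.html").write_bytes(
        files["inetpub/wwwroot/index.html"] + b"<!-- constructed marker for an injected block -->")
    dropped = suspect / "Program Files/Microsoft/Desktopplayer.exe"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_bytes(b"MZ" + b"\x02" * 64)
    return clean, suspect


def demo():
    """Build the sample trees in a temp dir and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, suspect_root = make_sample_trees(tmp)
        return compare(build_manifest(clean_root), build_manifest(suspect_root))


if __name__ == "__main__":
    modified, added, missing = demo()
    for label, paths in (("modified", modified), ("added", added), ("missing", missing)):
        for p in paths:
            flag = " [infectable type]" if is_infectable(p) else ""
            print(f"{label:9} {p}{flag}")
```

The report answers the first half of the thread: files whose hash differs from the clean baseline are the ones a clean-copy swap could restore, subject to the in-use problem Stefan10 raises for DLLs and EXEs. It also shows the limit Noviciate describes: a dropped file only appears in the "added" list because the baseline tree happened to cover that directory, and anything outside the compared trees (registry changes, lowered security settings, files in paths the baseline never included) is invisible to this check, which is why a hash diff can shrink the unknowns but cannot certify a machine clean.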
