Also detected as:
The following can indicate that you have this threat on your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
Windows Defender Antivirus detects and removes this threat.
This malware family steals your sensitive information, such as your bank user names and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running.
These threats can be installed on your PC through an infected removable drive, such as a USB flash drive.
Use the following free Microsoft software to detect and remove this threat:
You should also run a full scan. A full scan might find hidden malware.
To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
NOTE: The Microsoft Windows Malicious Software Removal Tool automatically restores the default Windows security setting as it remediates this malware issue. However, if you encounter any issues, you can also manually enable the Windows functions that the malware disabled to tamper with your system and lower your Windows security.
This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:
You should change your passwords after you've removed this threat:
Enable the Microsoft Active Protection Service (MAPS) on your system to protect your enterprise software security infrastructure in the cloud.
Check if MAPS is enabled in your Microsoft security product:
Select Settings and then select MAPS.
Select Advanced membership, then click Save changes. With the MAPS option enabled, your Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service.
You can also ask for help from other PC users at the Microsoft virus and malware community.
The threat copies itself using a hard-coded name or, in some cases, with a random file name to a random folder, for example:
Some variants copy themselves to the %TEMP% folder with a random name, for example lvjekdwi.exe, hvhvufsa.exe.
This file might be detected as Worm:Win32/Ramnit.A or by another similar detection name.
It creates the following registry entry to ensure that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe"
Win32/Ramnit launches a new instance of the system process svchost.exe and injects code into it. If the malware is unable to inject its code into svchost, it searches for your default web browser and injects its code into the browser's process.
The malware hooks the following APIs for this purpose:
The infection and backdoor functionality occurs in the web browser process context; it might do this to avoid detection and make cleaning an infection more difficult.
File infection
Older variants of Win32/Ramnit spread by infecting certain files with virus code. However, we have seen new variants without this file-infection functionality. The reason for the removal of this functionality in new variants might be to hinder detection and removal of the variant.
Older versions of the malware infect:
The infected executables might be detected as Virus:Win32/Ramnit.A or by another similar detection name.
The infected HTML files might be detected as Virus:VBS/Ramnit.A or by another similar detection name. The infected HTML files have an appended VBScript. When the infected HTML file is loaded by a web browser, the VBScript might drop a copy of Win32/Ramnit as %TEMP%\svchost.exe and then run the copy.
The infected document might be detected as Virus:O97M/Ramnit. The infected document contains a macro which will attempt to run when the document is opened. The macro might drop a copy of Win32/Ramnit as %TEMP%\wdexplore.exe and then run the copy.
Removable and network drives
Win32/Ramnit makes copies of the installer to removable drives with a random file name. The file might also be placed in a randomly-named directory in the \RECYCLER\ folder in the root of the drive, as in the following example:
<drive:>\RECYCLER\s-5-1-04-5443402830-2472267086-003818317-4634\rdkidfba.exe
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files tell the operating system to launch the malware file automatically when the drive is accessed from another PC that supports the Autorun feature.
This is common malware behavior, generally used to spread malware from PC to PC.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are also used by legitimate programs.
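As an added example (not code from the Microsoft write-up), the following PowerShell lists the two removable-drive artifacts described above: an autorun.inf in the drive root, with the lines that name what it would launch, and any .exe under \RECYCLER\. It assumes Windows with CIM available and is read-only; because autorun.inf is also used legitimately, the output is for review rather than automatic deletion.

```powershell
# Added example (not from the Microsoft page): enumerate removable drives and
# report autorun.inf launch lines and executables under \RECYCLER\, the two
# artifacts the write-up associates with Ramnit's spread. Read-only.
function Get-RemovableDriveAutorunIndicators {
    $findings = @()
    # DriveType 2 = removable media in Win32_LogicalDisk
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $root    = $d.DeviceID + '\'
        $autorun = Join-Path $root 'autorun.inf'
        if (Test-Path $autorun) {
            # Pull the [autorun] lines that would launch something (open=, shellexecute=, shell\...\command=)
            $launch = Get-Content $autorun -ErrorAction SilentlyContinue |
                      Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' }
            $findings += [pscustomobject]@{
                Drive  = $d.DeviceID
                Path   = $autorun
                Detail = ($launch -join '; ')
            }
        }
        $recycler = Join-Path $root 'RECYCLER'
        if (Test-Path $recycler) {
            # Ramnit drops a randomly named .exe in an S-... subfolder of \RECYCLER\;
            # -Force makes hidden/system files visible to the listing
            $exes = Get-ChildItem -Path $recycler -Recurse -Force -Include *.exe -ErrorAction SilentlyContinue
            foreach ($f in $exes) {
                $hidden = $f.Attributes.HasFlag([IO.FileAttributes]::Hidden)
                $findings += [pscustomobject]@{
                    Drive  = $d.DeviceID
                    Path   = $f.FullName
                    Detail = "$($f.Length) bytes, hidden=$hidden"
                }
            }
        }
    }
    return $findings
}

Get-RemovableDriveAutorunIndicators | Format-Table -AutoSize
```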
Connects to a remote server
Win32/Ramnit connects to a remote server over TCP port 443 and sends information to it.
The malware generates the name of the command-and-control server using a domain generation algorithm (DGA), for example:
The malware downloads other components from the server. These components change often, and can perform the following actions:
End or close certain antimalware programs
Win32/Ramnit can receive additional instructions from the server, including instructions to:
Win32/Ramnit sends information about your PC to the server, including the following:
The malware also receives a list of antimalware products from the remote server. It then closes or stops any processes related to those antimalware products.
Steals sensitive data
Win32/Ramnit might steal stored FTP passwords and user names from a number of common FTP applications, including:
Win32/Ramnit might also steal bank credentials by hooking the following APIs:
The malware collects stored browser cookies from the following web browsers:
The captured credentials are then sent to a remote server for collection by a hacker.
Disables security and antimalware software and services
The malware disables certain Windows functions that are designed to keep your PC safer and more secure. It disables these functions by making a number of registry modifications.
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Sets value: "Start"
With data: "4"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Sets value: "Start"
With data: "4"
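As an added example (not code from the Microsoft write-up), this PowerShell audits the registry values listed in the persistence and tampering sections above: it flags each value whose data matches what the malware sets, and reports any Userinit entry other than the system folder's userinit.exe. It assumes an elevated session and is read-only; a service Start value of 4 can also be an administrator's choice, so matches are findings to review, not proof of infection.

```powershell
# Added example (not from the Microsoft page): check the registry values the
# write-up lists for Ramnit's tampering and Userinit persistence. Read-only.
$Tampered = @(
    # Subkey, value name, and the data the write-up says the malware sets
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';         Bad = '0' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                        Name = 'AntiVirusOverride'; Bad = '1' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';                  Name = 'Start';             Bad = '4' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend';               Name = 'Start';             Bad = '4' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv';                Name = 'Start';             Bad = '4' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = '0' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc';                  Name = 'Start';             Bad = '4' }
)

function Test-RamnitRegistryTampering {
    $findings = @()
    foreach ($e in $Tampered) {
        $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # key or value absent: nothing to compare
        $data = [string]$item.$($e.Name)           # DWORDs compare as their decimal string
        if ($data -eq $e.Bad) {
            $findings += [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Data = $data; Issue = 'matches tampered data' }
        }
    }
    # Userinit should name only <system folder>\userinit.exe; any extra comma-separated
    # entry (the write-up's example is %ProgramFiles%\Microsoft\watermark.exe) is suspect.
    $wl       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        $legit   = Join-Path $env:SystemRoot 'system32\userinit.exe'
        $entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            if ($entry -ine $legit) {
                $findings += [pscustomobject]@{ Key = $wl; Name = 'Userinit'; Data = $entry; Issue = 'extra Userinit entry' }
            }
        }
    }
    return $findings
}

Test-RamnitRegistryTampering | Format-Table -AutoSize
```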
The malware also tampers with your default Windows security settings by enabling the following functions:
Analysis by Scott Molenkamp, Karthik Selvaraj, and Tim Liu