Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:W32/Ramnit.C
Date discovered:18/11/2010
Type:File infector
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:No
IVDF version:7.10.14.35 - Thursday, November 18, 2010

 General Method of propagation:
   • Infects files


Aliases:
   •  Symantec: Win32.Ramnit.B!inf
   •  Mcafee: W32/Ramnit.a
   •  Kaspersky: Type_Win32
   •  F-Secure: Type_Win32
   •  Sophos: W32/Ramnit-A
   •  Bitdefender: Win32.Ramnit.H
   •  Eset: Win32/Ramnit.H virus
   •  DrWeb: Win32.Siggen.7


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Infects files

 Files The following files are created:

%current directory%\%executed file%mgr.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
%PROGRAM FILES%\Microsoft\WaterMark.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.

 File infection Infector type:

Appender - The virus main code is added at the end of the infected file.
– The last section of the file is modified to include the virus code.
– A section is added to the infected file.

Infection length:

From: 64.000 Bytes
To: 66.000 Bytes


The following files are infected:

By file type:
   • *.exe

Files in any the following paths and all their subpaths:
   • %drive%

 Registry The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Userinit"="c:\windows\\system32\\userinit.exe,"
   New value:
   • "Userinit"="c:\windows\\system32\\userinit.exe,,C:\Program Files\\microsoft\\watermark.exe"

Description inserted by Alexander Bauer on Monday, November 22, 2010
Description updated by Alexander Bauer on Monday, November 29, 2010

Back . . . .