Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
In the wild:
- Thursday, November 18, 2010
Method of propagation:
• Infects files
• Symantec: Win32.Ramnit.B!inf
• Mcafee: W32/Ramnit.a
• Kaspersky: Type_Win32
• F-Secure: Type_Win32
• Sophos: W32/Ramnit-A
• Bitdefender: Win32.Ramnit.H
• Eset: Win32/Ramnit.H virus
• DrWeb: Win32.Siggen.7
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows 7
• Infects files
The following files are created:
mgr.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
\Microsoft\WaterMark.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
Appender - The virus main code is added at the end of the infected file.
– The last section of the file is modified to include the virus code.
– A section is added to the infected file.
From: 64.000 Bytes
To: 66.000 Bytes
The following files are infected:
By file type:
Files in any the following paths and all their subpaths:
The following registry key is changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• "Userinit"="c:\windows\\system32\\userinit.exe,,C:\Program Files\\microsoft\\watermark.exe"
Description inserted by Alexander Bauer on Monday, November 22, 2010
Description updated by Alexander Bauer on Monday, November 29, 2010