ThreatExpert Report: W32.Ramnit.B!inf, W32/NGVCK, Virus:Win32/Ramnit.I, Win32/Ramnit

Submission Summary:

Submission details:

Submission received: 19 November 2010, 07:30:58
Processing time: 11 min 19 sec
Submitted sample:

File MD5: 0xBA2D1C78C4B3B3FC35770749E9AD5F86
File SHA-1: 0x888BA69F247886D09274BF4833E17B5E302A607D
Filesize: 111,104 bytes

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\Microsoft\WaterMark.exe	225,131 bytes	MD5: 0x1630012AFBA2A5A059DB7314C8C8EB8D SHA-1: 0xF5E815C3788A48EE1B9EAC206B01D60C0B335030	W32.Ramnit.B!inf [Symantec] W32/NGVCK [McAfee] Virus:Win32/Ramnit.I [Microsoft] Win32/Ramnit [AhnLab]
2	%System%\dmlconf.dat	16 bytes	MD5: 0x7501E23DD144D8D8E67D3D0C36860567 SHA-1: 0x0E3364EA16D82BAE3135D01827979809689701F1	(not available)
3	[file and pathname of the sample #1]	111,104 bytes	MD5: 0xBA2D1C78C4B3B3FC35770749E9AD5F86 SHA-1: 0x888BA69F247886D09274BF4833E17B5E302A607D	(not available)

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

c:\contacts.html
c:\Inetpub\wwwroot\index.html
%ProgramFiles%\Common Files\designer\MSADDNDR.DLL
%ProgramFiles%\Common Files\designer\MSHTMPGD.DLL
%ProgramFiles%\Common Files\designer\MSHTMPGR.DLL
[pathname with a string SHARE]\Blank.htm
[pathname with a string SHARE]\Citrus Punch.htm
[pathname with a string SHARE]\Clear Day.htm
[pathname with a string SHARE]\Fiesta.htm
[pathname with a string SHARE]\Glacier.htm
[pathname with a string SHARE]\Ivy.htm
[pathname with a string SHARE]\Leaves.htm
[pathname with a string SHARE]\Maize.htm
[pathname with a string SHARE]\Nature.htm
[pathname with a string SHARE]\Network Blitz.htm
[pathname with a string SHARE]\Pie Charts.htm
[pathname with a string SHARE]\Sunflower.htm
[pathname with a string SHARE]\Sweets.htm
[pathname with a string SHARE]\Technical.htm
%ProgramFiles%\Common Files\System\ado\MDACReadme.htm
%ProgramFiles%\Common Files\System\Ole DB\MSDAIPP.DLL
%ProgramFiles%\MSN\MSNCoreFiles\OOBE\obelog.dll
%ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemetal.dll
%ProgramFiles%\MSN\MSNCoreFiles\OOBE\obepopc.dll
%ProgramFiles%\MSN\MSNIA\custdial.dll
%ProgramFiles%\MSN\MSNIA\msniasvc.exe
%ProgramFiles%\MSN\MSNIA\prestp.exe
%ProgramFiles%\MSN\MsnInstaller\iasvcstb.dll
%ProgramFiles%\MSN\MsnInstaller\msdbxi.dll
%ProgramFiles%\MSN\MsnInstaller\msninst.dll
%ProgramFiles%\MSN\MsnInstaller\msninst.exe
%ProgramFiles%\MSN\MsnInstaller\msnsign.dll
%ProgramFiles%\NetMeeting\netmeet.htm

The following directory was created:

%ProgramFiles%\Microsoft

Memory Modifications

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	36,864 bytes
lsass.exe	%System%\lsass.exe	36,864 bytes
svchost.exe	%System%\svchost.exe	36,864 bytes
svchost.exe	%System%\svchost.exe	36,864 bytes
svchost.exe	%System%\svchost.exe	53,248 bytes
svchost.exe	%System%\svchost.exe	36,864 bytes

Registry Modifications

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Userinit =

Other details

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
74.125.227.19	80
91.220.62.30	443

The data identified by the following URL was then requested from the remote web server:

http://www.google.com/pack/download/Google_Updater?hl=ru&srchcb=on&forcesrch=on&hpdisp=on&hpcb=on&stub=on&ciNum=0&file=Google_Updater.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 443:

00000000 | 00FF 0701 0000 F001 0000 0000 012E 0500 | ................
00000010 | 0001 0000 0000 0100 0000 0001 0000 0000 | ................
00000020 | 0121 0000 0000 A700 0000 10C2 0152 22F5 | .!...........R".
00000030 | FD89 CEE9 8068 D8CA AF28 E4D0 355A 31BF | .....h...(..5Z1.
00000040 | B125 AD13 D3D9 C6D9 4B7D 82CC C186 5FB4 | .%......K}...._.
00000050 | 5A6C E269 1886 22A7 C7C3 B84A AC3D 6B7D | Zl.i.."....J.=k}
00000060 | 0CE8 B069 81B0 FD7E 7F8A 1412 00E1 66D7 | ...i...~......f.
00000070 | 3DE9 3E3A D154 9971 56DD 759E 4158 A120 | =.>:.T.qV.u.AX.
00000080 | B99C 6B46 5FA2 52E6 03AA 7834 DC65 CA93 | ..kF_.R...x4.e..
00000090 | 56AF C6E2 5447 F157 D5E7 0AB4 E250 9003 | V...TG.W.....P..
000000A0 | C5A6 87A7 B82C D9E6 F02B D809 6443 88AB | .....,...+..dC..
000000B0 | 0DBC 0D9B BE99 C5DD 1EB5 F1D0 73A8 7BDC | ............s.{.
000000C0 | 7F04 2FD4 2061 1D2B DCD4 FC59 E1F6 C581 | ../. a.+...Y....
000000D0 | C700 2000 0000 B5FA 3662 10CC CDED FC8B | .. .....6b......
000000E0 | B809 C3F2 9D1C D0B3 5662 00E3 F537 F144 | ........Vb...7.D
000000F0 | 879D A6DD 4D22 0003 0000 00CD 8E4D 0105 | ....M".......M..
00000100 | 0000 0001 0000 0000 010D 0000 0000 FF0E | ................
00000110 | 0000 0011 0100 0000 0000 0300 0000 CD8E | ................
00000120 | 4D00 FF44 0000 00E2 0019 0000 00CF 8630 | M..D...........0
00000130 | 1313 C5BC BBF7 A8B4 58C5 F297 69D2 E004 | ........X...i...
00000140 | 685A 9BF7 63F5 0020 0000 00E9 A364 331F | hZ..c.. .....d3.
00000150 | C0C4 B1FD 8DE6 5CC1 F39A 1180 E003 6306 | ......\.......c.
00000160 | EFF4 37F6 4080 9BA2 8B4B 2000 FF07 0100 | ..7.@....K .....
00000170 | 00F0 0100 0000 0001 2E05 0000 0100 0000 | ................
00000180 | 0001 0000 0000 0100 0000 0001 4100 0000 | ............A...
00000190 | 00A7 0000 0010 C201 5222 F5FD 89CE E980 | ........R"......
000001A0 | 68D8 CAAF 28E4 D035 5A31 BFB1 25AD 13D3 | h...(..5Z1..%...
000001B0 | D9C6 D94B 7D82 CCC1 865F B45A 6CE2 6918 | ...K}...._.Zl.i.
000001C0 | 8622 A7C7 C3B8 4AAC 3D6B 7D0C E8B0 6981 | ."....J.=k}...i.
000001D0 | B0FD 7E7F 8A14 1200 E166 D73D E93E 3AD1 | ..~......f.=.>:.
000001E0 | 5499 7156 DD75 9E41 58A1 20B9 9C6B 465F | T.qV.u.AX. ..kF_
000001F0 | A252 E603 AA78 34DC 65CA 9356 AFC6 E254 | .R...x4.e..V...T
00000200 | 47F1 57D5 E70A B4E2 5090 03C5 A687 A7B8 | G.W.....P.......
00000210 | 2CD9 E6F0 2BD8 0964 4388 AB0D BC0D 9BBE | ,...+..dC.......
00000220 | 99C5 DD1E B5F1 D073 A87B DC7F 042F D420 | .......s.{.../.
00000230 | 611D 2BDC D4FC 59E1 F6C5 81C7 0020 0000 | a.+...Y...... ..
00000240 | 00B5 FA36 6210 CCCD EDFC 8BB8 09C3 F29D | ...6b...........
00000250 | 1CD0 B356 6200 E3F5 37F1 4487 9DA6 DD4D | ...Vb...7.D....M
00000260 | 2200 0300 0000 CD8E 4D01 0500 0000 0100 | ".......M.......
00000270 | 0000 0001 0D00 0000 00FF 0E00 0000 1101 | ................
00000280 | 0000 0000 0003 0000 00CD 8E4D 00FF 4400 | ...........M..D.
00000290 | 0000 00FF 4400 0000 E200 1900 0000 CF86 | ....D...........
000002A0 | 3013 13C5 BCBB F7A8 B458 C5F2 9769 D2E0 | 0........X...i..
000002B0 | 0468 5A9B F763 F500 2000 0000 E9A3 6433 | .hZ..c.. .....d3
000002C0 | 1FC0 C4B1 FD8D E65C C1F3 9A11 80E0 0363 | .......\.......c
000002D0 | 06EF F437 F640 809B A28B 4B20 E200 1900 | ...7.@....K ....
000002E0 | 0000 CF86 3013 13C5 BCBB F7A8 B458 C5F2 | ....0........X..
000002F0 | 9769 D2E0 0468 5A9B F763 F500 2000 0000 | .i...hZ..c.. ...
00000300 | E9A3 6433 1FC0 C4B1 FD8D E65C C1F3 9A11 | ..d3.......\....
00000310 | 80E0 0363 06EF F437 F640 809B A28B 4B20 | ...c...7.@....K
00000320 | 00FF 0701 0000 F001 0000 0000 012E 0500 | ................
00000330 | 0001 0000 0000 0100 0000 0001 0000 0000 | ................
00000340 | 0102 0000 0000 A700 0000 10C2 0152 22F5 | .............R".
00000350 | FD89 CEE9 8068 D8CA AF28 E4D0 355A 31BF | .....h...(..5Z1.
00000360 | B125 AD13 D3D9 C6D9 4B7D 82CC C186 5FB4 | .%......K}...._.
00000370 | 5A6C E269 1886 22A7 C7C3 B84A AC3D 6B7D | Zl.i.."....J.=k}
00000380 | 0CE8 B069 81B0 FD7E 7F8A 1412 00E1 66D7 | ...i...~......f.
00000390 | 3DE9 3E3A D154 9971 56DD 759E 4158 A120 | =.>:.T.qV.u.AX.
000003A0 | B99C 6B46 5FA2 52E6 03AA 7834 DC65 CA93 | ..kF_.R...x4.e..
000003B0 | 56AF C6E2 5447 F157 D5E7 0AB4 E250 9003 | V...TG.W.....P..
000003C0 | C5A6 87A7 B82C D9E6 F02B D809 6443 88AB | .....,...+..dC..
000003D0 | 0DBC 0D9B BE99 C5DD 1EB5 F1D0 73A8 7BDC | ............s.{.
000003E0 | 7F04 2FD4 2061 1D2B DCD4 FC59 E1F6 C581 | ../. a.+...Y....
000003F0 | C700 2000 0000 B5FA 3662 10CC CDED FC8B | .. .....6b......
00000400 | B809 C3F2 9D1C D0B3 5662 00E3 F537 F144 | ........Vb...7.D
00000410 | 879D A6DD 4D22 0003 0000 00CD 8E4D 0105 | ....M".......M..
00000420 | 0000 0001 0000 0000 010D 0000 0000 FF0E | ................
00000430 | 0000 0011 0100 0000 0000 0300 0000 CD8E | ................
00000440 | 4D00 FF44 0000 00E2 0019 0000 00CF 8630 | M..D...........0
00000450 | 1313 C5BC BBF7 A8B4 58C5 F297 69D2 E004 | ........X...i...
00000460 | 685A 9BF7 63F5 0020 0000 00E9 A364 331F | hZ..c.. .....d3.
00000470 | C0C4 B1FD 8DE6 5CC1 F39A 1180 E003 6306 | ......\.......c.
00000480 | EFF4 37F6 4080 9BA2 8B4B 20             | ..7.@....K

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.