Friday, December 2, 2011

W32/Ramnit.C Quick Analysis

I just received a laptop from a friend of mine that heavily infected with multiple viruses. I don't know how he can comfortably using it for few months until he felt so many annoying activities coming from the viruses. One of my interesting sample to be quickly analyze is W32/Ramnit. Based on few security blogs that I found this malware has been already discovered around April 2010. Let's check it out.

At the first detection I was notice that a lot of infections is coming from the HTML files (as Avira detecting so many HTML infection).

The HTML files contains a small VB Script that carrying embedded EXE files in Hex format that will drop in Windows temporary folder once user opening the infected HTML in their browser (only IE6 support VBScript). At the end of the infected HTML files seem to be a random garbage character in attempt to prevent a static size of HTML files.

Once the EXE file has been dropped, it will automatically execute the file. The EXE is about 108,032 bytes sizes (9B49FEC7E03C33277F188A2819B8D726). I'll explain quick going through what is the characteristic of the EXE file. The EXE has been compressed with UPX 3.03. Upon execution the following routine will be started:

  • Search for EXE, DLL and  HTML file extensions.

  • Infect all EXE and DLL by creating additional .text section on the PE file.

  • Infect HTML files by overwriting it with VBScript and Hexdecimal format of the EXE file.

The infected PE file will be create an additional PE sections called .text as shown on image below:

A large size of additional .text section (about 540kb) created which is contains a malicious code. The EP has been modify to execute malicous code first and point it back to actual EP to execute original code.

Manual cleaning for this type of malware probably impossible for end-user. Mass infection on users PC make it difficult to remove. The best way to fix it is either using NOD32  On-Demand Scanner (Portable) or format your Hard drive and installing new Windows.

No comments:

Post a Comment