This month’s addition to MSRT is Win32/Ramnit. Having been discovered in April 2010, the family is relatively new, however, the authors of Ramnit seem to have a preference for using an older generation of malicious techniques.
Whilst there are still a number of parasitic file infectors in the wild, the total number of malware families employing such a technique is relatively small. Like many of file infectors which preceding it, Win32/Ramnit contains functionality to infect Windows PE files with extensions matching “.EXE”, “.SCR” and “.DLL”. In addition to infecting PE files, Ramnit also has the ability to infect HTML files, appending a small fragment of VBScript (Visual Basic Script) in order to drop and execute a Win32/Ramnit installer.
Finally, whilst I was analyzing a variant of Ramnit in March this year, I was intrigued to encounter functionality which implemented Office file infection.
Image 1 – hex editor view of Office infection code
This particular variant of Win32/Ramnit would search both fixed and removable drives for files with “.DOC”, “.DOCX” or “.XLS” extensions to infect. It is worth noting, the functionality has since been removed from the latest variants. In each of these three cases, the code which is inserted in the target file has the same underlying functionality. It simply drops and executes an installer for Win32/Ramnit.
It is interesting to see that malware authors continue to experiment with both old and new techniques. Your trusty neighborhood MMPC team, combined with our antimalware technologies, stand vigilant against the threat of malicious software.
Scott Molenkamp
Leave a reply
