The Latest in IT Security

Little Red Ramnit: My, what big eyes you have, Grandma!


This month’s addition to MSRT is Win32/Ramnit. Having been discovered in April 2010, the family is relatively new; however, the authors of Ramnit seem to have a preference for an older generation of malicious techniques.

Whilst there are still a number of parasitic file infectors in the wild, the total number of malware families employing such a technique is relatively small. Like many of the file infectors that preceded it, Win32/Ramnit contains functionality to infect Windows PE files with extensions matching “.EXE”, “.SCR” and “.DLL”. In addition to infecting PE files, Ramnit also has the ability to infect HTML files, appending a small fragment of VBScript (Visual Basic Script) in order to drop and execute a Win32/Ramnit installer.
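The HTML infection described above leaves a recognisable artefact: script content appended after a document’s closing tag. The following is an added detection example, not code from the post or from MMPC; the VBScript markers it looks for (the `language="VBScript"` attribute and a few COM object names typical of file-dropping scripts) are constructed assumptions, not Ramnit’s actual fragment.

```python
import re
from typing import Optional

# Heuristics are constructed assumptions, not Ramnit's actual payload:
# a VBScript block appended after the document's closing </html> tag,
# plus COM objects commonly used by scripts that write and launch a file.
CLOSING_TAG_RE = re.compile(r"</html\s*>", re.IGNORECASE)
VBS_BLOCK_RE = re.compile(
    r"<script[^>]*(?:language\s*=\s*[\"']?vbscript|type\s*=\s*[\"']?text/vbscript)"
    r"[\"']?[^>]*>(.*?)</script>",
    re.IGNORECASE | re.DOTALL,
)
DROPPER_MARKERS = ("adodb.stream", "wscript.shell", "scripting.filesystemobject")


def appended_vbscript(html: str) -> Optional[str]:
    """Return the body of a VBScript block found after the first </html>, else None."""
    close = CLOSING_TAG_RE.search(html)
    if close is None:
        return None  # not a complete HTML document; nothing to compare against
    trailer = html[close.end():]
    m = VBS_BLOCK_RE.search(trailer)
    return m.group(1) if m else None


def classify(html: str) -> str:
    """'clean', 'appended-vbscript' (odd, no dropper markers) or 'suspicious-dropper'."""
    body = appended_vbscript(html)
    if body is None:
        return "clean"
    lowered = body.lower()
    if any(marker in lowered for marker in DROPPER_MARKERS):
        return "suspicious-dropper"
    return "appended-vbscript"


# Constructed samples: a clean page, one with a harmless trailing comment,
# and one mimicking the appended-fragment pattern described in the post.
CLEAN_PAGE = "<html><body><p>hello</p></body></html>\n"
TRAILING_COMMENT = CLEAN_PAGE + "<!-- generated by static site tool -->\n"
INFECTED_PAGE = CLEAN_PAGE + (
    '<script language="VBScript">\n'
    'Set s = CreateObject("ADODB.Stream")\n'
    'Set w = CreateObject("WScript.Shell")\n'
    "</script>\n"
)

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("comment", TRAILING_COMMENT), ("infected", INFECTED_PAGE)]:
        print(f"{name}: {classify(page)}")
```

Run over a directory of `.htm`/`.html` files, a `suspicious-dropper` result is worth triaging; `appended-vbscript` alone may be a legitimate but unusual page.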

Finally, whilst I was analyzing a variant of Ramnit in March this year, I was intrigued to encounter functionality which implemented Office file infection.

Image 1 - hex editor view of Office infection code

This particular variant of Win32/Ramnit would search both fixed and removable drives for files with “.DOC”, “.DOCX” or “.XLS” extensions to infect. It is worth noting that the functionality has since been removed from the latest variants. In each of these three cases, the code which is inserted in the target file has the same underlying functionality: it simply drops and executes an installer for Win32/Ramnit.

It is interesting to see that malware authors continue to experiment with both old and new techniques. Your trusty neighborhood MMPC team, combined with our antimalware technologies, stands vigilant against the threat of malicious software.


Scott Molenkamp
