Virus:W32/Ramnit is no stranger to many malware analysts/researchers, as it was in the wild back in 2010.
Other malware researchers have blogged about the technical details of this interesting virus (here and here, for example); however there are still some noteworthy techniques — and an “easter egg” — waiting to be discovered.
One of the interesting techniques is the injection method that Ramnit uses. This differs from the traditional method, in which a virus would create a suspended thread and inject code using a memory writing Windows API function, then resume the suspended thread after the injection is done.
In this case, what makes Ramnit different is that it calls a Windows API function to spawn a new process, either the default web browser process or the Generic Host Process for Win32 Services, also known as svchost.exe. By injecting into this newly spawned process, the code stays invisible to the user and runs inside a process that the firewall already permits.
Before this happens though, Ramnit installs an inline hook in an undocumented Windows native system service called Ntdll!ZwWriteVirtualMemory. The picture below depicts how this injection works:

When the hooked native system service is called, it redirects execution to Ramnit's own module in the calling process, and that module performs the code injection into the new process. The injected code includes the capability for file infection (Windows executable and HTML files), as well as backdoor and downloader functionality.
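As an added defender-side example (not code from the original post or from F-Secure), the following Python shows the integrity check that hook scanners perform against exactly this technique: it compares the prologue of an ntdll export as mapped in a running process with the clean copy from the on-disk image, and if they differ it classifies the redirection and recovers its target. The sample bytes are constructed: they follow the shape of a 32-bit XP-era Zw* stub (mov eax, index; mov edx, 7FFE0300h; call [edx]; ret 14h) with an illustrative service index, and the addresses 0x7C901000 and 0x10001000 are assumptions, not Ramnit's real values. Reading the live bytes would need ReadProcessMemory and a mapped copy of ntdll.dll on Windows; that part is left out so the comparison logic runs anywhere.

```python
import struct

# Constructed sample: the 32-bit ntdll stub shape for a Zw* system service
#   mov eax, <service index>; mov edx, 7FFE0300h; call [edx]; ret 14h
# Real byte values vary by Windows build; the index 0x115 is illustrative only.
CLEAN_ZWWRITEVIRTUALMEMORY = bytes.fromhex("B8 15 01 00 00 BA 00 03 FE 7F FF 12 C2 14 00")

# Assumed addresses for the worked example (not taken from the page).
NTDLL_FUNC_VA = 0x7C901000    # where the export is mapped in the victim process
HOOK_MODULE_VA = 0x10001000   # where the hooking module's handler lives


def classify_patch(prologue: bytes, func_va: int):
    """Recognise the common inline-hook trampolines at the start of a function.

    Returns (kind, absolute_target) or (None, None) if no trampoline is found.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:              # jmp rel32
        rel = struct.unpack("<i", prologue[1:5])[0]
        return "jmp rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32; ret
        return "push/ret", struct.unpack("<I", prologue[1:5])[0]
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xFF\xE0":  # mov eax,imm32; jmp eax
        return "mov eax/jmp eax", struct.unpack("<I", prologue[1:5])[0]
    if len(prologue) >= 6 and prologue[0:2] == b"\xFF\x25":     # jmp dword ptr [abs32]
        return "jmp indirect", struct.unpack("<I", prologue[2:6])[0]
    return None, None


def check_export(name: str, in_memory: bytes, on_disk: bytes, func_va: int) -> dict:
    """Compare the mapped prologue against the clean image and report any hook."""
    diffs = [i for i, (a, b) in enumerate(zip(in_memory, on_disk)) if a != b]
    kind, target = classify_patch(in_memory, func_va)
    return {
        "export": name,
        "hooked": bool(diffs),
        "first_diff": diffs[0] if diffs else None,
        "kind": kind,                 # None when bytes differ but no known trampoline matched
        "target": target,
    }


def scan_exports(samples: dict) -> list:
    """samples maps export name -> (in_memory, on_disk, func_va); returns hooked entries."""
    results = [check_export(n, *v) for n, v in samples.items()]
    return [r for r in results if r["hooked"]]


def build_jmp_hook(clean: bytes, func_va: int, target_va: int) -> bytes:
    """Constructed test input: a 5-byte jmp rel32 written over the clean prologue."""
    rel = target_va - (func_va + 5)
    return b"\xE9" + struct.pack("<i", rel) + clean[5:]


# Constructed 'hooked' view of the same export, as a scanner would read it from memory.
HOOKED_SAMPLE = build_jmp_hook(CLEAN_ZWWRITEVIRTUALMEMORY, NTDLL_FUNC_VA, HOOK_MODULE_VA)

if __name__ == "__main__":
    samples = {
        "ZwWriteVirtualMemory": (HOOKED_SAMPLE, CLEAN_ZWWRITEVIRTUALMEMORY, NTDLL_FUNC_VA),
        "ZwClose": (CLEAN_ZWWRITEVIRTUALMEMORY, CLEAN_ZWWRITEVIRTUALMEMORY, NTDLL_FUNC_VA + 0x100),
    }
    for hit in scan_exports(samples):
        print(f"{hit['export']}: {hit['kind']} -> 0x{hit['target']:08X} (first diff at +{hit['first_diff']})")
```

A byte-for-byte comparison is deliberately kept separate from trampoline classification: a scanner should raise an alert on any prologue mismatch, and only use the classification to tell the analyst where the redirected flow lands (here, a module outside ntdll's own image range).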
Another noteworthy detail in Ramnit is its “easter egg”, found in the DLL that it injects into the processes mentioned above. The code snapshot below should explain everything:

Basically, this easter egg navigates to the registry key and looks for “WASAntidot”:

When we try to create a “WASAntidot” registry key on a test machine, we see this:

Voila! The machine is safe from Ramnit infection now!
Threat Solutions post by — Wayne
On 08/04/11 At 08:42 AM
Posted on 10 April 2011. Tags: Blocks, itself, virus
The above information is reprinted from and copyrighted © by F-Secure.