A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2480  by Buster_BSA
 Sat Aug 28, 2010 9:44 pm
You talk about 4 variants (A B C D) but Kaspersky is detecting that one as "ani" which means they detect tons of variants.
 #2481  by SecConnex
 Sat Aug 28, 2010 10:35 pm
Yep. They detect tons of them.
 #2626  by ConanTheLibrarian
 Fri Sep 03, 2010 2:11 pm
I apologize; there seems to be some confusion on my end as to whether this infection actually patches .exe's or not. I know it patches .html files with VBScript (I have seen this myself). I am getting mixed messages on whether or not the infection patches legitimate .exe's like Virut.BM did.

Can anybody answer that has studied this? Thanks in advance.
 #3161  by ConanTheLibrarian
 Wed Oct 20, 2010 4:02 pm
Has anyone seen a detection tool that simply detects the presence of the virus? We have had to make our own detection tools and they are not as robust as they could be. We need to be able to use the tool freely without having to pay for it or get into a contract. Thanks in advance.
 #3163  by SecConnex
 Wed Oct 20, 2010 6:05 pm
Kaspersky Virus Removal Tool
Dr. Web CureIt.
Norman Malware Cleaner
ESET Online Scan
Kaspersky Online Scan
 #3302  by Quads
 Wed Nov 03, 2010 11:17 pm
Norton will also now (actually it will be a few weeks) remove the VBScript from the .htm(l) files without deleting the .htm(l) files, so the file is back to a pre-Ramnit state.

The only thing is, if the "desktoplayer.exe" running is one that is not detected, you just end up going around in circles: .exe, .dll and .htm(l) files cleaned, desktoplayer still running, so it just reinfects the .exe, .dll and .htm(l) files again, around and around we go.

Quads
 #3607  by Quads
 Sat Nov 20, 2010 1:54 am
It's Ramnit

ProgramFiles\Microsoft\WaterMark.exe instead of the Desktoplayer.exe for the Winlogon entry

Norton = W32.Ramnit.B!inf

Quads
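A triage script for the indicators the posters above name (a running desktoplayer.exe, WaterMark.exe under ProgramFiles\Microsoft, the Winlogon entry, VBScript injected into .htm(l) files), written here as an added example and not a tool from anyone in this thread. It assumes the Winlogon value involved is Userinit or Shell (the thread only says "Winlogon entry"), and its VBScript match is a coarse heuristic that will also flag legitimate pages, so hits need manual review.

```powershell
# Added example, not from the thread. Reports the Ramnit indicators discussed
# above so the running loader can be dealt with before files are cleaned
# (otherwise, as noted in the thread, cleaned files are simply reinfected).
param(
    [string[]]$HtmlRoots = @("$env:USERPROFILE")   # folders to scan for .htm/.html
)
$indicators = @('desktoplayer.exe', 'watermark.exe')  # names from the thread
$findings = @()

# 1. Winlogon Userinit / Shell values (assumption: the "Winlogon entry" is one of these)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Userinit', 'Shell') {
    $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -and ($indicators | Where-Object { $value -match [regex]::Escape($_) })) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Where = "$winlogon\$name"; Detail = $value }
    }
}

# 2. Running processes with the names reported in the thread
Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $indicators -contains ("$($_.ProcessName).exe".ToLower())
} | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Where = $_.Id; Detail = $_.Path }
}

# 3. Dropped binary at the ProgramFiles\Microsoft path given in the thread
foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($pf) {
        $candidate = Join-Path $pf 'Microsoft\WaterMark.exe'
        if (Test-Path -LiteralPath $candidate) {
            $hash = (Get-FileHash -LiteralPath $candidate).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Where = $candidate; Detail = $hash }
        }
    }
}

# 4. .htm/.html files carrying a VBScript block (coarse heuristic, review hits by hand)
Get-ChildItem -Path $HtmlRoots -Recurse -Include *.htm, *.html -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
        if ($text -match '(?i)<script[^>]*language\s*=\s*"?vbscript') {
            $findings += [pscustomobject]@{ Type = 'Html'; Where = $_.FullName; Detail = 'VBScript block present' }
        }
    }

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt so the Winlogon key and all process paths are readable; an empty table means none of the thread's indicators were found, not that the machine is clean.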