Win32/Ramnit.A

AtYourService

I had a non-bootable computer infected with a rootkit. It wouldn't get detected from a live CD, and the computer would bluescreen as soon as it hit the desktop, so I finally decided to reformat.

My mistake, but when I backed up the files, I saved the drivers folder
and used the install to get the NIC working, without scanning the file first.

That let loose a ****-stream of virus-laden DLLs injecting into every executable and DLL on the system, Win32/Ramnit.A. This is the worst virus I've seen infecting files since Virut.

Gotta back up and reformat again, fun times. :D

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Ramnit.A

http://www.microsoft.com/security/p...edia/Entry.aspx?Name=Virus:Win32/Ramnit.A!dll
 
A client has a small system that has to stay internet connected, run a software program and be exposed to the web...

After it got Virut and worse things, I went and made a bootable Windows CD with their software. LOL.

Now if they get a virus on it I just restart the PC and leave the CD in the CD tray. P.S. no hard disk. LOL.
 
OK, I low-level formatted the HDD and
reinstalled AGAIN. The only thing I did was transfer newly downloaded drivers from a thumbdrive to the computer; this thumbdrive was scanned prior to using it.

I'm still getting a rootkit and the Ramnit infection, wtfork?
 
OK, I low-level formatted the HDD and
reinstalled AGAIN. The only thing I did was transfer newly downloaded drivers from a thumbdrive to the computer; this thumbdrive was scanned prior to using it.

I'm still getting a rootkit and the Ramnit infection, wtfork?

Then there are only a few possibilities:
- The installation source you are using is compromised.
- Your flash drive is infected.
- You're doing something else that you haven't mentioned.

Assuming the last option is not the case, try using another means of getting the drivers onto the system.
 
Well, it seems like I cleaned it out enough.

I was about to burn the drivers to a CD to transfer them.

I scanned my thumbdrive and it had no issues.
I'm gonna try a few different scanners on it just in case.

I didn't execute any files from his backup, and I cleaned out any EXEs/DLLs from the backup.
 
How about BIOS or MBR? Could be coming back through either, possibly.

And I second Ryan's comment; nuke and pave, baby. For the virut infections I've seen, it was the only solution (all possibles tried, including Kaspersky and Dr Web boot CD failed).
 
How about BIOS or MBR? Could be coming back through either, possibly.

Well, in normal circumstances it could be the MBR, but At Your Service said he low-level formatted the hard drive, so that'd wipe the MBR (and everything else on the disk). BIOS infections usually require a piece of malware to be specifically coded for that mobo series, so that is very unlikely (and I have never seen one, and I live for malware).
 
How about BIOS or MBR? Could be coming back through either, possibly.

And I second Ryan's comment; nuke and pave, baby. For the virut infections I've seen, it was the only solution (all possibles tried, including Kaspersky and Dr Web boot CD failed).

Yep, since Virut actually messed up files altogether, and did so extremely liberally, there was no good fix besides the nuclear option. The OS, the programs, and everything was just too damaged to get functional even if you did remove all traces of it.

I've only had a handful of Virut cases, but man those sucked.
 
Virut is, so far, the only thing on my list for "Infections Where I Stop Trying to Disinfect and Prep for Nuking". I got careless on one system (no symptoms) and some files jumped to my flash drive. Fortunately, my AV spotted it. Wiped it clean and just recopied from my backup.
 
Just got an HP Pavilion in with this. What a nightmare. Symptoms were no internet (IE wouldn't run), nor would Windows Update. Took it offline and did the usual scans with Malwarebytes, which dramatically slowed down after a couple of hours to checking a file every few seconds, but found 26 infections. Decided to slave it last night and scan with KIS, which found 350 infected DLL files and others within 6% of the drive :eek: Kaspersky identifies it as Nimnul.a, which appears to be a blanket name for Ramnit.a & Ramnit.b.

Will update later, but with the damage done it looks like an N&P.

Anyone else had this one?
 
Only 350? The one Ramnit I had (last post above, I think it was) had probably thousands. I was boot-scanning with Avast and every other file was infected. Disinfectable, but infected. If the customer hadn't begged me not to nuke....
 
The ESET online scanner seems to have good detection rates on this one, if that helps :)
 
Just got finished with a Win32/Sality infection around two weeks ago. It was a lot of trouble at first; I generally am wise enough to check for file infectors when the signs indicate a possible issue, but I forgot, and it infiltrated my toolkit. Luckily, I produce near-daily images of it, so I simply restored it, updated the tools, rebooted the machine to an offline OS, and ran Dr.Web's scanner to cure the files. Beyond that I performed an OTL scan/fix, rebooted into Windows, and ran a final few scans with ESET and finally Microsoft Security Essentials. All was well after that, and a bit of settings repair!
 