Ramnit evolves into a financial malware (Aug 25, 2011)


SonicWALL UTM Research team received reports of a new variant of Ramnit malware spreading in the wild.

The Ramnit malware family is known for following capabilities:

  • File infector: infects files with EXE, DLL, SCR, HTM and HTML extensions by appending its code.
  • Network propagation: Spreads via network shares and USB devices.
  • Backdoor: Creates a backdoor where it can receive remote instructions.
  • Steals FTP credentials and browser cookies.

The latest variant also incorporates Zeus-like Man-in-the-Browser (MitB) web inject functionality to steal Online Banking credentials. It is highly likely that some modules of the Zeus source code (leaked earlier this year) have been integrated into it.

The sample under investigation performs following activities on the infected system:

  • Creates a copy of itself as (Local Settings)Tempdbsoowwjviewtmlp.exe (random filename generated per system).
  • Initiates two instances of svchost.exe processes and injects code into it.
  • Infects executable files having .EXE and .DLL extensions by appending malicious code to the files. Below is a sample list of files under Program Files that were infected:
    • AdobeReader 9.0ReaderLogTransport2.exe
    • AdobeReader 9.0Readerpe.dll
    • AdobeReader 9.0Readersqlite.dll
    • Common FilesAdobeAcrobatActiveXAcroIEHelper.dll
    • Common FilesAdobeAcrobatActiveXAcroPDF.dll
    • Common FilesAdobe AIRVersions1.0Resourcestemplate.exe
    • Common FilesJavaJava Updatejusched.exe
    • Common FilesMicrosoft SharedMSDesigners7MSVCP71.DLL
    • Common FilesMicrosoft SharedOFFICE11MSO.DLL
    • Common FilesMicrosoft SharedOFFICE11MSSOAP30.DLL

    The infected executable files will have an additional section containing malicious code:


  • Makes registry modifications to launch itself upon system reboot. It also disables the Windows Safe Mode feature by deleting registry keys from following locations:
    • HKLMSYSTEMControlSet001ControlSafeBootMinimal
    • HKLMSYSTEMControlSet001ControlSafeBootNetwork
    • HKLMSYSTEMCurrentControlSetControlSafeBootMinimal
    • HKLMSYSTEMCurrentControlSetControlSafeBootNetwork

    Subsequent attempts to reboot infected system in Safe Mode will result in Blue Screen of Death (BSoD) crash.


  • Opens a backdoor Secure FTP server on TCP port 22 on the infected system.


  • Connects to a remote C&C server at carr(REMOVED)ezz.com using SSL connection to receive instructions.

SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

  • GAV: Ramnit.D (Trojan)
  • GAV: Ramnit.D_2 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.