W32.Ramnit.B… spreads via network and USB flash drives

Variant: W32.Ramnit.B

Operating Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

W32.Ramnit.B is a worm with file-infector behaviour that spreads by copying itself to network shares and removable USB drives. It replicates by writing an Autorun.inf file to the root directory of each compromised drive, so that W32.Ramnit.B runs whenever the flash drive or network drive is opened on a system that honours Autorun. Once active, the worm scans the targeted drive for .exe, .dll and .html files and infects them, which is why simply deleting the dropped files below is not enough: the infected executables and HTML files still need a full anti-virus scan.

Disable System Restore (Windows ME and XP users only, so that restore points do not keep a copy of the infected files): Right click My Computer → Properties → System Restore tab → Put a check mark in the Turn off System Restore on all drives box → Restart computer

Terminate the following processes (Right click taskbar → open Task Manager → click Processes tab → right click on the identified worm process → End Process)

%DriveLetter%\RECYCLER\S-6-8-78-6074043183-3137731366-826674213-1246\PdCMovQB.exe

%ProgramFiles%\Microsoft\WaterMark.exe

Delete the registry value the worm added (Start → Run → type regedit → on Vista and Windows 7, User Account Control (UAC) will ask you if you want to allow the following program to make changes to the computer → click Yes)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24C2&SUBSYS_013A1028&REV_01\3&172e68dd&0&E8\Device Parameters\"DetectedLegacyBIOS" = "1"

Restore the original Userinit registry value. The worm appends its own binary to the Winlogon Userinit entry so that watermark.exe is launched at every logon; the modified value looks like this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%system%\userinit.exe,,c%ProgramFiles%\microsoft\watermark.exe"

Edit the value so that only the stock entry remains, i.e. "%System%\userinit.exe," (the trailing comma is part of the default value). Leaving the watermark.exe reference in place will re-launch the worm on the next logon even after its files have been deleted.

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

Show hidden files and folders (Open My Computer → Tools → Folder Options → View tab → select Show hidden files, folders, and drives → uncheck Hide protected operating system files → click OK). The worm marks its dropped files and the autorun.inf as hidden/system, so they are invisible until this is done.

Delete the listed Infected Files

%DriveLetter%\Copy of Shortcut to (4).lnk
%DriveLetter%\Copy of Shortcut to (3).lnk
%DriveLetter%\Copy of Shortcut to (2).lnk
%DriveLetter%\Copy of Shortcut to (1).lnk
%DriveLetter%\autorun.inf
%DriveLetter%\RECYCLER\S-6-8-78-6074043183-3137731366-826674213-1246\tYZldSpD.cpl
%DriveLetter%\RECYCLER\S-6-8-78-6074043183-3137731366-826674213-1246\PdCMovQB.exe
%System%\dmlconf.dat
%ProgramFiles%\Microsoft\WaterMark.exe

Reboot the computer

Update definition files and Run Anti-Virus system scan
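The manual steps above, collected into a single PowerShell triage-and-cleanup script. This is an added example written for this page, not a tool from the original post or from any anti-virus vendor. It assumes an elevated PowerShell 2.0 or later prompt (Windows XP SP3, Vista or Windows 7; the Windows 9x/2000 systems listed above have no PowerShell), and it only knows the file names, RECYCLER folder name and registry value listed in the removal steps; other Ramnit samples may use different names. It runs as a dry run unless -Remediate is passed.

```powershell
# Added example: find and remove the W32.Ramnit.B artifacts listed in the removal steps.
# Dry run by default; run with -Remediate from an elevated prompt to act on findings.
param([switch]$Remediate)

$ErrorActionPreference = 'Continue'

# Indicators copied from the page. The RECYCLER subfolder name is the one listed there.
$RecyclerSid = 'S-6-8-78-6074043183-3137731366-826674213-1246'
$SystemDir   = Join-Path $env:SystemRoot 'System32'
$ProgFiles   = $env:ProgramFiles

# Files dropped on the system drive.
$HostFiles = @(
    (Join-Path $ProgFiles 'Microsoft\WaterMark.exe'),
    (Join-Path $SystemDir 'dmlconf.dat')
)

# Spreader artifacts written to the root of each infected drive.
$DriveFiles = @(
    'autorun.inf',
    'Copy of Shortcut to (1).lnk', 'Copy of Shortcut to (2).lnk',
    'Copy of Shortcut to (3).lnk', 'Copy of Shortcut to (4).lnk',
    "RECYCLER\$RecyclerSid\PdCMovQB.exe",
    "RECYCLER\$RecyclerSid\tYZldSpD.cpl"
)

$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Stock Userinit value on a clean system; the trailing comma is part of the default.
$CleanUserinit = "$SystemDir\userinit.exe,"

$findings = @()

# 1. Kill running copies first so they cannot re-drop files while we clean.
$badNames = @('WaterMark', 'PdCMovQB')   # process names are the file names without .exe
Get-Process | Where-Object { $badNames -contains $_.ProcessName } | ForEach-Object {
    $findings += "Process $($_.ProcessName) (PID $($_.Id)) running from $($_.Path)"
    if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

# 2. Winlogon\Userinit persistence: anything beyond userinit.exe is suspect.
#    -ne is case-insensitive in PowerShell, so %System% casing does not matter.
$userinit = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
if ($userinit -ne $CleanUserinit) {
    $findings += "Userinit is '$userinit' (expected '$CleanUserinit')"
    if ($Remediate) { Set-ItemProperty -Path $WinlogonKey -Name Userinit -Value $CleanUserinit }
}

# 3. Dropped files on the system drive.
foreach ($f in $HostFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings += "Host file present: $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

# 4. Spreader artifacts on every removable (2), fixed (3) and network (4) drive.
$drives = Get-WmiObject Win32_LogicalDisk | Where-Object { @(2, 3, 4) -contains $_.DriveType }
foreach ($d in $drives) {
    foreach ($rel in $DriveFiles) {
        $p = "$($d.DeviceID)\$rel"          # DeviceID looks like 'E:'
        if (Test-Path -LiteralPath $p) {
            $findings += "Drive artifact present: $p"
            if ($Remediate) {
                # The worm sets hidden/system/read-only attributes; clear them before deleting.
                (Get-Item -LiteralPath $p -Force).Attributes = 'Normal'
                Remove-Item -LiteralPath $p -Force
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No W32.Ramnit.B indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
    if (-not $Remediate) {
        'Dry run only; re-run with -Remediate to clean.'
    } else {
        'Reboot, then update definitions and run a full anti-virus scan: infected .exe/.dll/.html files must be disinfected by the scanner.'
    }
}
```

Run it once without -Remediate to review what it finds, then with -Remediate. The script deliberately kills the processes before touching files or the registry so the worm cannot re-create what has just been removed, and it restores Userinit to the stock value rather than re-writing the infected one. It does not disinfect the .exe, .dll and .html files the worm has already infected; that still requires the updated anti-virus scan in the final step, and on a heavily infected host an offline (boot-disk) scan is the safer option.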