Saturday, January 07, 2012

Rammit, Ramnit!

The fast-spreading Ramnit worm (affecting Windows 9x, 2000, XP, Vista and Windows 7) steals Facebook passwords and hijacks Facebook accounts. The worm, about to reach "epidemic" status, sends threatening posts to your entire list of friends. These posts may look harmless, but they contain malicious links that spread the threat to your friends.

Threat Level: Critical

Ramnit worm Infection Symptoms

* Google and Yahoo searches are redirected. The desktop background image and browser homepage settings are changed. This is a common symptom of a very serious Ramnit worm infection.

* Ramnit worm slows down your computer considerably and you will feel like your computer is stuck. Opening programs, shutting down the computer and browsing the Internet all become slow.

* You will get many unwanted pop-ups. Ramnit worm corrupts your Windows registry and uses it to deploy annoying pop-up ads out of nowhere.

W32.Ramnit.B is a Windows-based virus that spreads by copying itself to network drives and removable USB drives. It does this by creating an Autorun.inf file in the root directory of each compromised drive, so that W32.Ramnit.B runs when a flash drive or network drive is accessed or opened. Once the worm is awakened, it scans the targeted drive for .exe, .dll and .html files to infect.

Warning: WORM/Ramnit.A.20.worm is nothing to shrug off or ignore: it is quite a malicious item crafted to allow remote access to your PC or laptop, to occupy a large share of precious system resources, to trace your Internet habits and to record/steal your passwords and other personal information.

Ok, so what do you do?

• 1 Disable System Restore (Windows ME and XP users only) Right click My Computer → Properties → System Restore tab → Put a check mark on Turn off system restore on all drives box → Restart Computer

• 2 Terminate the following processes (Right click taskbar → open Task Manager → click Processes tab → right click on the identified worm → End Process)



• 3 Delete the worm added registry value (Start → run → type regedit → User Account Control (UAC) will ask you if you want to allow the following program to make changes to the computer → click Yes)

24C2&SUBSYS_013A1028&REV_01\3&172e68dd&0&E8\Device Parameters\"DetectedLegacyBIOS" = "1"

• 4 Restore the original registry value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%system%\userinit.exe,,c%ProgramFiles%\microsoft\watermark.exe"

{Disclaimer: Registry modification is done at your own risk. Back up the registry before making any changes!}

• 5 Show Hidden Files and Folders (Open My Computer → Tools → Folder Options → View Tab → click show hidden folders, files and drives. Uncheck hide operating systems files. Click OK)

• 6 Delete the listed Infected Files

%DriveLetter%\Copy of Shortcut to (4).lnk
%DriveLetter%\Copy of Shortcut to (3).lnk
%DriveLetter%\Copy of Shortcut to (2).lnk
%DriveLetter%\Copy of Shortcut to (1).lnk

• 7 Reboot your machine!


  • It is possible for WORM/Ramnit.A.20.worm to load by hiding within the system WIN.INI file in the strings "run=" and "load=", so you must check these carefully in order to thoroughly remove it from your computer.
  • You also need to clean the IE temporary files, where the original carrier may be stored.
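
An added example, not part of the original post: an offline triage helper for the three autostart locations this page names (the Winlogon Userinit value, the run=/load= lines of WIN.INI, and Autorun.inf). The function names and the sample WIN.INI and Autorun.inf contents are constructed for illustration; the Userinit string is the one quoted in step 4.

```python
import ntpath
import re

def extra_userinit_entries(value):
    """Return Winlogon Userinit entries other than userinit.exe."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and ntpath.basename(e).lower() != "userinit.exe"]

def ini_section(text, section):
    """Yield (key, value) pairs of one INI section, keys lower-cased."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
        elif current == section and "=" in line:
            key, _, val = line.partition("=")
            yield key.strip().lower(), val.strip()

def win_ini_autostarts(text):
    """Programs named by run= / load= in the [windows] section of WIN.INI."""
    return [(k, v) for k, v in ini_section(text, "windows") if k in ("run", "load") and v]

def autorun_commands(text):
    """Commands an Autorun.inf would launch (open, shellexecute, shell\\<verb>\\command)."""
    launch = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")
    return [(k, v) for k, v in ini_section(text, "autorun") if launch.fullmatch(k) and v]

# Userinit value as quoted in step 4 of this page.
USERINIT = r"%system%\userinit.exe,,c%ProgramFiles%\microsoft\watermark.exe"
# Constructed sample files (file names are placeholders, not taken from the page).
WIN_INI = "[fonts]\n[windows]\nload=\nrun=C:\\example\\placeholder.exe\n"
AUTORUN = "[autorun]\nopen=placeholder.exe\nicon=folder.ico\nshell\\open\\command=placeholder.exe\n"

if __name__ == "__main__":
    print("Userinit extras:", extra_userinit_entries(USERINIT))
    print("WIN.INI autostarts:", win_ini_autostarts(WIN_INI))
    print("Autorun.inf commands:", autorun_commands(AUTORUN))
```

Any non-empty result is an entry to review by hand: a clean Userinit value lists only userinit.exe, and an Autorun.inf in the root of a USB or network drive that launches an executable deserves a closer look.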


  1. I never really understood why some people create viruses to cause grief to others. Thank you for sharing, this is the first time I have heard of this one!

  2. Infecting by W32.Ramnit.B is annoying, but if our Windows have one of big kind of antivirus brand, I think that can protect our Windows before that be more bad later.

