Wednesday, 17 October 2012

Immunizing Flash Drives from Ramnit

You have probably heard of Ramnit. It is a persistent and dangerous piece of malware (rootkit, worm, spyware and file infector in one) that attacks Windows and infects .exe and .html files. Ramnit usually infects a flash drive almost instantly after the drive is inserted into an infected computer, and then infects clean computers from that flash drive (and vice versa). It can also open backdoors.

First, I will explain its characteristics so you understand it better.
If you are not comfortable with these details, skip this part.
  • The "mother" of Ramnit is Watermark.exe. It lives in C:\Program Files\Microsoft and is very hard to get rid of.
  • Ramnit always creates randomly named .exe files in the RECYCLER folder of infected flash drives.
  • Ramnit also creates persistent "Copy of Shortcut to (1)" through "(4)" shortcuts on the flash drive, pointing into the RECYCLER folder.
  • It creates a duplicate of each infected .exe file with "mgr" in its name.
  • It runs a browser in the background.
  • It means your computer can no longer be trusted.
  • It blocks access to the flash drive and changes its icon into a folder icon.
To immunize your flash drive, we first need to clean it. Cleaning it means cleaning every computer the drive has been inserted into. PCMAV's Ramnit killer can kill 98+ percent of these infections.
  • To download it, click here.
  • Note: run it in Safe Mode, and I recommend running it from a CD-ROM so the tool itself cannot be infected.
  • Cut every internet connection you have, LAN included.
  • Touch the computer as little as possible while it runs.
  • Restart.
  • Rescan two or three times after restarting, still in Safe Mode.
  • Search its log for "file infected".
  • Delete the flagged files (if any).
Then use the Dr.Web LiveCD as a second line of defense.
  • To download it, click here.
  • Burn it to a CD, obviously on a clean (or non-Windows) computer.
  • Boot the infected computer from the CD.
  • Choose "Dr.Web LiveCD (Default)".
  • Wait until the interface shows up.
  • Choose the drive you want to scan and make sure the "Scan subdirectories" option is checked. If the Dr.Web Scanner window does not appear, double-click Dr.Web Scanner on the desktop.
  • Start the scan by clicking Start.
  • Wait until the scan is finished.
  • Clean the infections by selecting all infected files and clicking the Cure button.
  • Rescan the computer.
Now let's assume your computer is nearly clean (Watermark.exe is gone, the "Copy of Shortcut to" files no longer appear, and so on) and Ramnit won't affect it too much. I hate to say this, but Ramnit can only be removed 100% by wiping the computer: every single drive, partition, file, byte and bit.

Now, as promised, WE'LL IMMUNIZE THE DRIVES!!! And immunize the computer against the mother too.
These tips won't repel Ramnit completely, and newer variants that haven't been seen yet may well bypass them.

Tip #1 - Killing the Branch.
Delete the RECYCLER folder and the "Copy of Shortcut to" files together. (The odds that this alone cleans the drive are very, very low, but it buys a few seconds.) Then create dummy files with the same names so Ramnit cannot recreate them: create five extensionless files and rename them to RECYCLER and the four "Copy of Shortcut to" names. A dummy only blocks a file whose full name matches exactly, so check the names Ramnit actually uses on your drive, extension included, and copy them character for character.

You can also lock the RECYCLER entry with HxD by editing its FAT directory entry on the disk. This only works on FAT-formatted drives (the usual format for flash drives), HxD must run as administrator to open the raw disk, and a reformat undoes it.
  • Download here.
  • Run HxD.
  • Open disk and select the flash drive. Don't check "Open as read only".
  • Ctrl-F and search for RECYCLER.
  • In the row where the name starts, change the 5th byte from the right (offset 0x0B of the 32-byte entry, its attribute byte) from 00 to 60. What you find there depends on the entry (10 for a real folder, 20 for a plain file); the effect comes from switching on the reserved 0x40 bit.
  • Ctrl-S (save).
Tip #2 - Autorun
You can protect autorun.inf the same way, again with HxD.
  • Run HxD.
  • Open disk and select the flash drive. Don't check "Open as read only".
  • Ctrl-F and search for autorun.inf.
  • In the row where the name starts, change the 5th byte from the right (the attribute byte) from 20 to 40 (20 is the archive bit a normal file carries; 40 is the reserved bit).
  • Ctrl-S (save).
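Tip #1 and Tip #2 both edit the same thing: the attribute byte at offset 0x0B of a 32-byte FAT directory entry. The following Python script is an added example for this post, not code from the original author, and does that edit on a dump of a directory region. Unlike a plain Ctrl-F it checks that the hit is a live short-name entry (it skips deleted entries and long-file-name pieces) and it ORs in the reserved 0x40 bit instead of overwriting the byte, so the same code works for a folder, a dummy file or autorun.inf. The sample directory and boot sector bytes are constructed for the demo; reading "5th byte from the right" as offset 0x0B assumes HxD's default 16 bytes per row.

```python
"""FAT directory-entry attribute edit, i.e. the HxD steps done programmatically.
Added example for this post (not the original author's code); sample data is constructed."""
import struct

# Attribute bits of a 32-byte FAT directory entry (FAT specification).
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM, ATTR_VOLUME_ID = 0x01, 0x02, 0x04, 0x08
ATTR_DIRECTORY, ATTR_ARCHIVE = 0x10, 0x20
ATTR_RESERVED = 0x40   # the bit the HxD steps switch on (reserved in the FAT spec)
ATTR_LONG_NAME = 0x0F  # marks a long-file-name piece, which is not a real entry
ENTRY_SIZE = 32
ATTR_OFFSET = 0x0B     # attribute byte: the "5th byte from the right" of a 16-byte HxD row


def short_name(name: str) -> bytes:
    """Encode a file name as the 11-byte 8.3 field: upper case, space padded, no dot."""
    base, _, ext = name.upper().partition(".")
    if len(base) > 8 or len(ext) > 3:
        raise ValueError("not an 8.3 name: %r" % name)
    return base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")


def make_entry(name: str, attr: int, cluster: int = 0, size: int = 0) -> bytes:
    """Build a 32-byte directory entry with zeroed timestamps (used for the sample only)."""
    return short_name(name) + struct.pack(
        "<BBBHHHHHHHI", attr, 0, 0, 0, 0, 0, cluster >> 16, 0, 0, cluster & 0xFFFF, size)


def find_entries(region, name: str):
    """Yield offsets of live short-name entries matching `name`: skips deleted entries
    (first byte 0xE5) and LFN pieces, stops at the end-of-directory marker (0x00)."""
    wanted = short_name(name)
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = region[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:
            break
        if entry[0] == 0xE5 or entry[ATTR_OFFSET] & ATTR_LONG_NAME == ATTR_LONG_NAME:
            continue
        if bytes(entry[:11]) == wanted:
            yield off


def describe_attr(attr: int) -> str:
    """Render an attribute byte as letters, e.g. 0x60 -> 'AX' (archive + reserved)."""
    flags = (("R", ATTR_READ_ONLY), ("H", ATTR_HIDDEN), ("S", ATTR_SYSTEM), ("V", ATTR_VOLUME_ID),
             ("D", ATTR_DIRECTORY), ("A", ATTR_ARCHIVE), ("X", ATTR_RESERVED))
    return "".join(letter for letter, bit in flags if attr & bit) or "-"


def lock_entry(region: bytearray, name: str) -> list:
    """OR the reserved bit into every matching entry; return (offset, old, new) per change."""
    changes = []
    for off in list(find_entries(region, name)):
        old = region[off + ATTR_OFFSET]
        new = old | ATTR_RESERVED
        region[off + ATTR_OFFSET] = new
        changes.append((off, old, new))
    return changes


def fat32_root_dir_offset(boot: bytes) -> int:
    """Byte offset of the FAT32 root directory, computed from the BPB fields in sector 0."""
    bytes_per_sec, sec_per_clus, reserved, num_fats = struct.unpack_from("<HBHB", boot, 11)
    fat_size, = struct.unpack_from("<I", boot, 36)
    root_cluster, = struct.unpack_from("<I", boot, 44)
    data_start = (reserved + num_fats * fat_size) * bytes_per_sec
    return data_start + (root_cluster - 2) * sec_per_clus * bytes_per_sec


# Constructed sample root directory: volume label, the autorun.inf dummy, a decoy whose
# name bytes read RECYCLER but carry the LFN attribute, a deleted RECYCLER folder,
# the RECYCLER dummy file from Tip #1, then the end-of-directory marker.
SAMPLE_DIR = bytes(
    make_entry("MYUSB", ATTR_VOLUME_ID)
    + make_entry("AUTORUN.INF", ATTR_ARCHIVE, cluster=3)
    + make_entry("RECYCLER", ATTR_LONG_NAME)
    + b"\xE5" + make_entry("RECYCLER", ATTR_DIRECTORY)[1:]
    + make_entry("RECYCLER", ATTR_ARCHIVE, cluster=4)
    + bytes(ENTRY_SIZE)
)

# Constructed FAT32 boot sector: 512 B/sector, 8 sectors/cluster, 32 reserved sectors,
# 2 FATs of 1000 sectors each, root directory in cluster 2.
SAMPLE_BOOT = bytearray(512)
struct.pack_into("<HBHB", SAMPLE_BOOT, 11, 512, 8, 32, 2)
struct.pack_into("<I", SAMPLE_BOOT, 36, 1000)
struct.pack_into("<I", SAMPLE_BOOT, 44, 2)

if __name__ == "__main__":
    region = bytearray(SAMPLE_DIR)
    for name in ("RECYCLER", "autorun.inf"):
        for off, old, new in lock_entry(region, name):
            print("%-12s @0x%03X  %02X (%s) -> %02X (%s)" % (name, off, old, describe_attr(old), new, describe_attr(new)))
    print("root directory at byte offset", fat32_root_dir_offset(SAMPLE_BOOT))
```

To use it on a real drive, read the directory region from the raw volume (on Windows open(r"\\.\E:", "r+b") from an administrator prompt, reading and writing whole sectors) or from an image file, run lock_entry on the bytes, and write the region back at the same offset; fat32_root_dir_offset gives you where the root directory of a FAT32 volume starts. The "Copy of Shortcut to" files have long names and sit under generated ~1 short names, so they are not matched by this 8.3 lookup; the post only locks RECYCLER and autorun.inf anyway.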
Tip #3 - The Root of Them All
Kill the mother and her children die with her. C:\Program Files\Microsoft\Watermark.exe won't be deleted easily, so use RamnitKiller or a file-deletion tool such as FileAssassin. Once the mother is dead, create a dummy file with the same name and .exe extension in its place. This is best done in Safe Mode.

Credits:
http://doel-info.blogspot.com
http://blogurutanpertama.blogspot.com
http://bablashot.blogspot.com
