Submission Summary:

• Submission details:
• Submission received: 15 June 2017, 04:28:16
• Processing time: 5 min 57 sec
• Submitted sample:
• File MD5: 0x6D3B810632D77EAF0863E4AC303BB47E
• File SHA-1: 0x83C966D34DC046F52220379AC0F3546DE8E490BD
• Filesize: 180,224 bytes
• Alias:
• W32.Ramnit!inf [Symantec]
• Virus.Win32.Nimnul.a [Kaspersky Lab]
• W32/Ramnit.a [McAfee]
• W32/Patched-I [Sophos]
• Virus:Win32/Ramnit.A [Microsoft]
• Win32.SuspectCrc [Ikarus]
• Win32/Ramnit.B [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Capability to block security-related software by modifying firewall settings and by disabling security services, such as Windows Update, Norton Autoprotect, Kaspersky Anti-Virus, etc.
Produces outbound traffic.
There were some system executable files modified, which might indicate the presence of a PE-file infector.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\nannaa.exe [file and pathname of the sample #1]	180,224 bytes	MD5: 0x6D3B810632D77EAF0863E4AC303BB47E SHA-1: 0x83C966D34DC046F52220379AC0F3546DE8E490BD	W32.Ramnit!inf [Symantec] Virus.Win32.Nimnul.a [Kaspersky Lab] W32/Ramnit.a [McAfee] W32/Patched-I [Sophos] Virus:Win32/Ramnit.A [Microsoft] Win32.SuspectCrc [Ikarus] Win32/Ramnit.B [AhnLab]
2	%System%\nannaaSrv.exe [part of the sample filename]1Srv.exe	85,713 bytes	MD5: 0xC5C99988728C550282AE76270B649EA1 SHA-1: 0x113E8FF0910F393A41D5E63D43EC3653984C63D6	W32.Virut.CF [Symantec] Packed.Win32.Krap.hm [Kaspersky Lab] PWS-Zbot.gen.pq [McAfee] Mal/Agent-IE [Sophos] Virus.Win32.Virut [Ikarus]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following files were modified:
• [pathname with a string SHARE]\msinfo32.exe
• [pathname with a string SHARE]\sapisvr.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
• %ProgramFiles%\Internet Explorer\iedw.exe
• %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
• %ProgramFiles%\MSN\MSNIA\msniasvc.exe
• %ProgramFiles%\MSN\MSNIA\prestp.exe
• %ProgramFiles%\MSN\MsnInstaller\msninst.exe
• %ProgramFiles%\NetMeeting\cb32.exe
• %ProgramFiles%\NetMeeting\conf.exe
• %ProgramFiles%\NetMeeting\wb32.exe
• %ProgramFiles%\Outlook Express\msimn.exe
• %ProgramFiles%\Outlook Express\oemig50.exe
• %ProgramFiles%\Outlook Express\setup50.exe
• %ProgramFiles%\Outlook Express\wab.exe
• %ProgramFiles%\Outlook Express\wabmig.exe
• %ProgramFiles%\Web Publish\WPWIZ.EXE
• %ProgramFiles%\Windows Media Player\migrate.exe
• %ProgramFiles%\Windows Media Player\mplayer2.exe
• %ProgramFiles%\Windows Media Player\setup_wm.exe
• %ProgramFiles%\Windows Media Player\wmplayer.exe
• %ProgramFiles%\Windows NT\Accessories\wordpad.exe
• %ProgramFiles%\Windows NT\dialer.exe
• %ProgramFiles%\Windows NT\hypertrm.exe
• %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
• %Windir%\Cache\Adobe Reader 6.0.1\ENUBIG\setup.exe
• %Windir%\hh.exe
• %Windir%\inf\unregmp2.exe
• %Windir%\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
• %Windir%\Microsoft.NET\Framework\NETFXSBS10.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\jsc.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
• %Windir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
• %Windir%\msagent\agentsvr.exe
• %Windir%\mui\muisetup.exe
• %Windir%\NOTEPAD.EXE
• %Windir%\pchealth\helpctr\binaries\HelpCtr.exe
• %Windir%\pchealth\helpctr\binaries\HelpHost.exe
• %Windir%\pchealth\helpctr\binaries\HelpSvc.exe
• %Windir%\pchealth\helpctr\binaries\HscUpd.exe
• %Windir%\pchealth\helpctr\binaries\msconfig.exe
• %Windir%\pchealth\helpctr\binaries\notiflag.exe
• %Windir%\pchealth\UploadLB\Binaries\UploadM.exe
• %Windir%\regedit.exe
• %System%\accwiz.exe
• %System%\actmovie.exe
• %System%\ahui.exe
• %System%\arp.exe
• %System%\asr_fmt.exe
• %System%\asr_ldm.exe
• %System%\asr_pfu.exe
• %System%\at.exe
• %System%\atmadm.exe
• %System%\attrib.exe
• %System%\auditusr.exe
• %System%\blastcln.exe
• %System%\bootcfg.exe
• %System%\bootok.exe
• %System%\bootvrfy.exe
• %System%\cacls.exe
• %System%\calc.exe
• %System%\charmap.exe
• %System%\chkdsk.exe
• %System%\chkntfs.exe
• %System%\cidaemon.exe
• %System%\cipher.exe
• %System%\cisvc.exe
• %System%\ckcnv.exe
• %System%\cleanmgr.exe
• %System%\clean_all.exe
• %System%\cliconfg.exe
• %System%\clipbrd.exe
• %System%\clipsrv.exe
• %System%\cmd.exe
• %System%\cmdl32.exe
• %System%\cmmon32.exe
• %System%\cmstp.exe
• %System%\Com\comrepl.exe
• %System%\Com\comrereg.exe
• %System%\comp.exe
• %System%\compact.exe
• %System%\conime.exe
• %System%\control.exe
• %System%\convert.exe
• %System%\cscript.exe
• %System%\ctfmon.exe
• %System%\dcomcnfg.exe

• Notes:
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

• The following directories were created:
• c:\System Volume Information\.
• c:\System Volume Information\..

Memory Modifications

• There were new processes created in the system:

• There was a new service created in the system:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINHELP32
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINHELP32\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINHELP32\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHelp32
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHelp32\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHelp32\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINHELP32
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINHELP32\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINHELP32\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINHELP32\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "WinHelp32"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINHELP32\0000]
• Service = "WinHelp32"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Windows Help System"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINHELP32]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHelp32\Enum]
• 0 = "Root\LEGACY_WINHELP32\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHelp32\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHelp32]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%System%\nannaa.exe"
• DisplayName = "Windows Help System"
• ObjectName = "LocalSystem"
• Description = "Windows Help System for X32 windows desktop"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINHELP32\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "WinHelp32"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINHELP32\0000]
• Service = "WinHelp32"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Windows Help System"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINHELP32]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32\Enum]
• 0 = "Root\LEGACY_WINHELP32\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%System%\nannaa.exe"
• DisplayName = "Windows Help System"
• ObjectName = "LocalSystem"
• Description = "Windows Help System for X32 windows desktop"

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) =

Other details

• Analysis of the file resources indicate the following possible countries of origin:

	China
	Russian Federation

• To mark the presence in the system, the following Mutex objects were created:
• KyUffThOkYwRRtgPP
• WinHelp32

• The following port was open in the system:

• The following Host Names were requested from a host database:
• 157.52.160.68
• ilo.brenz.pl
• exevlw.com
• ejpsun.com
• bgxoom.com
• xvgmal.com
• vhuydo.com
• yracnr.com
• yetpar.com
• yawopg.com
• iozqml.com
• shhugt.com
• bfazxu.com
• ant.trenz.pl
• xbodab.com
• dkcyeg.com
• ypmpie.com
• etngio.com
• aysziu.com
• irbueh.com
• bisaao.com
• gbpnpw.com
• cwijov.com
• ssrabe.com
• dkfolt.com
• eezvam.com
• oyqgiz.com
• rofmlj.com
• fcebaq.com
• fvyezo.com
• puayjc.com
• vowdom.com
• cscuad.com
• poidcg.com
• xwlglu.com
• eiwsmu.com
• onslrb.com
• dhpxto.com
• diasou.com
• vsstui.com
• qpexiy.com
• fotlce.com
• khuofe.com
• euyenc.com
• osvkuh.com
• sazfic.com
• gtmugz.com
• ymqagh.com
• yvfyih.com
• rataex.com
• bnvebf.com
• eafgyk.com
• uwmdoi.com
• krqaqy.com
• emddcw.com
• ewervk.com
• edtffx.com
• cwuluh.com
• pmejur.com
• gwotxr.com
• argsly.com
• maxagw.com
• gbauwe.com
• pwukqb.com
• ojfbgp.com
• pptijm.com
• aifnop.com
• uevyha.com
• kflzyv.com
• pagdan.com
• sgimey.com
• kmuaeb.com
• pmfina.com
• mlwhbv.com
• tyfqrz.com
• oalsvf.com
• miopzu.com
• sweiuh.com
• psmagw.com
• egiqxi.com
• excqaa.com
• tfpoxz.com
• gxkowk.com
• ccumpe.com
• gstlmx.com
• zxcawz.com
• ucisyy.com
• oyvzbu.com
• ycjscm.com
• ghqrqg.com
• optryf.com
• chfoon.com
• uoyhhd.com
• nbzudn.com
• eiioci.com
• kivzey.com
• eyuuwy.com
• ygizyg.com
• awejdf.com
• tyxxoy.com

• There were registered attempts to establish connection with the remote hosts. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 8000:

• There was an outbound traffic produced on port 443: