Multi-License Discount Quote

Change Region

English
Threat Database Trojans Virus.Ramnit.I

Virus.Ramnit.I

By Sumo3000 in Trojans

Threat Scorecard

Popularity Rank: 11,110
Threat Level: 80 % (High)
Infected Computers: 12,825
First Seen: March 28, 2011
Last Seen: January 16, 2026
OS(es) Affected: Windows

Virus.Ramnit.I is a very serious intrusion into your computer's security. This virus combines the backdoor capabilities of a Trojan with the self-replication typical of worms. Virus.Ramnit.I can allow hackers to take complete control of your computer. This may let them infect your computer with other malicious programs to steal your money, or use your computer for their own purposes. Virus.Ramnit.I is known to spread through USB devices and external storage. Virus.Ramnit.I can also proliferate freely in file sharing networks. If you guess that your machine is contaminated with Virus.Ramnit.I, use a legitimate anti-virus application to remove Virus.Ramnit.I immediately.

How to Recognize a Virus.Ramnit.I Infection?

The Virus.Ramnit.I virus does its best to remain hidden from sight. However, if you pay attention, there are some things that will allow you to recognize Virus.Ramnit.I before the infection becomes too widespread.

- Virus.Ramnit.I is specifically engineered to attack 32-bit Windows operating systems, rather than the 64-bit version. Therefore, if you are noticing the effects of a virus on your system and you are running the 32-bit version of this operating system, chances are high that your virus is Virus.Ramnit.I. While 64-bit versions can also be infected, chances are high that your 64-bit operating system is being attacked by something else.
- Virus.Ramnit.I can create copies of itself. These copies remain hidden, but can be viewed if you set your file viewing preferences to make hidden files visible.

- Virus.Ramnit.I will specifically target shared folders and removable USB drives. If you suspect that Virus.Ramnit.I is infecting your system, check these places first for any hidden files. Any computer networking with your shared folder is in danger of being infected. Virus.Ramnit.I could have easily spread from a USB device to a computer's hard drive.

- Pay attention to any changes in your system. Virus.Ramnit.I has been known to change your firewall settings. Virus.Ramnit.I has also been known to make changes in the Windows Registry. Also, pay attention to your usage of system resources. Virus.Ramnit.I will often cause very high spikes in this parameter, causing your computer to become stuck.

What Happens if Virus.Ramnit.I Is Left Unchecked?

Letting Virus.Ramnit.I run rampant in your computer can have catastrophic effects. The main danger is that Virus.Ramnit.I acts as a back door through which hackers can gain access to your computer. The danger in this is immediately obvious. An unscrupulous individual can use Virus.Ramnit.I to gain access to your computer and then use it to download malicious software to damage your system and steal your private information. However, the most dangerous effect of having something like Virus.Ramnit.I on your computer, is that your computer may be used as part of a botnet.

Virus.Ramnit.I and Botnets

Botnets are groups of computers that have been compromised and then used for criminal purposes. Virus.Ramnit.I is precisely the kind of virus that hackers use to plant bots into compromised computers. A computer that has had a bot installed on it by a hacker, can be used for any number of criminal activities. These activities include sending spam emails and performing coordinated denial of service attacks on a target.

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
AhnLab-V3 nProtect
Microsoft Virus:Win32/Ramnit.I
eTrust-Vet Win32/Ramnit.C
AntiVir W32/Ramnit.C
Comodo Virus.Win32.Ramnit.H
Sophos W32/Ramnit-A
BitDefender Win32.Ramnit.N
Kaspersky Virus.Win32.Nimnul.a
ClamAV W32.Ramnit-1
Avast Win32:Ramnit-G
Symantec W32.Ramnit.B!inf
F-Prot W32/Ramnit.D
NOD32 Win32/Ramnit.H
K7AntiVirus Virus
McAfee W32/Ramnit.a

File System Details

Virus.Ramnit.I may create the following file(s):
Expand All | Collapse All
# File Name Detections
1. AEADISRV.EXE
2. %PROGRAM_FILES%\ Backdoor.Beastdoor.DL\ Backdoor.Beastdoor.DL

Registry Details

Virus.Ramnit.I may create the following registry entry or registry entries:
HKEY..\..\..\..{RegistryKeys}
HKEY_LOCAL_MACHINE\Software\ Backdoor.Beastdoor.DL

Analysis Report

General information

Family Name: Virus.Ramnit.I
Signature status: No Signature

Known Samples

MD5: a544f965320e621bfbefbd3cf710d53d
SHA1: a040ca9a1ed03ec2f054fa66115a65c5859846f6
SHA256: CF933D745B7B9D9CBC74B933D82EF37513089BCCA7F71C635D27728BA39BE746
File Size: 447.33 KB, 447332 bytes
MD5: 8f55cf2596e98154eceed7c1f3e7ce5e
SHA1: f6271d7926f1cedf43a9ff786498f44b5fbad80a
SHA256: DD6FF3059E93E5EEF19887AF2C28446CCBC16DD2EEAFF7A479437F4AB3DB016B
File Size: 6.74 MB, 6737901 bytes
MD5: beb6d433cc6bbb7a77c5de98faabce65
SHA1: ccbe85e43371a8b144cbe091778db28c62abaa24
SHA256: 35312E8A68535EE1CC471BEDEAC724FD7E4065D36BAAD4D5AE1222FF0072DE75
File Size: 172.96 KB, 172958 bytes
MD5: c25a47f6c0d6eec88d79771b988d5a75
SHA1: dee5fa043bbc466b66fd5af8ced2b0f4d3147ea9
SHA256: 9712E2E555EAC39E29C390CCBFC98ACFDA0184AD73EB73FF06FF6D7EFE850D34
File Size: 686.60 KB, 686603 bytes
MD5: 7f9713d4860f62943972fc025ee77041
SHA1: 537f2b856f3ca1d51d7115722ea9d31de7e0e8d2
SHA256: 3AF3D6029A04746AF5D318EA16298E451E91607730F9DCA34CB733FD10B6CE36
File Size: 481.24 KB, 481236 bytes
Show More
MD5: 3c6ad9c455efec82df756a596c024e58
SHA1: 5c4afc3571de25202949d69049099db4da9ee2c8
SHA256: B6237A98A4ECF7944E8EC0E02B879429D42C337958AAB8327D9C5B92F98FF71D
File Size: 82.94 KB, 82944 bytes
MD5: 46030e2ed67dae69a3d0d0bc9632c321
SHA1: 9bb834d7716100f5d3414c30f25a8eb47f18362e
SHA256: 0155F7684C8F3237E85C6543E20688B7B277D9D85658FC39D58B591476630D7A
File Size: 409.60 KB, 409600 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
Show More
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name
  • CANON INC
  • InstallShield Software Corporation
  • MANEX
  • Microsoft Corporation
  • Softdeluxe
File Description
  • Canon EIS Device
  • Free Download Manager
  • InstallShield (R) Setup Launcher
  • Microsoft® C Runtime Library
File Version
  • 7.10.3052.4
  • 6.24.0.5820
  • 6, 31, 100, 1190
  • 1.7.0.2
  • 1.0.0.0
Internal Name
  • cneisdevc.dll
  • MSVCR71.DLL
  • Setup
Legal Copyright
  • (c) 2003 - 2024
  • Copyright (C) 1990-2001 InstallShield Software Corporation
  • Copyright CANON INC. 2016-2022
  • MANEX
  • © Microsoft Corporation. All rights reserved.
Legal Trademarks MANEX
Original Filename
  • cneisdevc.dll
  • fdm.exe
  • MSVCR71.DLL
  • Setup.exe
Product Name
  • Canon EIS Device
  • Free Download Manager
  • InstallShield (R)
  • Microsoft® Visual Studio .NET
  • Mileage calc for Audi A4 Bosch encrypted
Product Version
  • 7.10.3052.4
  • 6.24.0.5820
  • 6, 31
  • 1.7.0.2
  • 1.0

File Traits

  • 2+ executable sections
  • big overlay
  • dll
  • HighEntropy
  • Installer Version
  • VirtualQueryEx
  • x86

Block Information

Total Blocks: 1,570
Potentially Malicious Blocks: 0
Whitelisted Blocks: 1,569
Unknown Blocks: 1

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 1 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 0 0 1 0 1 0 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 0 1 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ?
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.M
  • Alman.C
  • HackAgent.DA
  • Ramnit.A
  • Ramnit.V

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\users\user\downloads\cmgr.exe Generic Write,Read Attributes
c:\windows\system.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\syswow64\rundll32mgr.exe Generic Write,Read Attributes
c:\windows\syswow64\rundll32srv.exe Generic Write,Read Attributes
c:\windows\syswow64\temp\shsandbox-win32.dll-5.22.1.9999-x86.dmp Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify  RegNtPreCreateKey
Show More
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications  RegNtPreCreateKey
HKCU\software\apcr\1214104697::1919251317 Û RegNtPreCreateKey
HKCU\software\apcr\1214104697::-456464662 RegNtPreCreateKey
HKCU\software\apcr\1214104697::1462786655 RegNtPreCreateKey
HKCU\software\apcr\1214104697::-912929324 # RegNtPreCreateKey
HKCU\software\apcr\1214104697::1006321993 é RegNtPreCreateKey
HKCU\software\apcr\1214104697::-1369393986 http://affiliate.free.rongrean.com/logo.gifhttp://demo.mosiva RegNtPreCreateKey
HKCU\software\apcr\1214104697::549857331 RegNtPreCreateKey
HKCU\software\apcr::u1_0 鱞댶 RegNtPreCreateKey
HKCU\software\apcr::u2_0 RegNtPreCreateKey
HKCU\software\apcr::u3_0 権ă RegNtPreCreateKey
HKCU\software\apcr::u4_0 RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtQueryAttributesFile
Show More
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
User Data Access
  • GetUserObjectInformation

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ccbe85e43371a8b144cbe091778db28c62abaa24_0000172958.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\dee5fa043bbc466b66fd5af8ced2b0f4d3147ea9_0000686603.,LiQMAxHB
cmgr.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5c4afc3571de25202949d69049099db4da9ee2c8_0000082944.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9bb834d7716100f5d3414c30f25a8eb47f18362e_0000409600.,LiQMAxHB

Trending

Most Viewed

Loading...