Ramnit Malware: How it works and how to remove it

Madalina Dinita
by Madalina Dinita
Managing Editor
Loading Comments
Download PDF
Affiliate Disclosure

Ramnit Malware

One of the primary concerns of cyber criminals is to dress the malware/virus in such a way that it avoids detection. The anti-virus and anti-malware programs are becoming increasingly powerful and cyber criminals seem to have found a new way to counter this. Ramnit is one such worm that was recycled from the BullGuard. Recycling a computer worm is nothing but repackaging the worm in such a way that it avoids detection and still does its job.

Ramnit Malware


What is Ramnit?

Its safe to brand the Ramnit as a recycled computer worm and recycling an old worm is always easier for the cybercriminals. The Ramnit is notorious for infecting Windows executables, Microsoft Office and HTML files. It is known to steal user names, passwords, browser cookies and will also allow hackers to take control of the infected computer. Yet another disturbing quirk of Ramnit is that it keeps on replicating itself without the need to be attached to an existing program. In a nutshell, the Ramnit is known to spread across the internet rapidly.

How Ramnit Works/Spreads?

Ramnit is commonly spread via flash drives and it all starts after the Worm (Win32/Ramnit) is copied with a random file name. The infection is at large at sites that promise to offer keygen and cracks. If not dealt with in a timely manner the Ramnit infects more files and the entire system might eventually become unusable.

Ramnit was initially discovered in 2010 when it was being used to steal the FTP credentials and browser cookies from machines that had already been infected. However, in 2011, a more powerful Ramnit variant appeared and this was able to bypass two-factor authentication and transaction signing system thus eventually being able to break into financial systems.

The Ramnit works by infecting .exe, HTML/HTM files before opening a back door that compromises your computer. This backdoor can be used by a remote attacker to download and execute more malicious files. The worm also comes with IRCBot functionality which is usually injected into the default browser by Worm:Win32/Ramnit.A, payload that’s dropped by a Ramnit infected executable file.

How to remove Ramnit from your computer?

Symantec W32.Ramnit Removal Tool

This tool by Symantec is specifically designed to detect Ramnit from the computers. In order to use this tool one needs to be logged in as an admin and only then download the executable file from FxRamnit.exe. The tool will automatically repair all the infected files and also resets the registry values that have been tampered with. Moreover, the tool will also terminate all the processes associated with Ramnit.

Bitdefender Rootkit Remover

The Bitdefender Rootkit Remover is designed to tackle known rootkits in an efficient manner. The Rootkit is capable of removing Mayachok, Mybios, Plite, XPaj, Whistler, Alipop, Cpd, Fengd, Fips, Guntior, MBR Locker, Mebratix, Niwa, Ponreb, Ramnit, The folks at Bitdefender have also added the definitions for the newer rootkits as well. One can download both the X86 Bitdefender Rootkit Remover and x64 version remover.

Format and Reinstall OS

This solution may seem extreme but I have always found the erase and reinstall method to be the best, especially when you are dealing with rootkits. Some of the security analysts claim that the Rammnit is not disinfectable and it’s always advisable to format your PC and reinstall a fresh copy of Windows 10. Once a system has been affected by a backdoor Trojan it is very difficult to sweep the remnants and in some cases, the files become corrupted this making the entire system unstable.

That being said it’s also wise to employ some precautionary measures, for instance always make it a point to scan the email attachments. Ensure that your anti-virus suite is updated to the latest version and the same goes for the Windows 10 build.