How to remove “Virus:Win32/Ramnit.AH”?

Virus:Win32/Ramnit.AH is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
A 6-day free trial is available.

What can Virus:Win32/Ramnit.AH do?

  • Behavioural detection: Executable code extraction – unpacking
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Unconventional language used in binary resources: Japanese
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • CAPE detected the Ramnit malware family
  • Operates on local firewall’s policies and settings
  • Attempts to disable UAC
  • Attempts to disable Windows Defender
  • Attempts to modify or disable Security Center warnings
  • Registers an application compatibility shim database for persistence
  • Creates known PcClient mutex and/or file changes.
  • Anomalous binary characteristics
  • Yara rule detections observed from a process memory dump/dropped files/CAPE

How to identify Virus:Win32/Ramnit.AH?

File Info:

name: EA08660352B5A071761D.mlw
path: /opt/CAPEv2/storage/binaries/f5fec4cf85c3e2c936455b0f0ec8a6cbbb138dfa5e31db4920037f9baf46ab65
crc32: 5DA63CDE
md5: ea08660352b5a071761d20fd9962ff48
sha1: 884d51a034a6406f2664ed77424f8d0888b0eb9b
sha256: f5fec4cf85c3e2c936455b0f0ec8a6cbbb138dfa5e31db4920037f9baf46ab65
sha512: 38c4f69aed703337f2ad6a21ffd5425670b32124b1aa10cdfa300991ee256e4228f242a882d465f40ee891cc062edd36935f9e73c05d15448508064cd6c0fba0
ssdeep: 6144:xEq64tWRYCjhOhn7n4TlBblt5RSZhlMI1i67ikFmzQ0hrINhOsdWNSt8tbi+5I8A:xQhC7ilBtR01rpFmzVhuWNSKo37EPsN
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T172C4C0117BE1C877D06606370CB2876D7677BF609B3186876BD03E4EAE312D2AA35712
sha3_384: c5346fddf9e6deb8945dbde72851f0e85ac16f1b320acae2e494cea88a041bb8db30278dac78e96dd97b4bbcf3fbf620
ep_bytes: eb048b37eb50608d3500010000eb3156
timestamp: 2012-09-27 02:23:07

Version Info:

CompanyName: Brother Industories, Ltd.
FileDescription: Launch integrated installer
FileVersion: 5, 0, 13, 0
InternalName: Setup
LegalCopyright: Copyright (C) 2005-2013 Brother Industries, Ltd.
OriginalFilename: Setup.exe
ProductName: Setup.exe
ProductVersion: 5, 0, 13, 0
Translation: 0x0409 0x04b0

Virus:Win32/Ramnit.AH is also known as (vendor: detection name):

Bkav: W32.Common.97A1B30C
Lionic: Virus.Win32.Ramnit.n!c
Elastic: malicious (high confidence)
Cynet: Malicious (score: 100)
CAT-QuickHeal: W32.Nimnul.F
Skyhigh: BehavesLike.Win32.Infected.hh
McAfee: W32/Ramnit.o
Malwarebytes: Generic.Malware/Suspicious
Zillya: Virus.Nimnul.Win32.2
K7AntiVirus: Virus ( 004c861e1 )
Alibaba: Virus:Win32/Ramnit.3199463c
K7GW: Virus ( 004c861e1 )
CrowdStrike: win/malicious_confidence_100% (W)
Arcabit: Win32.Ramnit.Y
Baidu: Win32.Virus.Nimnul.dan
Symantec: Trojan.Dropper
ESET-NOD32: a variant of Win32/Ramnit.AM
APEX: Malicious
Kaspersky: Virus.Win32.Nimnul.e
BitDefender: Win32.Ramnit.Y
NANO-Antivirus: Virus.Win32.Nimnul.bauhiz
MicroWorld-eScan: Win32.Ramnit.Y
Avast: Win32:Malware-gen
Tencent: Virus.Win32.Nimnul.b
Emsisoft: Win32.Ramnit.Y (B)
F-Secure: Malware.W32/Nimnul.D
DrWeb: Win32.Nimnul.1
VIPRE: Win32.Ramnit.Y
TrendMicro: PE_RAMNIT.SM
Sophos: W32/Ramnit-BD
Ikarus: Virus.Win32.Ramnit
Jiangmin: Win32/Nimnul.d
Webroot: W32.Nimnul
Google: Detected
Avira: W32/Nimnul.D
Antiy-AVL: Virus/Win32.Ramnit.am
Xcitium: Virus.Win32.Ramnit.GENV@4roe85
Microsoft: Virus:Win32/Ramnit.AH
ZoneAlarm: Virus.Win32.Nimnul.e
GData: Win32.Ramnit.Y
Varist: W32/Nimnul.A!Generic
AhnLab-V3: Win32/Ramnit.S
BitDefenderTheta: AI:FileInfector.17F650D70E
ALYac: Win32.Ramnit.Y
TACHYON: Virus/W32.Ramnit.D
VBA32: Virus.Nimnul.ea
Cylance: unsafe
Panda: Generic Suspicious
TrendMicro-HouseCall: PE_RAMNIT.SM
Rising: Virus.Ramnit!1.A1AD (CLASSIC)
MaxSecure: Virus.Nimnul.E
Fortinet: W32/Ramnit.AM
AVG: Win32:Malware-gen
DeepInstinct: MALICIOUS

How to remove Virus:Win32/Ramnit.AH?

Virus:Win32/Ramnit.AH removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.