404 Error Page Hides RAMNIT.A Worm in the Source Code

Jun 19th 2017

Malware Family: Win32/Ramnit

Hash Values

MD5: 089dc369616dafa44a9f7fefb18e8961

SHA1: c4a2430634b7ca7427d2c055dbbb1fb8cd42a285

SHA256: 4ebafa2738f11d73d06dddf18ce41cf

Most of the time, links aren’t dangerous without user interaction. Recently, we discovered an innocent-looking link for a JPG picture that prompts a user to activate ActiveX on IE. Leveraging a social engineering technique, if the user activates ActiveX their machine will be infected by the RAMNIT.A Worm.


Uploading the Link for Analysis upload - Ramnit Analysis

Figure 1: Submitting the Link to VMRay Analyzer for Analysis


Let’s take a closer look at the analysis to understand the malicious behaviors triggered by this URL.

After submitting the URL to VMRay Analyzer, we get a VTI Score of 100/100 (Figure 2), clearly extremely malicious.


VTI Score - Ramnit Analysis

Figure 2: Ramnit Worm VTI Score: 100/100


The VTI Score overview tells us that the visited website downloads and executes code that is most likely malicious. What happens here?

The screenshot of the website shows us that the requested picture wasn’t found – 404. But this error page doesn’t look like a normal 404 error page. We want to see the source code of this error page. This is easy because the analyzer captures the whole network traffic. We open the PCAP file with Wireshark and follow the HTTP Stream of this requested picture.

The header looks still normal to us, like a 404 error page (Figure 3)


404 Error - Ramnit Analysis

Figure 3: PCAP File shows the HTTP Stream of the Requested Picture


But the source code of this error page solves the mystery (Figure 4).


source_errorpage - Ramnit Analysis

Figure 4: Source Code Shows VBScript


At the end of this webpage, there is a Visual Basic Script which will start if ActiveX is running on the browser.

This Visual Basic Script will confirm what we already suspect (Figure 5).


VBScript - Ramnit Analysis

Figure 5: VBS Script Starts if ActiveX is Running on the Browser


The ‘DropFileName = “svchost.exe” ‘ is already well known as the name of the dropped PE file shown in the VTI Information. Until ‘Set WSHshell = CreateObject(“WScript.Shell”) ‘ the script only drops the malicious “svchost.exe” to the user’s temporary folder, which is completely written down in the variable “WriteData”. After that, it creates a shell-object to run this malicious “svchost.exe”.

The dropped “svchost.exe” is well known as the RAMNIT.A worm which spreads through removable drives and also functions as a backdoor.

This technique isn’t that new but is another example of how malware authors can leverage social engineering techniques to exploit a user’s machine. Clearly, this URL should be on your blacklist. One way to automate that blacklisting process is to use a connector that we provide through our REST API to extract the IOCs and the threat score automatically after analysis.



Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator