W32.Ramlide


Aliases: Virus.Win32.Ramdile, Win32.Ramdile, W95/Ramdile, Win32.LiteSys.10609, W32/Ramdile-A
Variants:

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: N/A
Geographical info: North America
Removal: N/A
Platform: W32
Discovered: 01 Oct 2002
Damage: N/A

Characteristics: W32.Ramlide is a virus that infects Windows systems only. It is a non-dangerous, non-memory-resident encrypted virus. When the virus infects a system, it encrypts itself and writes itself to the end of the host file.

More details about W32.Ramlide

When executed, W32.Ramlide infects .exe, .scr, and .cpl files in the current directory. It then infects the following files in the Windows directory: calc.exe, notepad.exe, cdplayer.exe, write.exe, and pbrush.exe. When the virus finds any of these files, it appends its viral body to the end of the host file and changes the entry point so that it points to the viral body. Once an infected file runs, the virus randomly chooses PE files in the Windows folder that have the extensions .exe, .scr, or .cpl and appends its viral body to the end of those host files as well. The virus puts a marker in the PE header of each infected file, which prevents it from re-infecting the file. The length of an infected file increases by 14,705 bytes.
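The appended body and redirected entry point described above leave a structural trace that can be checked from the PE headers alone. The following is an added example, not code from the original write-up: it reports which section contains the entry point and flags files where that is the last section. The helper names, the sample section layout, and the assumption that the appended body ends up inside the last section are illustrative.

```python
import struct

def entry_point_section(data):
    """Return (index, section_count, name) of the section holding the entry point."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    ep, = struct.unpack_from("<I", data, pe + 24 + 16)     # AddressOfEntryPoint
    table = pe + 24 + opt_size                             # first section header
    for i in range(nsect):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        if vaddr <= ep < vaddr + max(vsize, rsize):
            return i, nsect, name
    return None, nsect, ""     # entry point lies outside every section

def entry_in_last_section(data):
    """Triage heuristic: True when execution starts in the final section."""
    idx, nsect, _ = entry_point_section(data)
    return nsect > 1 and idx == nsect - 1

def make_headers(ep, sections):
    """Constructed input: PE headers only, built from (name, vaddr, vsize)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, ep).ljust(224, b"\0")
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, vsize, 0)
        + b"\0" * 16 for name, vaddr, vsize in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples (not real files): a normal layout, and one whose last
# section has grown by the 14,705 bytes quoted above and now holds the entry point.
CLEAN = make_headers(0x1000, [(b".text", 0x1000, 0x2000),
                              (b".data", 0x3000, 0x1000),
                              (b".rsrc", 0x4000, 0x1000)])
APPENDED = make_headers(0x5000, [(b".text", 0x1000, 0x2000),
                                 (b".data", 0x3000, 0x1000),
                                 (b".rsrc", 0x4000, 0x1000 + 14705)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, entry_point_section(blob), entry_in_last_section(blob))
```

Some packers and protectors also start execution in the last section, so a hit is a prompt to compare the file against a known-good copy rather than a verdict.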

On the 7th, 12th, 17th and 22nd of any month the virus drops an image file named "ramlide.bmp". It registers it as desktop wallpaper. The virus may corrupt the host file due to a bug in the virus code. It also contains a bug that may cause the virus to occasionally re-infect files.

The downloaded files may be spread to other computers. They may be placed in network shares. Other users may access them thinking they are harmless files. Infected files can also be uploaded on the user’s file sharing programs. They may be placed in the shared folder. The files may be renamed so that other users will download them. They may be listed as commercial movies or music that can now be downloaded free.