Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 28 Dec 2007
Damage: Low

Characteristics: W32.Ranetif is a worm that opens a back door and infects files. A back door worm allows unauthorized remote attackers to access information on the infected computer. The backdoor worm is a slow infector. It causes low damage and is easy to remove using updated antivirus software.

More details about W32.Ranetif

The worm W32.Ranetif infects Windows systems. When the worm is executed, it creates the following files: INETINFO.EXE, scanip.txt, and svchost.exe. It then creates the following file on each drive so that it executes whenever the drive is accessed: autorun.inf. Afterwards, it creates a registry entry so that it executes whenever Windows starts. The worm may attempt to stop the following processes: regedit, rundll32, and mmc. It may also delete the associated files: regedit.exe, rundll32.exe, and mmc.exe. The worm attempts to gather IP addresses by opening a network connection and listening on TCP port 3310. The worm stores the gathered information in the file scanip.txt. Every three minutes, it scans drives for infection. The worm also opens a back door on the infected computer and waits for commands from a remote attacker.
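A defender-side triage check for the indicators listed above, added here as an example (it is not code from this write-up or from any vendor). The snapshot layout, function names and sample paths are assumptions; the registry entry is not checked because the page does not name it.

```python
import ntpath
import re

# Names the write-up says the worm drops (the page gives names only, no paths).
DROPPED = {"inetinfo.exe", "svchost.exe", "scanip.txt"}
# Tools the write-up says the worm may stop and delete.
TARGETED_TOOLS = {"regedit.exe", "rundll32.exe", "mmc.exe"}
LISTEN_PORT = 3310  # TCP port named in the write-up

# autorun.inf keys that launch a program when the drive is opened.
_LAUNCH_KEY = re.compile(
    r"^\s*(?:open|shellexecute|shell\\[^=]*\\command)\s*=\s*(\S.*)$", re.I)

def autorun_targets(text):
    """Lower-cased base names of the programs an autorun.inf would launch."""
    targets = []
    for line in text.splitlines():
        m = _LAUNCH_KEY.match(line)
        if m:
            cmd = m.group(1).strip()
            exe = cmd[1:].split('"')[0] if cmd.startswith('"') else cmd.split()[0]
            targets.append(ntpath.basename(exe).lower())
    return targets

def triage(snapshot):
    """Return (kind, ...) findings for a host snapshot (layout is an assumption)."""
    findings = []
    for drive, text in sorted(snapshot["autoruns"].items()):
        # Legitimate names too, so flag only when a drive-root autorun.inf launches them.
        for name in sorted(DROPPED.intersection(autorun_targets(text))):
            findings.append(("autorun", drive, name))
    for port, image in snapshot["listeners"]:
        if port == LISTEN_PORT:  # weak on its own: confirm the owning image
            findings.append(("listener", port, ntpath.basename(image).lower()))
    present = {ntpath.basename(p).lower() for p in snapshot["present_files"]}
    for tool in sorted(TARGETED_TOOLS - present):
        findings.append(("missing_tool", tool))
    if "scanip.txt" in present:
        findings.append(("dropped_file", "scanip.txt"))
    return findings

# Constructed sample snapshot; every path and value here is made up.
SAMPLE = {
    "autoruns": {"D:": "[autorun]\nopen=setup.exe\n",
                 "E:": "[AutoRun]\nOPEN = svchost.exe /s\nshell\\open\\command=svchost.exe\n"},
    "listeners": [(135, r"C:\Windows\System32\svchost.exe"), (3310, r"C:\example\INETINFO.EXE")],
    "present_files": [r"C:\Windows\System32\rundll32.exe",
                      r"C:\Windows\System32\mmc.exe", r"C:\example\scanip.txt"],
}
```

`triage(SAMPLE)` returns one finding per indicator; a single finding, especially the port-3310 listener, is a reason to look closer rather than proof of infection.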

The W32.Ranetif program installs on a computer without the user’s knowledge or consent. It stays resident in the system’s background and launches at each computer start-up. The Trojan program is unknowingly downloaded by the user when accessing websites that are not secure.