According to current analysis, the Ramnit virus "always" uses a master file with the same name, "watermark.exe", although its storage location varies depending on the variant that infects the computer. It also creates a file "Explorermgr.exe" in the directory [C:\Windows]; "Explorermgr.exe" is created if Ramnit successfully infects the file "Explorer.exe". So that your computer does not become a victim of Ramnit, here are some tips and tricks to make it immune to a Ramnit attack.
- Create a dummy folder (empty folder) with the name "watermark.exe" and "svchost.exe" in the locations the virus usually targets, then change the folder attributes to Hidden, System and Read Only. This step is done so that Ramnit cannot create its main virus file in the same location.
- Create a file named "Recycler" on each drive, then change its attributes to Hidden, System and Read Only. This step is done so that Ramnit cannot create its master files (such as those with the EXE and CPL extensions) inside RECYCLER. Because this RECYCLER is a file (not a FOLDER), Ramnit will not be able to create its virus file in that location.
- Create 2 (two) registry keys in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Key: Explorermgr.exe and watermark.exe
String value: Debugger
Data value: ntsd -d
Figure: Registry string that blocks Ramnit so that it cannot become active on the computer
- This step is done so that the script / code in the Ramnit virus file cannot be executed, and Ramnit therefore cannot become active in memory.
Protect Your USB Flash Media.
As noted previously, Ramnit also spreads itself through USB Flash media by creating a virus file on it. The following tips and tricks keep Ramnit from creating a master file on USB Flash media:
- Files with the extension EXE / DLL / HTM / HTML in particular should be compressed with WinZip / WinRAR so that the virus does not infect them; use a password if necessary.
- Create an empty folder with the name [autorun.inf]. So that [autorun.inf] is not removed by the virus, create an empty folder inside the [autorun.inf] folder with a name that is not recognized by Windows, such as CON and NUL. An attempt to delete the [autorun.inf] folder will then fail and display an error message. You should also change the attributes to Hidden, System and Read Only.
Figure: Creating the autorun.inf file
Figure: The error message when deleting autorun.inf
- Create empty folders with the names "Copy of Shortcut to (1).lnk", "Copy of Shortcut to (2).lnk", "Copy of Shortcut to (3).lnk" and "Copy of Shortcut to (4).lnk", then change the attributes to Hidden, System and Read Only.
- Create a file named "Recycler", then change the attributes to Hidden, System and Read Only.
- Create an empty folder with the name MSO.SYS, then change the attributes to Hidden, System and Read Only.
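The registry step and the USB Flash media steps above, written as one PowerShell script. This is an added example, not part of the original article; the `$UsbDrive` parameter and the `New-Decoy` helper are hypothetical names, and the "watermark.exe" / "svchost.exe" decoy folders are left out because the article does not give their locations.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
param([string]$UsbDrive = 'E:')   # assumption: drive letter of the USB flash media

$attrs = [IO.FileAttributes]'Hidden, System, ReadOnly'

# Create a decoy file or folder and mark it Hidden, System and Read Only.
function New-Decoy {
    param([string]$Path, [ValidateSet('Directory', 'File')][string]$Type)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item -and ($item.PSIsContainer -ne ($Type -eq 'Directory'))) {
        # Something of the other kind already holds the name: leave it for a scanner.
        Write-Warning "$Path exists but is not a $Type; inspect it before replacing it."
        return
    }
    if (-not $item) { $item = New-Item -Path $Path -ItemType $Type }
    $item.Attributes = $attrs
}

# Debugger value under Image File Execution Options for the two Ramnit file names.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'Explorermgr.exe', 'watermark.exe') {
    $key = "$ifeo\$exe"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key | Out-Null }
    New-ItemProperty -Path $key -Name Debugger -Value 'ntsd -d' -PropertyType String -Force | Out-Null
}

# Decoys on the USB flash media.
New-Decoy "$UsbDrive\autorun.inf" Directory
# Reserved device name inside autorun.inf; cmd needs the \\.\ prefix to create it.
cmd /c "mkdir \\.\$UsbDrive\autorun.inf\CON 2>nul"
1..4 | ForEach-Object { New-Decoy "$UsbDrive\Copy of Shortcut to ($_).lnk" Directory }
New-Decoy "$UsbDrive\Recycler" File
New-Decoy "$UsbDrive\MSO.SYS" Directory
```

Endpoint security tools commonly alert on Debugger values under Image File Execution Options, so record these two entries as intentional.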
Source : http://vaksin.com/