Virus hitting Aussie PCs disables ‘most’ AV software

Hits Internet Explorer and Firefox, but not Chrome.

Yesterday CSO Australia reported that a new variant of a virus called Win32.Rmnet.16 was taking an abnormally high number of Australian victims.

Kirill Leonov, chief press officer of the Russian antivirus firm Doctor Web, whose researchers claim 10,000 Australian PCs are infected by the data stealing virus, clarified how it is infecting Windows machines.

Leonov’s feedback suggests businesses and consumers concerned about the virus should consider switching to Google’s Chrome browser. The virus injects itself into Internet Explorer and Firefox, whichever is default, but not Chrome or Opera.

“Any patch doesn't help because [the] virus injects its modules into browser's process directly in RAM,” says Leonov.

Dr Web says it is a complex multicomponent virus that is “capable of self-replication”; however, the virus can be removed with its CureIt! and LiveCD products.

The malware will disable “almost all” AV programs running as operating system processes, says Leonov.

As with the company’s work that led to the discovery of the botnet malware that hit around 700,000 Mac OS X users worldwide, Dr Web gathered its data by deploying a ‘sinkhole’, where traffic destined for the botnet’s command servers is redirected to a server under the control of the security firm.

“Yes, we sinkholed some of Rmnet.16 control servers and collected the statistics. The virus generates up to 200 [command and control] domains using a special algorithm; to accelerate this process the malware creates up to 10 parallel threads,” said Leonov.

“Win32.Rmnet.16 calls the domain's list and waits for an answer [and signs it] with a digital signature. If the packet is received, the virus stops its threads and uses this control server as default.”
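The behaviour Leonov describes, a host racing through a list of generated domain names until one answers, leaves a recognisable trace in resolver logs: a burst of distinct names that do not resolve. The following detector is an added example written for this article, not code from CSO or Doctor Web; the log format, the window and threshold values, and the client addresses and domain names are all constructed assumptions, not real Rmnet.16 indicators.

```python
"""Flag clients that query many distinct non-resolving names in a short
window, the DNS footprint of a domain-generation algorithm. Added example;
log format, thresholds and sample values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Assumed resolver log format: '<ISO timestamp> <client> <qname> <rcode>'."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def flag_dga_clients(lines, window=timedelta(seconds=60), min_unique_nx=20):
    """Return {client: peak} for every client whose count of distinct
    NXDOMAIN names inside some sliding window reaches min_unique_nx."""
    per_client = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            unique = len({q for _, q in events[start:end + 1]})
            peak = max(peak, unique)
        if peak >= min_unique_nx:
            flagged[client] = peak
    return flagged


# Constructed sample: one ordinary client with a single typo, and one client
# that tries 40 generated names in four seconds (several threads working a
# list in parallel) before a single name finally answers.
BENIGN = [
    "2012-04-20T10:00:00 10.0.0.5 www.example.com NOERROR",
    "2012-04-20T10:00:05 10.0.0.5 typo.exmaple.com NXDOMAIN",
    "2012-04-20T10:05:00 10.0.0.5 mail.example.com NOERROR",
]
SUSPECT = [
    f"2012-04-20T10:00:{i // 10:02d} 10.0.0.7 gen{i:03d}.example NXDOMAIN"
    for i in range(40)
] + ["2012-04-20T10:00:04 10.0.0.7 gen040.example NOERROR"]

if __name__ == "__main__":
    print(flag_dga_clients(BENIGN + SUSPECT))  # → {'10.0.0.7': 40}
```

Real deployments would tune the window and threshold against a baseline of normal NXDOMAIN rates, since misconfigured software and typos also produce failed lookups.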
