Virus hitting Aussie PCs disables ‘most’ AV software

Yesterday CSO Australia reported that a new variant of a virus called Win32.Rmnet.16 was taking an abnormally high number of Australian victims.

Kirill Leonov, chief press officer of the Russian antivirus firm Doctor Web, whose researchers claim 10,000 Australian PCs are infected by the data stealing virus, clarified how it is infecting Windows machines.

Leonov’s feedback suggests businesses and consumers concerned about the virus should consider switching to Google’s Chrome browser. The virus injects itself into Internet Explorer and Firefox, whichever is default, but not Chrome or Opera.

“Any patch doesn’t help because [the] virus injects its modules into browser’s process directly in RAM,” says Leonov.

Dr Web says it is a complex multicomponent virus that is “capable of self-replication”, however, the virus can be removed with its Cureit! and its LiveCD products.

The malware will disable “almost all” AV programs that are running operating system processes, says Leonov.

Like the company’s work which led to the discovery of the botnet malware that hit around 700,000 Mac OS X users worldwide, Dr Web gathered its data by deploying a ‘sinkhole’, where traffic destined for the botnet’s command servers is redirected to a server under the control of the security firm.

“Yes, we sinkholed some of Rmnet.16 control servers and collected the statistics. The virus generates up to 200 [command and control] domains using a special algorithm; to accelerate this process the malware creates up to 10 parallel threads,” said Leonov.

“Win32.Rmnet.16 calls the domain’s list and waits for an answer [and signs it] with a digital signature. If the packet is received, the virus stops its threads and uses this control server as default.”