Win32.Rmnet.12
The file virus Win32.Rmnet.12 succeeded in building a botnet of more than one million infected computers. The virus attacks Windows-based computers, acts as a backdoor, and steals passwords from popular FTP clients; the attackers then use these passwords to infect websites and to mount network attacks. Moreover, on command from a remote server the virus is able to completely destroy the computer's operating system.
The first reports from anti-virus companies about Win32.Rmnet.12 appeared in the autumn of 2012. The virus infects computers in several ways: through infected executable files, through flash drives, and through scripts embedded in HTML documents. In the last case the virus is written to the hard disk as soon as the malicious web page is opened in a browser window.
Win32.Rmnet.12 is a complex multi-component file virus made up of several modules. It is capable of self-replication: the virus copies itself in order to spread without control. Once on the system, Win32.Rmnet.12 first determines which browser is set as the computer's default. If it finds no default browser, it chooses Internet Explorer and injects itself into its processes. Next, it generates its own file name from the serial number of the hard disk and stores itself in the startup folder with the "hidden" file attribute set. It writes the data it needs to this file. Then, following the algorithm built into it, Win32.Rmnet.12 tries to contact the command server.
One component of Win32.Rmnet.12 is a backdoor module, which after launch measures the speed of the PC's Internet connection. To do this the virus sends queries to search sites at 70-second intervals and analyses their response time. Having obtained this information, the virus connects to the command centre and reports details of the infected computer. The backdoor module can process directives received from the command centre, for example commands to download or execute an arbitrary file, update its own body, take a screenshot and send it to the attackers' server, and even commands to destroy the entire operating system.
The other functional module of the virus is designed to steal passwords from the most popular FTP clients, for example Bullet Proof FTP, FileZilla, FlashFXP, CuteFTP, WS FTP, Ghisler, and so on. These passwords are needed for the later infection of remote servers or for mounting network attacks. Win32.Rmnet.12 also collects information from cookies, which gives the attackers access to the user's accounts on websites that require authentication from the infected computer.
The virus can also block certain sites in order to redirect the user to Internet resources controlled by the hackers. A more recent modification of the virus can already perform web injects, which allow Win32.Rmnet.12 to steal banking information.
The virus searches for all HTML files and adds its own code, written in VBScript, to them. In addition, Win32.Rmnet.12 infects every executable file with an .exe extension found on the PC, and also copies itself to all external flash drives, saving its own startup file in the root folder together with a shortcut that points to the malicious application; opening that shortcut is what runs the virus on the new computer.
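The HTML infection behaviour described above can be triaged by sweeping a file tree for script elements declared as VBScript. The scanner below is an added example, not Doctor Web's tooling or code from the page; it assumes the injected code sits in a `<script>` element whose `language` or `type` attribute names VBScript, since the page gives no exact signature, so it is a heuristic rather than a rule for one specific sample.

```python
"""Triage scanner for VBScript blocks injected into HTML documents.

Added example (not the vendor's tooling). Assumption: the injected
code is a <script> element with language="VBScript" or
type="text/vbscript"; the page gives no exact signature.
"""
import os
from html.parser import HTMLParser


class VBScriptFinder(HTMLParser):
    """Collects <script> elements whose language/type attribute names VBScript."""

    def __init__(self):
        super().__init__()
        self.hits = []  # list of (line number, matching attribute)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name in ("language", "type") and value and "vbscript" in value.lower():
                self.hits.append((self.getpos()[0], f'{name}="{value}"'))


def find_vbscript_blocks(html_text):
    """Return [(line, attr)] for every VBScript <script> element in the document."""
    finder = VBScriptFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits


def sweep_html_files(root):
    """Walk a directory tree and map each .htm/.html file with hits to its findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            if not fname.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_vbscript_blocks(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed sample documents: one clean page and one with an injected block.
CLEAN_PAGE = "<html><body><h1>Hi</h1><script type='text/javascript'>var a=1;</script></body></html>"
INFECTED_PAGE = ("<html><body><p>Page content</p>\n"
                 "<script language=\"VBScript\">' injected loader would sit here</script>\n"
                 "</body></html>")

if __name__ == "__main__":
    print(find_vbscript_blocks(CLEAN_PAGE))     # []
    print(find_vbscript_blocks(INFECTED_PAGE))  # [(2, 'language="VBScript"')]
```

Run `sweep_html_files` against a web root or user profile to list every document carrying such a block, then compare the flagged files against known-good copies before cleaning.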
The company Doctor Web discovered the Win32.Rmnet.12 botnet in September 2011, and its specialists soon decoded the names of the command servers stored in the virus's resources. Some time later the protocols for data exchange between the control centres and the botnet became available for analysis. This made it possible not only to establish the exact number of infected computers, but also to control their behaviour. On February 14, 2012, Doctor Web experts applied the well-known sinkhole method, which they subsequently used to study the BackDoor.Flashback.39 Trojan network. The essence of the sinkhole method is registering the command-server domains of the Win32.Rmnet.12 network; in this way complete control was established over one of the botnet's subnets.
On April 15, 2012 the Win32.Rmnet.12 botnet consisted of 1.4 million infected computers, and this number continues to grow. The largest number of infected PCs is in Indonesia (27.12%, or 320 thousand PCs). The second largest is Bangladesh (166 thousand, or 14.08%). Third place went to Vietnam (13.08%). These are followed by India, Pakistan, Russia (43 thousand computers, or 3.6%), Egypt, Nigeria, Nepal and Iran. Among the other CIS countries: Kazakhstan with 19.77 thousand infections (1.67%), Belarus (14.2 thousand, or 1.2%) and Ukraine (12.5 thousand, or 1.05%). Relatively few infected computers were found in the U.S., only 4327 PCs, or 0.36%. Even fewer were detected in Canada (250 PCs) and Australia (46 PCs), and in Tajikistan, Albania and Denmark only one infected computer was found in each country.
Today, according to Doctor Web experts, the company fully controls the Win32.Rmnet.12 botnet, and the attackers can no longer access it or harm the infected computers.