medium-medium

W32/RJump.worm

W32/RJump.worm

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Worm
  • Protection Added: 2006-06-20

-- Update October 17, 2006 --
W32/RJump.worm has been deemed Low-Profiled due to media attention at http://www.betanews.com/article/Apple_Ships_iPods_with_Windows_Virus/1161112089

W32/Rjump.worm is a worm written using the Python scripting language and was converted into a windows portable executable file using the Py2Exe tool.  It attempts to spread by coping itself to mapped and removable storage drives and also opens a backdoor on an infected system.


Minimum Engine

5400.1158

File Length

varies

Description Added

2006-06-20

Description Modified

2006-06-20

Malware Proliferation

fpo-ti-severity-legend logo-new-mcafee

-- Update October 17, 2006 --
W32/RJump.worm has been deemed Low-Profiled due to media attention at http://www.betanews.com/article/Apple_Ships_iPods_with_Windows_Virus/1161112089

 

Upon execution, it creates a copy of itself into the windows system directory:

  • %Windir%\RAVMON.EXE

Also create a non-malicious "RavMonLog" file that contains the port number on which its backdoor component listens.

Adds the following values to the registry to auto start itself when Windows starts.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"RavAV" = "%Windir%\RAVMON.EXE"

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Stinger:

A Stinger Standalone removal tool has been released to assist in repairing this threat.

W32/Rjump.worm lists all mapped and removable storage drives on an infected system and drops the following files onto the root folder of the available drive:

  • autorun.inf    --> used to autorun the worm when the drive is accessed
  • msvcr71.dll  --> Clean Microsoft Visual Studio dll file
  • ravmon.exe  --> copy of the worm

The contents of the autorun.inf are as follows:

[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\Auto\command=RavMonE.exe e
shell=Auto


Infection occurs when a removable storage device or a mapped drive hosting a copy of W32/Rjump.worm is accessed and the user agrees to the auto run prompt for execution of the worm.

W32/Rjump.worm creates a port exception for its backdoor component to bypass the built-in firewall of WinXp by executing the following netsh command.

%Windir%\%Sysdir%\cmd.exe /c netsh firewall add portopening TCP 16942 NortonAV

Note: The backdoor port opened is randomly chosen.

Posts ip address and backdoor port information from an infected machine back to the virus author via the following URL:

  • http://natrocket.9966.[Removed]:5288/iesocks?peer_id=%s&port=%s&type=%s&ver=4sD