Win32.Worm.RJump.B
LOW
LOW
3.3Mb
Symptoms
The presence of the file
%WINDIR%\RavMonE.exe
with a size of 3.3Mb.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Petrea Ruslan, virus researcher
Technical Description:
The worm is written in Python and converted to a Windows executable.
When executed, it copies itself to
%WINDIR%\RavMonE.exe
and creates the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RavAV ="%WINDIR%\RavMonE.exe"
in order to be executed at startup.
The worm copies itself to USB drives together with an autorun script, detected by BitDefender as Trojan.Autorun.EU.
The worm also has backdoor capabilities: when executed, it starts listening on a random port and posts the local IP address and port number to the following URLs:
http://natrocket.????.net:5288/return
http://natrocket.????.net:5288/iesocks
http://natrocket.????.org:5288/iesocks
http://scipaper.????.net:80/iesocks
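The indicators above (dropped file, RavAV Run-key entry, a listening RavMonE.exe process, autorun script on removable media) can be checked on a Windows host with the following script. This is an added example, not part of the BitDefender write-up; it assumes it runs with rights to read HKLM and %WINDIR%, and that the NetTCPIP and Storage modules are available (Windows 8 / Server 2012 or later).

```powershell
# Added example: check a Windows host for the Win32.Worm.RJump.B indicators
# described in the write-up. Read-only; it reports findings and removes nothing.
$findings = @()

# 1. Dropped copy of the worm (the write-up lists a size of roughly 3.3 MB).
$dropPath = Join-Path $env:WINDIR 'RavMonE.exe'
if (Test-Path -LiteralPath $dropPath) {
    $sizeMb = [math]::Round((Get-Item -LiteralPath $dropPath).Length / 1MB, 1)
    $findings += "File present: $dropPath ($sizeMb MB)"
}

# 2. Persistence via the RavAV value under the HKLM Run key.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runEntry = Get-ItemProperty -Path $runKey -Name 'RavAV' -ErrorAction SilentlyContinue
if ($runEntry) {
    $findings += "Run key entry: $runKey\RavAV = $($runEntry.RavAV)"
}

# 3. Backdoor: the worm listens on a random port, so list listening TCP
#    endpoints owned by any running RavMonE.exe process.
foreach ($p in (Get-Process -Name 'RavMonE' -ErrorAction SilentlyContinue)) {
    $listeners = Get-NetTCPConnection -OwningProcess $p.Id -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $findings += "RavMonE.exe (PID $($p.Id)) listening on $($l.LocalAddress):$($l.LocalPort)"
    }
}

# 4. Spreading: autorun script on removable drives. Assumption: the script is an
#    autorun.inf at the drive root; its presence alone is a lead, not proof.
Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
    $inf = "$($_.DriveLetter):\autorun.inf"
    if (Test-Path -LiteralPath $inf) {
        $findings += "autorun.inf found on removable drive $($_.DriveLetter): (inspect its contents)"
    }
}

if ($findings.Count -eq 0) {
    'No Win32.Worm.RJump.B indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

Outbound connections to the listed beacon URLs on port 5288 (and the scipaper host on port 80) are best confirmed from proxy or firewall logs rather than from the host itself.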