RavMonE.exe explained
Fullname: | RavMonE.Exe |
Common Name: | RavMonE |
Technical Name: | Win32.RJumpA |
Aliases: | Rajump, Jisx, Siweol, Bdoor-DIJ |
Isolationdate: | June 2006 |
Isolation: | Unknown |
Origin: | Unknown |
Author: | Unknown |
RavMonE, also known as RJump, is a Trojan that opens a backdoor on computers running Microsoft Windows. Once a computer is infected, the virus allows unauthorized users to gain access to the computer's contents. This poses a security risk for the infected machine's user, as the attacker can steal personal information, and use the computer as an access point into an internal network.
RavMonE was made famous in September 2006 when a number of iPod videos were shipped with the virus already installed.[1] Because the virus only infects Windows computers, it can be inferred that Apple's contracted manufacturer was not using Macintosh computers. Apple came under some public criticism for releasing the virus with their product.
Description
RavMonE is a worm written in the Python scripting language and was converted into a Windows executable file using the Py2Exe tool.[2] It attempts to spread by copying itself to mapped and removable storage drives. It can be transmitted by opening infected email attachments and downloading infected files from the Internet. It can also be spread through removable media, such as CD-ROMs, flash memory, digital cameras and multimedia players.
Action
Once the virus is executed, it performs the following tasks.
- It copies itself to %WINDIR% as
RavMonE.exe
.
- It adds the value
"RavAV" = "%WINDIR%\RavMonE.exe"
to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.
- It opens a random port and accepts remote commands.
- It creates a log file
RavMonLog
to store the port number.
- It posts a HTTP request to advise the attacker of the infected computer's IP address and the number of the port opened.
When a removable storage device is connected to the infected computer it copies the following files to that device:
- autorun.inf - a script to execute the worm the next time the device is connected to a computer
msvcr71.dll
- in case the target device lacks this support, Microsoft C Runtime Library module containing standard functions such as to copy memory and print to the console[3]
ravmon.exe
- a copy of the worm
Aliases
- BackdoorRajump (Symantec)
- W32/JisxA.worm (Panda)
- W32/RJump-C (Sophos)
- W32/RJumpA!worm (Fortinet)
- Win32/RJumpA (ESET)
- Win32/RJumpA!Worm (CA)
- WormRJumpA (BitDefender)
- WormWin32RJump.a (Kaspersky)
- Worm/RjumpE (Avira)
- WORM_SIWEOLB (TrendMicro)
- Worm/GenericAMR (AVG)
- INF:RJump[Trj](Avast!)
See also
External links
Alphabetically by publisher:
- Web site: AVIRA Virus Definition File History . Oct 23, 2006 . W32/RJump . . dead . September 11, 2007 . https://web.archive.org/web/20070911205743/http://original.avira.com/en/threats/vdf_history.html?id_vdf=2857 .
- Web site: W32/RJump.worm . June 20, 2006 . W32/RJump . . dead . September 3, 2006 . https://web.archive.org/web/20060903042102/http://vil.nai.com/vil/content/v_139985.htm .
- Web site: Troj/Bdoor-DIJ . W32/RJump . . live . November 5, 2006 . https://web.archive.org/web/20061105092709/http://www.sophos.com/security/analyses/trojbdoordij.html .
- Web site: W32.Rajump . https://web.archive.org/web/20070210145353/http://www.symantec.com/security_response/writeup.jsp?docid=2006-062310-0921-99&tabid=3 . dead . February 10, 2007 . June 23, 2006 . W32/RJump . Symantec .
- Web site: WORM_SIWEOL . Nov 15, 2016 . W32/RJump . . dead . December 2, 2006 . https://web.archive.org/web/20061202031413/http://www.trendmicro.com:80/vinfo/virusencyclo/default5.asp?VName=WORM_SIWEOL%2EC&VSect=T .
Notes and References
- Web site: Apple Ships iPods with Windows Virus . Nate . Mook . Oct 17, 2006 . Beta News . Apple apologized Tuesday for shipping video iPods containing the Windows virus .
- Web site: Virus Profile: W32/RJump.worm . McAfee . June 20, 2006 .
- Web site: What is msvcr71.dll doing on my computer? . ProcessLibrary .