Win32/RJump


Win32/RJump is a worm that attempts to spread by copying itself to newly attached media (such as USB memory devices or network drives). It also contains backdoor functionality that allows an attacker unauthorized access to an affected machine.


What to do now

To detect and remove this worm, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, visit http://www.microsoft.com/athome/security/downloads/default.mspx.

Threat behavior

Win32/RJump is a worm that attempts to spread by copying itself to newly attached media (such as USB storage devices or network drives). It also contains backdoor functionality that allows an attacker unauthorized access to an affected machine.
 
When executed, Win32/RJump copies itself to the %windir% directory with a file name that may vary according to minor variant. Microsoft has observed Win32/RJump using the following file names in the wild:
  • RavMon.exe
  • RavMonE.exe
  • AdobeR.exe
  • bittorrent.exe
Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for XP and Vista it is C:\Windows.
 
The worm also modifies the registry to execute this copy at each Windows start (for example):
Values: "RavAV" or "Bittorrent"
With data: "<path to worm executable>"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 
The worm may also modify the following registry keys in order to set Internet Explorer as the default browser on the affected machine:
HKEY_CLASSES_ROOT\HTTP\shell\(Default) = "open"
HKEY_CLASSES_ROOT\HTTP\shell\open\command\(Default) = ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
HKEY_CLASSES_ROOT\htmlfile\shell\(Default) = "opennew"
HKEY_CLASSES_ROOT\htmlfile\shell\open\command\(Default) = ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command\(Default) = "rundll32.exe shdocvw.dll,OpenURL %l"
 
In order to spread, the worm copies itself (using one of the aforementioned file names) to any newly attached media, such as USB storage devices or network drives. In order to execute this new copy, it also creates an INF file that contains the following text:
 
[AutoRun]
open = <file name> e
shellexecute = <file name> e
shell\Auto\command = <file name> e
shell = Auto
 
For example:
 
[AutoRun]
open = RavMon.exe e
shellexecute = RavMon.exe e
shell\Auto\command = RavMon.exe e
shell = Auto
 
Backdoor Functionality / SOCKS Proxy
The worm connects to one of several websites and sends an identifier for the local infected machine (the local machine's computer name) and the port number being used for the establishment of a SOCKS proxy. The SOCKS proxy port number is stored in a file named 'RavMonLog', which is created in either the same location as the worm's executable, or in the user's %UserProfile% directory. (A typical location for this folder is C:\Documents and Settings\<username>.)
 
Some variants may also manipulate or remove browser cookies.
 
Note: In 2006, a small number of Video iPods were shipped that were infected with RJump. For more information, please see http://www.apple.com/support/windowsvirus/.

Symptoms

The following may be indicative of a Win32/RJump infection:

Presence of any of the following files on the affected computer:
  • %windir%\RavMon.exe
  • %windir%\RavMonE.exe
  • %windir%\AdobeR.exe
  • %windir%\bittorrent.exe
Presence of an associated registry modification that executes any of these files at Windows start. For example, for the file %windir%\RavMonE.exe:
Value: "RavAV"
With data: "%windir%\RavMonE.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
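As an added example (not part of the original entry), a small Python checker that parses an autorun.inf of the form shown under Threat behavior and screens Run-key values for the file and value names listed under Symptoms; the sample autorun text and Run-key pairs are constructed here, not real captures, and a real check would read them from the removable drive and from HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

```python
import ntpath
# Indicators from the Win32/RJump description: dropped file names and Run-key value names.
RJUMP_FILE_NAMES = {"ravmon.exe", "ravmone.exe", "adober.exe", "bittorrent.exe"}
RJUMP_RUN_VALUES = {"ravav", "bittorrent"}
AUTORUN_KEYS = ("open", "shellexecute", "shell\\auto\\command")

def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autorun_matches_rjump(text):
    """Return the worm file named by an RJump-style autorun.inf, else None."""
    # Pattern from the description: the three launch keys name the same copy with a lone 'e' argument, and shell = Auto.
    autorun = parse_autorun(text).get("autorun", {})
    if autorun.get("shell", "").lower() != "auto":
        return None
    targets = set()
    for key in AUTORUN_KEYS:
        parts = autorun.get(key, "").split()
        if len(parts) != 2 or parts[1].lower() != "e":
            return None
        targets.add(parts[0].lower())
    exe = targets.pop() if len(targets) == 1 else None
    return exe if exe in RJUMP_FILE_NAMES else None

def run_key_hits(run_values):
    """Flag (name, data) Run-key pairs whose name or target file matches RJump."""
    hits = []
    for name, data in run_values:
        exe = ntpath.basename(data.strip('"')).lower()
        if name.lower() in RJUMP_RUN_VALUES or exe in RJUMP_FILE_NAMES:
            hits.append((name, data))
    return hits

# Constructed sample inputs that mirror the description (not real captures).
SAMPLE_AUTORUN = ("[AutoRun]\nopen = RavMon.exe e\nshellexecute = RavMon.exe e\n"
                  "shell\\Auto\\command = RavMon.exe e\nshell = Auto\n")
SAMPLE_RUN_VALUES = [("RavAV", r"C:\Windows\RavMonE.exe"), ("ctfmon.exe", r"C:\Windows\system32\ctfmon.exe")]
```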

Prevention

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx.

Use caution with attachments and file transfers

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Alert level: Severe
This entry was first published on: Oct 08, 2007
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Worm.Win32.RJump (Kaspersky)
  • W32/RJump (Sophos)
  • W32.Rajump (Symantec)
  • WORM_RJUMP (Trend Micro)