Device Virus, Ravmon.exe
I created this article because my friend's computer was infected by this virus.
W32/RJump.worm is a worm written in the Python scripting language and converted into a Windows portable executable with the Py2Exe tool. It attempts to spread by copying itself to mapped and removable storage drives, and it also opens a backdoor on the infected system.
This virus blocks some administrative Windows functions, such as:
* Task Manager
* regedit.exe
* Folder Options
* the command prompt
* Run, etc.
If you find these problems on your PC, it is because of ravmon.exe (Virus W32/RJump.worm).
This is not a dangerous virus, but it also creates a log file that contains the port number on which its backdoor component listens.
Characteristics of W32/RJump.worm - Ravmon.exe
---------------------------------------------------
It creates a copy of itself in the Windows system directory:
%Windir%\RAVMON.EXE
RavMonLog (log file)
It creates a startup entry in the registry under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"RavAV" = "%Windir%\RAVMON.EXE"
It creates a copy of these files on all drives:
autorun.inf -- used to autorun the worm when the drive is accessed
msvcr71.dll -- clean Microsoft Visual Studio DLL file
ravmon.exe -- copy of the worm
The contents of the autorun.inf are as follows:
[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\Auto\command=RavMonE.exe e
shell=Auto
Resetting the default settings with these registry values
---------------------------------------------------
To enable Task Manager:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: DisableTaskMgr
Type: REG_DWORD
Value: 1 = Enable (1 enables the restriction and hides Task Manager; set it to 0 to restore Task Manager)
To enable regedit.exe:
Start -> Run -> gpedit.msc -> User Configuration -> Administrative Templates -> System -> Prevent access to registry editing tools -> right click -> Properties -> Disabled
To enable Folder Options:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key:
Explorer]
Value Name: NoFolderOptions
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = show options, 1 = hide options)
To enable Run:
Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Create a DWORD value for each Run function that is to be disabled.
Modify or create the value names listed below according to the value data shown.
Data Type: REG_DWORD [DWORD Value] // Value Name: DisableLocalMachineRun
Data Type: REG_DWORD [DWORD Value] // Value Name: DisableLocalMachineRunOnce
Data Type: REG_DWORD [DWORD Value] // Value Name: DisableCurrentUserRun
Data Type: REG_DWORD [DWORD Value] // Value Name: DisableCurrentUserRunOnce
Setting for Value Data: [0 = Disabled / 1 = Enabled]
Stop the virus
---------------------
* stop the service whose path points to ravmon.exe (%path%\ravmon.exe)
* stop ravmon.exe from Task Manager
* delete ravmon.exe from the PC
* remove the startup registry value from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (don't delete the Run key itself, only delete the ravmon.exe registry value)
* delete autorun.inf and ravmon.exe from all drives
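As an added example (not code from the original post), the following PowerShell script performs the registry reset and the clean-up steps above in one pass: it reports the running worm process, the RavAV startup value, the restriction policies set to 1, and the dropped files in %Windir% and every drive root, and with -Fix it undoes them. The DisableRegistryTools value is assumed to be the registry value behind the gpedit.msc policy named above; the RavMonE.exe name comes from the autorun.inf shown earlier.

```powershell
# Added example (not code from the original post): report the changes the post
# attributes to Ravmon.exe and, with -Fix, undo them. Run elevated.
param([switch]$Fix)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$sys = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Restriction values from the post, 1 = restricted. DisableRegistryTools is the
# value behind the gpedit.msc "Prevent access to registry editing tools" policy.
$policies = @(
    "HKCU:\$sys|DisableTaskMgr", "HKCU:\$sys|DisableRegistryTools",
    "HKCU:\$exp|NoFolderOptions", "HKLM:\$exp|NoFolderOptions",
    "HKLM:\$exp|DisableLocalMachineRun", "HKLM:\$exp|DisableLocalMachineRunOnce",
    "HKLM:\$exp|DisableCurrentUserRun", "HKLM:\$exp|DisableCurrentUserRunOnce"
)
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null } else { return $item.$Name }
}
# 1. Running copies (the post's "stop ravmon.exe from Task Manager").
foreach ($p in Get-Process -Name 'ravmon', 'RavMonE' -ErrorAction SilentlyContinue) {
    Write-Host "Running: $($p.Name) PID $($p.Id) $($p.Path)"
    if ($Fix) { Stop-Process -Id $p.Id -Force }
}
# 2. Startup value RavAV. Only the value is removed; the Run key itself stays.
$startup = Get-RegValue $runKey 'RavAV'
if ($null -ne $startup) {
    Write-Host "Startup value RavAV = $startup"
    if ($Fix) { Remove-ItemProperty -Path $runKey -Name 'RavAV' }
}
# 3. Policy restrictions set to 1 are reset to 0 (the unrestricted state).
foreach ($entry in $policies) {
    $path, $name = $entry -split '\|'
    if ((Get-RegValue $path $name) -eq 1) {
        Write-Host "Restriction on: $path\$name"
        if ($Fix) { Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord }
    }
}
# 4. Dropped files in %Windir% and every drive root. An autorun.inf counts only
#    if it references RavMon, so a legitimate one is left alone.
$roots = @($env:windir) + (Get-PSDrive -PSProvider FileSystem | ForEach-Object Root)
foreach ($root in $roots) {
    foreach ($f in 'autorun.inf', 'ravmon.exe', 'RavMonE.exe', 'RavMonLog') {
        $full = Join-Path $root $f
        if (-not (Test-Path -LiteralPath $full)) { continue }
        if ($f -eq 'autorun.inf' -and
            -not (Select-String -LiteralPath $full -Pattern 'RavMon' -Quiet)) { continue }
        Write-Host "Dropped file: $full"
        if ($Fix) { Remove-Item -LiteralPath $full -Force }
    }
}
```

Run it once without -Fix to review the findings, then with -Fix; removable drives must be plugged in for their autorun.inf to be found.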