Monday, November 19, 2007

Virus W32/RJump.worm - Ravmon.exe

Device Virus, Ravmon.exe
I created this article because my friend's computer was infected by this virus.

W32/RJump.worm is a worm written in the Python scripting language and converted into a Windows portable executable with the Py2Exe tool. It attempts to spread by copying itself to mapped and removable storage drives, and it also opens a backdoor on an infected system.

This virus blocks some administrative Windows functions, like:

* blocks Task Manager
* blocks regedit.exe
* disables Folder Options
* disables the command prompt
* disables Run, etc.

If you find these problems on your PC, it is because of ravmon.exe - Virus W32/RJump.worm.

This is not a dangerous virus, but it also creates a log file that contains the port number on which its backdoor component listens.

Characteristics of W32/RJump.worm - Ravmon.exe
---------------------------------------------------

It creates a copy of itself in the Windows system directory:
%Windir%\RAVMON.EXE
RavMonLog ( log file)

It creates a registry startup value under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"RavAV" = "%Windir%\RAVMON.EXE"

It creates a copy of these files on all drives:
autorun.inf --used to autorun the worm when the drive is accessed
msvcr71.dll -- Clean Microsoft Visual Studio dll file
ravmon.exe -- copy of the worm

The contents of the autorun.inf are as follows:
[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\Auto\command=RavMonE.exe e
shell=Auto
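As an added example (not code from the original post), the following Python script parses an autorun.inf like the one above and reports the indicators this post describes: the launch keys that point at a program sitting at the drive root, the shell=Auto trick that makes the injected "Auto" verb the default double-click action, and the three dropped files present together. The sample autorun.inf and the drive-root listing are constructed to match the post; the function and indicator names are this example's own.

```python
"""Triage an autorun.inf against the W32/RJump indicators described in the post.

Added example, not part of the original post. SAMPLE_AUTORUN is the worm's
autorun.inf as quoted in the post; SAMPLE_DRIVE_ROOT is a constructed listing
of a removable drive root with the three dropped files plus one harmless file.
"""
import configparser

# Keys in an autorun.inf that make Windows launch a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\auto\\command")

# The three files the post says are dropped at the root of every drive.
DROP_SET = {"autorun.inf", "msvcr71.dll", "ravmon.exe"}

# Constructed sample: the worm's autorun.inf exactly as quoted in the post.
SAMPLE_AUTORUN = """[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\\Auto\\command=RavMonE.exe e
shell=Auto
"""

# Constructed sample: files found at the root of an infected removable drive.
SAMPLE_DRIVE_ROOT = ["autorun.inf", "msvcr71.dll", "ravmon.exe", "holiday.jpg"]


def parse_autorun(text):
    """Return the [AutoRun] section as a dict of lower-cased key -> value."""
    # '=' only: a ':' inside a value such as C:\x.exe must not be taken as a delimiter
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":          # section name is case-insensitive on Windows
            return dict(cp.items(section))        # configparser lower-cases option names
    return {}


def launched_programs(entries):
    """Map each launch key present to the executable it would run (first token)."""
    programs = {}
    for key in LAUNCH_KEYS:
        if key in entries and entries[key].split():
            programs[key] = entries[key].split()[0]   # remaining tokens are arguments
    return programs


def triage(autorun_text, drive_root_files):
    """Return a list of indicator strings; an empty list means nothing matched."""
    entries = parse_autorun(autorun_text)
    hits = []
    for key, exe in launched_programs(entries).items():
        hits.append(f"{key} launches {exe}")
    # shell=Auto selects the injected 'Auto' verb as the default action, so a plain
    # double-click on the drive runs shell\Auto\command instead of opening Explorer.
    if entries.get("shell", "").lower() == "auto" and "shell\\auto\\command" in entries:
        hits.append("shell=Auto makes the injected verb the default action")
    if DROP_SET <= {name.lower() for name in drive_root_files}:
        hits.append("RJump drop set present at drive root")
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_AUTORUN, SAMPLE_DRIVE_ROOT):
        print("indicator:", hit)
```

A legitimate autorun.inf that only sets an icon or a label produces no hits, so the script can be pointed at every removable drive root without flagging harmless media.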

Resetting the default settings with these registry values

To enable Task Manager:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: DisableTaskMgr
Type: REG_DWORD
Value: 1 = Enable

To enable regedit.exe:
Start -> Run -> gpedit.msc -> User Configuration -> Administrative Templates -> System -> Prevent access to registry editing tools -> Right-click -> Properties -> Disabled

To enable Folder Options:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoFolderOptions
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = show options, 1 = hide options)

To enable Run:
Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Create a DWORD value for each Run function that will be disabled.

Modify/create the value names listed below according to the value data given after them.
Data Type: REG_DWORD [Dword Value] // Value Name: DisableLocalMachineRun
Data Type: REG_DWORD [Dword Value] // Value Name: DisableLocalMachineRunOnce
Data Type: REG_DWORD [Dword Value] // Value Name: DisableCurrentUserRun
Data Type: REG_DWORD [Dword Value] // Value Name: DisableCurrentUserRunOnce

Setting for Value Data: [0 = Disabled / 1 = Enabled]

Stop the virus
---------------------
* stop the service whose path is %path%\ravmon.exe
* stop ravmon.exe from Task Manager
* delete ravmon.exe from the PC
* remove the startup registry value from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (don't delete the key itself, only delete the ravmon.exe registry value)
* delete the files autorun.inf and ravmon.exe from all drives
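As an added example covering both the registry reset section and the startup-value step above (not code from the original post), this Python script builds a .reg file that undoes the lockdown and removes the worm's startup value. Instead of writing the numbers listed above it deletes each policy value, which restores Windows' default for that policy; `"name"=-` is the .reg syntax for deleting a value. DisableRegistryTools is the HKEY_CURRENT_USER\...\Policies\System value that the gpedit setting "Prevent access to registry editing tools" writes, which the post does not name. The Run-key listing is a constructed sample; only values that launch ravmon.exe are removed, so a legitimate entry in the same key is kept and the key itself is never deleted.

```python
"""Build a .reg file that reverses the W32/RJump lockdown and startup entry.

Added example, not part of the original post. Key paths and value names come
from the post (plus DisableRegistryTools, the value behind the gpedit policy);
SAMPLE_RUN_VALUES is a constructed Run-key listing with one worm entry and one
legitimate entry.
"""
from pathlib import PureWindowsPath

REG_HEADER = "Windows Registry Editor Version 5.00"
POLICIES = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies"
RUN_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# (key, value name) pairs behind each restriction; deleting the value restores the default.
LOCKDOWN_VALUES = [
    ("HKEY_CURRENT_USER\\" + POLICIES + "\\System", "DisableTaskMgr"),
    ("HKEY_CURRENT_USER\\" + POLICIES + "\\System", "DisableRegistryTools"),
    ("HKEY_CURRENT_USER\\" + POLICIES + "\\Explorer", "NoFolderOptions"),
    ("HKEY_LOCAL_MACHINE\\" + POLICIES + "\\Explorer", "NoFolderOptions"),
    ("HKEY_LOCAL_MACHINE\\" + POLICIES + "\\Explorer", "DisableLocalMachineRun"),
    ("HKEY_LOCAL_MACHINE\\" + POLICIES + "\\Explorer", "DisableLocalMachineRunOnce"),
    ("HKEY_LOCAL_MACHINE\\" + POLICIES + "\\Explorer", "DisableCurrentUserRun"),
    ("HKEY_LOCAL_MACHINE\\" + POLICIES + "\\Explorer", "DisableCurrentUserRunOnce"),
]

# Constructed sample of the Run key: the worm's "RavAV" value beside a legitimate one.
SAMPLE_RUN_VALUES = {
    "RavAV": '"%Windir%\\RAVMON.EXE"',
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}


def is_worm_autostart(data):
    """True when a Run-key value's command launches ravmon.exe (any directory, any case)."""
    stripped = data.strip()
    if not stripped:
        return False
    command = stripped.strip('"').split()[0]          # first token is the executable
    return PureWindowsPath(command).name.lower() == "ravmon.exe"


def build_reset_reg(run_values):
    """Return .reg text that deletes the policy values and the worm's Run entry only."""
    lines = [REG_HEADER, ""]
    by_key = {}
    for key, name in LOCKDOWN_VALUES:                # one [key] header per registry key
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)   # '=-' deletes the value
        lines.append("")
    worm_entries = [name for name, data in run_values.items() if is_worm_autostart(data)]
    if worm_entries:
        lines.append(f"[{RUN_KEY}]")                 # key is kept, only these values go
        lines.extend(f'"{name}"=-' for name in worm_entries)
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_reset_reg(SAMPLE_RUN_VALUES))
```

To use it on an infected machine, save the returned text with `open("rjump-reset.reg", "w", encoding="utf-16")` (the encoding regedit itself exports) and import it with regedit after the running ravmon.exe process has been stopped, otherwise the worm can write its values back.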

1 comment:

Anonymous said...

http://forums.clamwin.com/viewtopic.php?p=7514#7514