Win32/RJump [Threat Name]

Win32/RJump.A [Threat Variant Name]

Category worm
Size 3.5 MB
Aliases Worm.Win32.RJump.a (Kaspersky)
  BackDoor-DIM (McAfee)
  W32.Rajump (Symantec)

Short description

Win32/RJump.A is a worm that spreads via shared folders and removable media. It contains a backdoor component through which it can be controlled remotely. It is written in Python.

Installation

When executed, the worm copies itself into the %windir% folder using one of the following file names:

  • RavMon.exe
  • RavMonE.exe
  • AdobeR.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "RavAV" = "%windir%\%variable%.exe"

The %variable% is one of the following strings:

  • RavMon.exe
  • RavMonE.exe
  • AdobeR.exe

The worm may also set the following Registry entries, which change how http: URLs, HTML files and Internet shortcut (.url) files are opened:

  • [HKEY_CLASSES_ROOT\HTTP\shell]
    • "(Default)" = "open"
  • [HKEY_CLASSES_ROOT\HTTP\shell\open\command]
    • "(Default)" = ""%drive%\Program Files\Internet Explorer\iexplore.exe" -nohome"
  • [HKEY_CLASSES_ROOT\htmlfile\shell]
    • "(Default)" = "opennew"
  • [HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
    • "(Default)" = ""%drive%\Program Files\Internet Explorer\iexplore.exe" -nohome"
  • [HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
    • "(Default)" = "rundll32.exe shdocvw.dll,OpenURL %l"
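
A triage check for the persistence and handler entries listed above, added here as an example (it is not ESET's code and not the worm's). It parses the text of a `reg export` dump and reports the RavAV Run value (or any Run value pointing at one of the three drop names) as a high-confidence indicator, and the rewritten HTTP/htmlfile open commands only as supporting evidence, since an `iexplore.exe -nohome` handler is not by itself proof of this worm. The sample export embedded in the script is constructed for illustration; on a real host run `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for the HKCR keys) and pass the file to the script.

```python
import re
import sys

# Constructed sample of a `reg export` fragment as it might look on a host
# infected with Win32/RJump.A. Illustrative only, not a capture from a real machine.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RavAV"="C:\\WINDOWS\\RavMonE.exe"
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"

[HKEY_CLASSES_ROOT\HTTP\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"

[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
@="rundll32.exe shdocvw.dll,OpenURL %l"
'''

# Registry key paths are case-insensitive, so everything is compared lower-cased.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DROPPED_NAMES = {"ravmon.exe", "ravmone.exe", "adober.exe"}
HANDLER_KEYS = (
    r"hkey_classes_root\http\shell\open\command",
    r"hkey_classes_root\htmlfile\shell\open\command",
)

# A value line is either @=... (the default value) or "name"=...
_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unescape(s):
    # Undo .reg escaping: backslash-backslash -> backslash, backslash-quote -> quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: data}} for the REG_SZ values
    in a .reg export. hex(...)/dword: data is kept as the raw text."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = m.group("name")
        name = "(Default)" if name == "@" else _unescape(name[1:-1])
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries[key][name] = data
    return entries


def _basename(path):
    """Last path component of a (possibly quoted) path, lower-cased."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_rjump_indicators(entries):
    """Return (severity, detail) pairs: 'high' for the Run-key persistence entry,
    'supporting' for the rewritten http/htmlfile open handlers."""
    hits = []
    for name, data in entries.get(RUN_KEY, {}).items():
        if name.lower() == "ravav" or _basename(data) in DROPPED_NAMES:
            hits.append(("high", f"Run value {name} = {data}"))
    for key in HANDLER_KEYS:
        cmd = entries.get(key, {}).get("(Default)", "")
        if "iexplore.exe" in cmd.lower() and "-nohome" in cmd.lower():
            hits.append(("supporting", f"{key} (Default) = {cmd}"))
    return hits


if __name__ == "__main__":
    # reg.exe writes exports as UTF-16LE with a BOM; pass a file to scan a real export.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as f:
            text = f.read()
    else:
        text = SAMPLE_REG_EXPORT
    for severity, detail in find_rjump_indicators(parse_reg_export(text)):
        print(f"[{severity}] {detail}")
```

Run values stored as REG_EXPAND_SZ appear in an export as `hex(2):...` and are left unparsed here, so a Run entry written with an unexpanded `%windir%` would need the hex data decoded first.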

Spreading

The worm tries to copy itself to the available shared network folders.

It also copies itself into the root folders of removable drives.

Its filename is one of the following:

  • RavMon.exe
  • RavMonE.exe
  • AdobeR.exe

The following files are dropped in the same folder:

  • autorun.inf
  • msvcr71.dll
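
An added example, not part of this page and not the worm's own code: a check for a removable drive root that parses autorun.inf, resolves which file AutoRun would launch (the `open=`, `shellexecute=` or `shell\open\command=` directive) and reports whether that target, or any file present in the root, is one of the three drop names. The autorun.inf content embedded below is constructed for illustration, not a copy of the worm's file. msvcr71.dll is the Visual C++ 7.1 runtime that Python 2.4/2.5-era builds depend on, consistent with the worm being a packaged Python program; its presence is recorded but not treated as an indicator on its own.

```python
import os
import sys

DROPPED_NAMES = {"ravmon.exe", "ravmone.exe", "adober.exe"}
# [autorun] directives that name something Windows would launch on AutoRun/AutoPlay.
EXEC_DIRECTIVES = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample of an autorun.inf of the kind such a worm drops.
# Illustrative only, not a verbatim copy of the worm's file.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=RavMonE.exe
shellexecute=RavMonE.exe
shell\\open\\Command=RavMonE.exe
shell\\open\\Default=1
"""


def parse_autorun_inf(text):
    """Return the key=value directives of the [autorun] section, keys lower-cased."""
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def _first_token(command):
    """Executable name (lower-cased basename) from a command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def autorun_launch_targets(directives):
    """Executables the parsed autorun.inf would start, in directive order."""
    return [_first_token(directives[d]) for d in EXEC_DIRECTIVES if d in directives]


def scan_drive_root(root):
    """Inspect a drive root (e.g. a mounted USB stick) for the worm's dropped files."""
    names = {n.lower(): n for n in os.listdir(root)}
    findings = {
        "present_droppers": sorted(n for n in DROPPED_NAMES if n in names),
        "msvcr71": "msvcr71.dll" in names,  # VC 7.1 runtime; recorded, not an indicator alone
        "autorun_targets": [],
        "verdict": "clean",
    }
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), errors="replace") as f:
            findings["autorun_targets"] = autorun_launch_targets(parse_autorun_inf(f.read()))
    if findings["present_droppers"] or any(t in DROPPED_NAMES for t in findings["autorun_targets"]):
        findings["verdict"] = "rjump-indicators"
    elif findings["autorun_targets"]:
        findings["verdict"] = "autorun-launches-executable"
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. E:\ on Windows or /media/usb0 on Linux
        for root in sys.argv[1:]:
            print(root, scan_drive_root(root))
    else:
        print(autorun_launch_targets(parse_autorun_inf(SAMPLE_AUTORUN_INF)))
```

The verdict "autorun-launches-executable" is deliberately separate from a clean result: any autorun.inf that starts a program from a removable drive deserves a look even when the file names do not match this worm.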

Information stealing

The following information is collected:

  • computer IP address
  • opened TCP port number
  • malware version

The worm can send the information to a remote machine.

The worm contains a list of 3 URLs.

The HTTP protocol is used.

Other information

The worm serves as a backdoor.

It can be controlled remotely.

The worm opens a random port.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • create Registry entries
  • delete Registry entries
  • open a specific URL address
  • collect information about the operating system used

The worm launches the following processes:

  • %system%\cmd.exe /c netsh.exe firewall add portopening TCP %portnumber% NortonAV

A string with variable content is used instead of %portnumber%.

The command adds a Windows Firewall exception for inbound TCP port %portnumber% (the `netsh firewall` context is the Windows XP / Server 2003 firewall interface), under a rule name that mimics an antivirus product.
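
The netsh invocation above is a useful detection hook: on a host with process-creation logging (Sysmon event 1 or equivalent) it appears as cmd.exe spawned by the worm's executable. The following added example (not ESET's code and not the worm's) parses command lines for a legacy `netsh firewall add portopening` call, extracts protocol, port and rule name, and raises a high-severity alert when the rule is named NortonAV or the parent process is one of the three drop names; any other port opening is reported at medium severity. It also parses the `netsh advfirewall firewall add rule ... localport=` form used on Vista and later, which this worm does not use and is included here as a generalization. The event records are constructed samples, not real logs.

```python
import re

# Legacy (XP/2003) form: netsh firewall add portopening <proto> <port> <name> [...]
# Arguments may also be given as protocol=/port=/name=.
LEGACY_RE = re.compile(
    r"""netsh(?:\.exe)?\s+firewall\s+add\s+portopening\s+
        (?:protocol=)?(?P<proto>tcp|udp|all)\s+
        (?:port=)?(?P<port>\d{1,5})\s+
        (?:name=)?(?P<name>"[^"]*"|\S+)""",
    re.IGNORECASE | re.VERBOSE,
)
# Vista+ form, included as a generalization (this worm uses the legacy form).
ADVFW_RE = re.compile(r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)",
                      re.IGNORECASE)
DROPPED_NAMES = {"ravmon.exe", "ravmone.exe", "adober.exe"}

# Constructed process-creation records in the shape of Sysmon event 1 fields.
# These are samples written for this example, not real logs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\WINDOWS\RavMonE.exe",
     "Image": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": "cmd.exe /c netsh.exe firewall add portopening TCP 41235 NortonAV"},
    {"ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "Image": r"C:\WINDOWS\system32\netsh.exe",
     "CommandLine": 'netsh firewall add portopening TCP 8080 "Vendor Agent"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh firewall show state"},
    {"ParentImage": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Remote Assist" dir=in '
                    'action=allow protocol=TCP localport=51002'},
]


def _advfw_fields(args):
    """key=value pairs of an advfirewall rule, values unquoted, keys lower-cased."""
    return {m.group(1).lower(): m.group(2).strip('"')
            for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', args)}


def parse_firewall_opening(command_line):
    """Return {proto, port, name, syntax} if the command line opens an inbound port,
    otherwise None."""
    m = LEGACY_RE.search(command_line)
    if m:
        return {"proto": m.group("proto").upper(), "port": int(m.group("port")),
                "name": m.group("name").strip('"'), "syntax": "legacy"}
    m = ADVFW_RE.search(command_line)
    if m:
        f = _advfw_fields(m.group("args"))
        if (f.get("dir", "in").lower() == "in" and f.get("action", "").lower() == "allow"
                and "localport" in f):
            port = f["localport"]
            return {"proto": f.get("protocol", "any").upper(),
                    "port": int(port) if port.isdigit() else port,
                    "name": f.get("name", ""), "syntax": "advfirewall"}
    return None


def detect(events):
    """Alert on every firewall port opening; escalate to 'high' when the rule name or
    the parent process matches what this worm uses."""
    alerts = []
    for ev in events:
        opening = parse_firewall_opening(ev.get("CommandLine", ""))
        if opening is None:
            continue
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        reasons = []
        if opening["name"].lower() == "nortonav":
            reasons.append("rule named NortonAV, as set by Win32/RJump.A")
        if parent in DROPPED_NAMES:
            reasons.append(f"parent {parent} is a Win32/RJump.A drop name")
        alerts.append({"severity": "high" if reasons else "medium",
                       "port": opening["port"], "rule": opening["name"],
                       "parent": parent, "syntax": opening["syntax"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] port {a['port']} rule {a['rule']!r} parent {a['parent']}"
              + (" | " + "; ".join(a["reasons"]) if a["reasons"] else ""))
```

Because the worm chooses the port at random, the port number itself is not a usable signature; the stable artefacts are the rule name and the parent-child relationship, which is why the alert keys on those.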


The worm may create the text file:

  • RavMonLog
