VIRUS ALERTS

RJump Worm

Original issue date: November 01, 2007

It has been observed that a worm named RJump is circulating widely. It propagates by dropping a copy of itself, under random names, onto removable drives and network drives. It establishes a SOCKS proxy on the infected system to facilitate malicious activities such as spam relaying.

The worm opens a backdoor on the compromised system and prevents the Windows firewall from blocking the malicious port activity. It sends information about the status of the infected system, and the port number used for the SOCKS proxy, to certain websites hosted by the attacker. The SOCKS proxy port number is stored in a file named 'RavMonLog', which is created either in the same location as the worm's executable or in the user's %UserProfile% directory. After successful infection, the worm waits for the remote attacker's commands before performing further malicious activities.

Aliases: Worm:Win32/RJump [Microsoft], Worm.Win32.RJump [Kaspersky], W32.Rajump [Symantec], WORM_RJUMP [Trend Micro], Worm.Win32.RJump.a, Worm.Win32.RJump.b [F-Secure]

The worm copies itself under any one of the following executable names:

  • RavMon.exe
  • RavMonE.exe
  • AdobeR.exe
  • bittorrent.exe
  • mdm.exe

Upon execution, the worm:

  • Copies itself to the following location:
    %windir%
  • Creates the following registry entry to ensure its execution at every system startup:
    Values: "RavAV" or "Bittorrent"
    With data: "<path to worm executable>"
    To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • Creates an INF file containing the following text, so that the executable named above is launched automatically:
    [AutoRun]
    open = <file name> e
    shellexecute = <file name> e
    shell\Auto\command = <file name> e
    shell = Auto
  • Modifies the following registry keys in order to set Internet Explorer as the default browser on the compromised system:
    • HKEY_CLASSES_ROOT\HTTP\shell\(Default) = "open"
    • HKEY_CLASSES_ROOT\HTTP\shell\open\command\(Default) = ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
    • HKEY_CLASSES_ROOT\htmlfile\shell\(Default) = "opennew"
    • HKEY_CLASSES_ROOT\htmlfile\shell\open\command\(Default) = ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
    • HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command\(Default) = "rundll32.exe shdocvw.dll,OpenURL %l"
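As an added triage example that is not part of the CERT-In advisory, the following Python flags an autorun.inf body and Run-key values that match the indicators listed above (the executable names, the "RavAV"/"Bittorrent" value names, and the [AutoRun] launch keys with their trailing "e" argument). The sample INF text and Run-key dictionary are constructed; on a live host the INF would be read from the root of each removable drive and the dictionary from the Run subkey named above.

```python
import re

# Indicators taken from the advisory text above.
RJUMP_NAMES = {"ravmon.exe", "ravmone.exe", "adober.exe", "bittorrent.exe", "mdm.exe"}
RJUMP_RUN_VALUES = {"ravav", "bittorrent"}
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\auto\\command")

def parse_autorun(text):
    """Return the [AutoRun] section of an INF body as {lowercased key: value}."""
    entries, in_section = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def _launched_file(command):
    """Lowercased file name a command launches (quoted path, or bare name plus arguments)."""
    c = command.strip()
    path = c[1:].split('"', 1)[0] if c.startswith('"') else (c.split() or [""])[0]
    return re.split(r"[\\/]", path)[-1].lower()

def autorun_indicators(text):
    """List the advisory's autorun.inf indicators present in an INF body."""
    entries = parse_autorun(text)
    hits = [f"{k}={entries[k]}" for k in AUTORUN_LAUNCH_KEYS
            if k in entries and _launched_file(entries[k]) in RJUMP_NAMES]
    # "shell=Auto" alone is not conclusive; report it only alongside a named executable.
    if hits and entries.get("shell", "").lower() == "auto":
        hits.append("shell=Auto")
    return hits

def run_key_indicators(run_values):
    """run_values: {value name: data} as read from HKLM\\...\\CurrentVersion\\Run."""
    return [(name, data) for name, data in run_values.items()
            if name.lower() in RJUMP_RUN_VALUES or _launched_file(data) in RJUMP_NAMES]

# Constructed samples mirroring the advisory (not captured from a real host).
SAMPLE_AUTORUN = """[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\\Auto\\command=RavMonE.exe e
shell=Auto
"""
SAMPLE_RUN = {"RavAV": r"C:\WINDOWS\RavMonE.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
```

A benign INF that only sets an icon or launches an installer with another name produces no hits, so the output can be acted on directly during incident triage.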

In view of the rapid propagation of the RJump worm, users are advised to implement the following countermeasures:

  • Delete executables bearing the names listed above
  • Install and maintain updated anti-virus software at both gateway and desktop level
  • Keep the operating system up to date with patches and fixes
  • Scan removable media for malware before use
  • Install and maintain a desktop firewall and block the ports that are not required

References

Microsoft
http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fRjump

Symantec
http://www.symantec.com/security_response/writeup.jsp?docid=2006-062310-0921-99

Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRJUMP%2EA&VSect=P

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003