RavMonE.exe
Encyclopedia
RavMonE, known more correctly as RJump, is a Trojan
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...

 that opens a backdoor on computers running Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...

. Once a computer is infected, the virus allows unauthorized users to gain access to the computer's contents. This poses a security risk for the infected machine's user, as the attacker can steal personal information, and use the computer as an access point into an internal network
Intranet
An intranet is a computer network that uses Internet Protocol technology to securely share any part of an organization's information or network operating system within that organization. The term is used in contrast to internet, a network between organizations, and instead refers to a network...

.

RavMonE was made famous in September 2006 when a number of iPod videos were shipped with the virus already installed. Because the virus only infects Windows computers, it can be inferred that Apple's
Apple Computer
Apple Inc. is an American multinational corporation that designs and markets consumer electronics, computer software, and personal computers. The company's best-known hardware products include the Macintosh line of computers, the iPod, the iPhone and the iPad...

 contracted manufacturer was not using Macintosh computers. Apple came under some public criticism for releasing the virus with their product.

Description

RavMonE is a worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...

 written in the Python
Python (programming language)
Python is a general-purpose, high-level programming language whose design philosophy emphasizes code readability. Python claims to "[combine] remarkable power with very clear syntax", and its standard library is large and comprehensive...

 scripting language and was converted into a Windows executable file using the Py2Exe tool. It attempts to spread by copying itself to mapped and removable storage drives. It can be transmitted by opening infected email attachments and downloading infected files from the Internet. It can also be spread through removable media, such as CD-ROM
CD-ROM
A CD-ROM is a pre-pressed compact disc that contains data accessible to, but not writable by, a computer for data storage and music playback. The 1985 “Yellow Book” standard developed by Sony and Philips adapted the format to hold any form of binary data....

s, flash memory
USB flash drive
A flash drive is a data storage device that consists of flash memory with an integrated Universal Serial Bus interface. flash drives are typically removable and rewritable, and physically much smaller than a floppy disk. Most weigh less than 30 g...

, digital cameras
Digital camera
A digital camera is a camera that takes video or still photographs, or both, digitally by recording images via an electronic image sensor. It is the main device used in the field of digital photography...

 and multimedia players
Portable media player
A portable media player or digital audio player, is a consumer electronics device that is capable of storing and playing digital media such as audio, images, video, documents, etc. the data is typically stored on a hard drive, microdrive, or flash memory. In contrast, analog portable audio...

.

Action

Once the virus is executed, it performs the following tasks.
  1. It copies itself to %WINDIR% as RavMonE.exe.
  2. It adds the value "RavAV" = "%WINDIR%\RavMonE.exe" to the registry
    Windows registry
    The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...

     key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  3. It opens a random port
    Computer port (software)
    In computer programming, port has a wide range of meanings.A software port is a virtual/logical data connection that can be used by programs to exchange data directly, instead of going through a file or other temporary storage location...

     and accepts remote commands.
  4. It creates a log file RavMonLog to store the port number.
  5. It posts a HTTP request to advise the attacker of the infected computer's IP address
    IP address
    An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...

     and the number of the port opened.

When a removable storage device is connected to the infected computer it copies the following files to that device:
  • autorun.inf
    Autorun
    AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted....

     - a script to execute the worm the next time the device is connected to a computer
  • msvcr71.dll - a Microsoft C
    C (programming language)
    C is a general-purpose computer programming language developed between 1969 and 1973 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system....

     Runtime Library module containing standard functions such as to copy memory and print to the console
  • ravmon.exe - a copy of the worm

Aliases

  • Backdoor.Rajump (Symantec)
  • W32/Jisx.A.worm (Panda)
  • W32/RJump-C (Sophos)
  • W32/RJump.A!worm (Fortinet)
  • Win32/RJump.A (ESET)
  • Win32/RJump.A!Worm (CA)
  • Worm.RJump.A (BitDefender)
  • Worm.Win32.RJump.a (Kaspersky)
  • Worm/Rjump.E (Avira)
  • WORM_SIWEOL.B (TrendMicro)
  • Worm/Generic.AMR (AVG)
  • INF:RJump[Trj](Avast!)

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK