Virus: Worm/Rjump.E
Date discovered: 23/06/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: No
File size: ~3.500.000 Bytes
VDF version: 6.35.00.61

General Aliases:
   •  Mcafee: BackDoor-DIJ, W32/RJump.worm
   •  Kaspersky: Worm.Win32.RJump.a, Worm.Win32.RJump.b
   •  F-Secure: Worm.Win32.RJump.a, Worm.Win32.RJump.b
   •  Sophos: Troj/RJump-I, W32/RJump-A, W32/RJump-G
   •  Eset: Win32/RJump.A, Win32/RJump.B
   •  Bitdefender: Worm.RJump.A, Win32.Worm.RJump.F, Worm.RJump.K


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information
   • Third party control

Files: It drops copies of itself using one of the file names listed below.
– To: %WINDIR%\, using one of the following names:
   • AdobeR.exe
   • RavMonE.exe

– To: %drive%\, using one of the following names:
   • AdobeR.exe
   • RavMonE.exe

The following file is created:

%drive%\AUTORUN.INF – This is a non-malicious text file with the following content:
   • %code that runs malware%

Registry: One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • RavAV = %WINDIR%\RavMonE.exe
   • RavAV = %WINDIR%\AdobeR.exe

Backdoor: The following port is opened:

%executed file% on a random TCP port in order to provide backdoor capabilities.
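The dropped files, the Run-key value and the AUTORUN.INF described above are the host-side indicators a defender can check for. The following script is an added example, not part of the original description: it takes constructed samples of Run-key entries, file listings and an AUTORUN.INF body and reports which of the page's indicators match. Since the page elides the AUTORUN.INF content, the autorun check assumes the standard `open=` / `shellexecute=` launch directives under `[autorun]`; all sample data is constructed.

```python
"""Indicator check for the Worm/Rjump.E description (added example).

Functions take data already collected from a host (Run-key values,
file listings, AUTORUN.INF text) and return the entries that match
the indicators named in the description.
"""
import re

# Indicators taken from the description above
DROPPED_NAMES = {"adober.exe", "ravmone.exe"}
RUN_VALUE_NAME = "ravav"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def _exe_name(data: str) -> str:
    """Return the lowercase .exe file name referenced by a path or command line.

    Handles quoted paths, environment variables and trailing arguments by
    picking the first token that ends in .exe.
    """
    m = re.search(r'([^\\/"\s]+\.exe)\b', data, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def check_run_values(entries: list) -> list:
    """entries: (value_name, value_data) pairs read from the Run key.

    Flags a value named RavAV whose data launches one of the dropped names.
    """
    findings = []
    for name, data in entries:
        if name.lower() == RUN_VALUE_NAME and _exe_name(data) in DROPPED_NAMES:
            findings.append(f"{RUN_KEY}\\{name} = {data}")
    return findings


def check_files(paths: list) -> list:
    """paths: full paths found in %WINDIR% and drive roots.

    Flags any file whose name is one of the dropped names (case-insensitive).
    """
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in DROPPED_NAMES]


def check_autorun(text: str) -> list:
    """Parse an AUTORUN.INF body and return launch lines pointing at a dropped name.

    Assumption (the page elides the file content): the launch happens through
    the standard open= or shellexecute= keys in the [autorun] section.
    """
    in_autorun = False
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute") and _exe_name(val) in DROPPED_NAMES:
                hits.append(line)
    return hits


def scan(run_entries: list, files: list, autorun_text: str) -> dict:
    """Run all three checks and return the findings grouped by source."""
    return {
        "run": check_run_values(run_entries),
        "files": check_files(files),
        "autorun": check_autorun(autorun_text),
    }


# Constructed sample data (not captured from a real host)
SAMPLE_RUN = [
    ("RavAV", r"%WINDIR%\RavMonE.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\RavMonE.exe",
    r"C:\WINDOWS\explorer.exe",
    r"E:\AdobeR.exe",
    r"E:\AUTORUN.INF",
]
SAMPLE_AUTORUN = "[autorun]\nopen=AdobeR.exe\nicon=AdobeR.exe\n"

if __name__ == "__main__":
    for source, hits in scan(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_AUTORUN).items():
        for hit in hits:
            print(f"[{source}] {hit}")
```

On a live host the Run-key pairs would come from a registry export and the file list from a directory listing of %WINDIR% and each removable drive root; a match on the Run value alone is a strong signal, while a matching file name by itself should be confirmed with a hash from an AV vendor, since the page does not give one.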


Contact server:
One of the following:
   • http://natrocket.kmip.net:5288/**********
   • http://natrocket.9966.org:5288/**********
   • http://scipaper.kmip.net/**********

It may then send some information; this is done via an HTTP GET request to a PHP script.


Sends information about:
    • Computer name
    • Opened port

Description inserted by Andrei Gherman on Tuesday, May 8, 2007
Description updated by Andrei Gherman on Tuesday, May 8, 2007
