Date discovered:06/08/2006
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:3.515.723 Bytes
MD5 checksum:3efdfddfffe5cf4ad40c5368c336a702
IVDF version: - Sunday, August 6, 2006

 General Aliases:
   •  Sophos: W32/RJump-H
   •  Panda: Bck/Simut.A
   •  Eset: Win32/RJump.A
   •  Bitdefender: Trojan.Generic.1618020

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\RavMonE.exe

The following file is created:

%malware execution directory%\RavMonLog

It tries to download a file:

– The locations are the following:
   • http://natrocket.kmip.net:5288/**********?peer_id=%character string%&port=%character string%&type=%character string%&ver=%character string%
   • http://natrocket.9966.org:5288/**********?peer_id=%character string%&port=%character string%&type=%character string%&ver=%character string%
   • http://scipaper.kmip.net:80/**********?peer_id=%character string%&port=%number%&type=%character string%&ver=%number%

It tries to executes the following files:

– Filename:
   • %SYSDIR%\cmd.exe /c netsh firewall add portopening TCP 17841 NortonAV

– Filename:
   • netsh firewall add portopening TCP 17841 NortonAV

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "RavAV"="%WINDIR%\RavMonE.exe"

説明の挿入者 Petre Galan の 2010年4月22日木曜日
説明の更新者 Petre Galan の 2010年4月22日木曜日

戻る . . . .