Home / malware Win32.Worm.RJump.B
First posted on 21 November 2011.
Source: BitDefenderAliases :
There are no other names known for Win32.Worm.RJump.B.
Explanation :
The worm is written in Python and converted to a Windows executable.
When executed, it copies itself to
%WINDIR%RavMonE.exe
and creates the registry key
HKLMSoftwareMicrosoftWindowsCurrentVersionRunRavAV ="%WINDIR%RavMonE.exe"
in order to be executed at startup.
The worm copies itself to the USB drives together with an autorun script, detected by BitDefender as Trojan.Autorun.EU.
Also, the worm have backdoor capabilities, and when executed, starts listening on a random port, and posts the local IP and port number to URLs :
http://natrocket.????.net:5288/return
http://natrocket.????.net:5288/iesocks
http://natrocket.????.org:5288/iesocks
http://scipaper.????.net:80/iesocksLast update 21 November 2011