Worm:Win32/RJump.J
First posted on 31 March 2020.
Source: Microsoft
Aliases:
Worm:Win32/RJump.J is also known as Worm.Win32.RJump.a, W32/RJump-H, W32.Rajump, WORM_RJUMP.A.
Explanation:
Worm:Win32/RJump.J is a worm that attempts to spread by copying itself to newly attached media (such as USB storage devices or network drives). It also contains backdoor functionality that allows an attacker unauthorized access to an affected machine.

When executed, Worm:Win32/RJump.J copies itself to the %windir% directory under a file name that may vary by minor variant. Microsoft has observed Worm:Win32/RJump.J using the following file names in the wild:
RavMon.exe
RavMonE.exe
AdobeR.exe
bittorrent.exe

Note: %windir% refers to a variable location that the malware determines by querying the operating system. The default Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on XP and Vista.

The worm also modifies the registry so that this copy is executed at each Windows start, for example:
Values: "RavAV" or "Bittorrent"
With data: ""
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The worm may also modify the following registry keys in order to set Internet Explorer as the default browser on the affected machine:
HKEY_CLASSES_ROOT\HTTP\shell\(Default) = "open"
HKEY_CLASSES_ROOT\HTTP\shell\open\command\(Default) = ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
HKEY_CLASSES_ROOT\htmlfile\shell\(Default) = "opennew"
HKEY_CLASSES_ROOT\htmlfile\shell\open\command\(Default) = ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command\(Default) = "rundll32.exe shdocvw.dll,OpenURL %l"

In order to spread, the worm copies itself (using one of the aforementioned file names) to any newly attached media, such as USB storage devices or network drives. To execute this new copy, it also creates an INF file that contains the following text:

[AutoRun]
open =e
shellexecute =e
shell\Auto\command =e
shell = Auto

For example:

[AutoRun]
open = RavMon.exe e
shellexecute = RavMon.exe e
shell\Auto\command = RavMon.exe e
shell = Auto

Backdoor Functionality / SOCKS Proxy
The worm connects to one of several websites and sends an identifier for the local infected machine (the local machine's computer name) and the port number being used to establish a SOCKS proxy. The SOCKS proxy port number is stored in a file named 'RavMonLog', which is created either in the same location as the worm's executable or in the user's %UserProfile% directory. (A typical location for this folder is C:\Documents and Settings.) Some variants may also manipulate or remove browser cookies.

Note: In 2006, a small number of Video iPods were shipped that were infected with RJump. For more information, please see http://www.apple.com/support/windowsvirus/.

Last update 31 March 2020
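The autorun.inf launch pattern described above, as an added detection example that is not part of the Microsoft writeup: it parses the [AutoRun] section of an INF file and reports which of the worm's indicators are present (the sample INF and the benign INF it checks are constructed for illustration, not captured files).

```python
# Added example, not from the Microsoft writeup: flags the RJump launch pattern
# in an autorun.inf. Sample INF text below is constructed.

# File names Microsoft reports for this worm, lower-cased for comparison.
RJUMP_FILE_NAMES = {"ravmon.exe", "ravmone.exe", "adober.exe", "bittorrent.exe"}
# INF keys the worm sets so its copy runs when the media is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\auto\\command")

def parse_autorun(text: str) -> dict:
    """Return the [AutoRun] section as a lower-cased key -> value mapping."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def rjump_indicators(text: str) -> list:
    """List the reasons an autorun.inf matches the RJump pattern (empty = no match)."""
    entries = parse_autorun(text)
    reasons = []
    for key in LAUNCH_KEYS:
        parts = entries.get(key, "").split()
        if not parts:
            continue
        if parts[0].lower() in RJUMP_FILE_NAMES:
            reasons.append(f"{key} launches known RJump file name {parts[0]}")
        if len(parts) > 1 and parts[-1].lower() == "e":
            reasons.append(f"{key} passes the 'e' argument seen in RJump INF files")
    if entries.get("shell", "").lower() == "auto" and "shell\\auto\\command" in entries:
        reasons.append("shell=Auto makes the worm's own Auto verb the default action")
    return reasons

# Constructed sample matching the "For example" INF in the description.
SAMPLE_INF = """[AutoRun]
open = RavMon.exe e
shellexecute = RavMon.exe e
shell\\Auto\\command = RavMon.exe e
shell = Auto
"""
# Constructed benign INF (icon and label only) for comparison.
BENIGN_INF = "[AutoRun]\nicon=setup.exe,0\nlabel=Vendor Disk\n"
```

Running rjump_indicators over each autorun.inf found on removable media gives a reviewable list of reasons rather than a bare yes/no, and the benign sample returns an empty list.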