Win32/RJump [Threat Name]

Win32/RJump.A [Threat Variant Name]

Category worm
Size 3.5 MB
Aliases Worm.Win32.RJump.a (Kaspersky)
  BackDoor-DIM (McAfee)
  W32.Rajump (Symantec)
Short description

Win32/RJump.A is a worm that spreads via shared folders and removable media. The worm contains a backdoor. It can be controlled remotely. It is written in Python.

When executed, the worm copies itself into the %windir% folder using one of the following file names:

  • RavMon.exe
  • RavMonE.exe
  • AdobeR.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "RavAV" = "%windir%\%variable%.exe"

The %variable% is one of the following strings:

  • RavMon.exe
  • RavMonE.exe
  • AdobeR.exe

The worm may set the following Registry entries:

    • "(Default)" = "open"
  • [HKEY_CLASSES_ROOT\HTTP\shell\open\command]
    • "(Default)" = ""%drive%\Program Files\Internet Explorer\iexplore.exe" -nohome"
  • [HKEY_CLASSES_ROOT\htmlfile\shell]
    • "(Default)" = "opennew"
  • [HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
    • "(Default)" = ""%drive%\Program Files\Internet Explorer\iexplore.exe" -nohome"
  • [HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
    • "(Default)" = "rundll32.exe shdocvw.dll,OpenURL %l"

The worm tries to copy itself to the available shared network folders.

It also copies itself into the root folders of removable drives.

Its filename is one of the following:

  • RavMon.exe
  • RavMonE.exe
  • AdobeR.exe

The following files are dropped in the same folder:

  • autorun.inf
  • msvcr71.dll

Information stealing

The following information is collected:

  • computer IP address
  • opened TCP port number
  • malware version

The worm can send the information to a remote machine.

The worm contains a list of 3 URLs.

The HTTP protocol is used.

Other information

The worm serves as a backdoor.

It can be controlled remotely.

The worm opens a random port.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • create Registry entries
  • delete Registry entries
  • open a specific URL address
  • collect information about the operating system used

The worm launches the following processes:

  • %system%\cmd.exe /c netsh.exe firewall add portopening TCP %portnumber% NortonAV

A string with variable content is used instead of %portnumber%.

The performed command creates an exception in the Windows Firewall.

The worm may create the text file:

  • RavMonLog
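As an added example (not part of the ESET description), the host indicators listed above turned into a small Python checker that runs over event lines. The `type|field|...` line format, the sample events and the port number 4128 are constructed assumptions for illustration; only the file names, the Run key value name, and the netsh/NortonAV command come from the description.

```python
import re

# Host indicators taken from the description above. Event lines use a constructed,
# simplified "type|field|..." format for this example, not a real sensor format.
WORM_NAMES = {"ravmon.exe", "ravmone.exe", "adober.exe"}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
# cmd.exe /c netsh.exe firewall add portopening TCP %portnumber% NortonAV
NETSH_RE = re.compile(r"netsh(?:\.exe)?\s+firewall\s+add\s+portopening\s+TCP\s+"
                      r"(?P<port>\d{1,5})\s+NortonAV\b", re.IGNORECASE)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_line(line):
    """Return a finding for one event line, or None if no indicator matches."""
    fields = line.rstrip("\n").split("|")
    kind = fields[0]
    if kind == "registry" and len(fields) == 4:
        _, key, value, data = fields
        key = key.lower().replace("hkey_local_machine", "hklm")
        # Run\RavAV, or any Run entry that launches one of the worm's file names
        if key == RUN_KEY and (value.lower() == "ravav" or _basename(data) in WORM_NAMES):
            return "persistence: Run\\" + value + " -> " + data
    elif kind == "process" and len(fields) == 2:
        m = NETSH_RE.search(fields[1])
        if m:
            return "firewall exception 'NortonAV' opened for TCP " + m.group("port")
    elif kind == "file" and len(fields) == 2:
        name = _basename(fields[1])
        if name in WORM_NAMES:
            return "worm body written: " + fields[1]
        if name == "autorun.inf" and re.fullmatch(r"[a-z]:\\autorun\.inf", fields[1].lower()):
            return "autorun.inf dropped in drive root: " + fields[1]
    return None

def scan(lines):
    """Run every indicator check over an iterable of event lines; returns findings."""
    return [f for f in map(check_line, lines) if f]

SAMPLE_EVENTS = [  # constructed for this example, not captured from a real infection
    r"registry|HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|RavAV|C:\Windows\RavMonE.exe",
    r"process|C:\Windows\system32\cmd.exe /c netsh.exe firewall add portopening TCP 4128 NortonAV",
    r"process|netsh.exe firewall add portopening TCP 3389 RemoteDesktop",
    r"file|E:\AdobeR.exe",
    r"file|E:\autorun.inf",
    r"file|C:\Program Files\Adobe\AdobeR.exe.manifest",
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

The autorun.inf rule on its own is noisy (legitimate media ship one too); it is worth acting on mainly when the same drive root also contains one of the three worm file names.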
