Worm.Win32.RJump

Detect Date: 05/17/2007
Class: Worm
Platform: Win32
Description

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 945664 bytes in size. It is not packed in any way. It is written in Delphi.

Installation

When launched, the Trojan copies itself as shown below:

%Documents and Settings%\%user%\Start Menu\Programs\Startup\RavMonE.exe

%Documents and Settings%\%user%\Start Menu\Programs\Startup\avp.exe

%System%\RavMon.exe

The Trojan creates the following registry key with installation data:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\rm]

It also creates the following system registry key values:

[HKCR\Software\Microsoft\Internet Account]

 "Expire Days" = "dword:8"

[HKCR\Control Panel\Desktop]

 "AutoEndTasks" = "1"

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

 "RavAV" = "%Documents and Settings%\%user%\Start Menu\Programs\Startup\RavMonE.exe"

 "RavMon" = "%System%\RavMon.exe"
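
The registry artifacts listed above can be checked offline against a `.reg` export taken from a suspect host. The following is an added example, not part of the original description: the function names, the sample export and the user name `alice` are constructed, and it assumes the keys are written with backslash separators and that `%System%` and the profile path are expanded in the export.

```python
import re

# Indicators from the description above: (key, value name, test on the data).
# A value name of None means the key's existence alone is the indicator.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
INDICATORS = [
    # Paths are matched by their tail because the expanded prefix varies per host.
    (RUN, "RavAV", lambda d: d.lower().endswith(r"\startup\ravmone.exe")),
    (RUN, "RavMon", lambda d: d.lower().endswith(r"\ravmon.exe")),
    (r"HKCR\Control Panel\Desktop", "AutoEndTasks", lambda d: d == "1"),
    (r"HKCR\Software\Microsoft\Internet Account", "Expire Days",
     lambda d: d.startswith("dword:") and int(d[6:], 16) == 8),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\rm", None, None),
]
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR"}

def parse_reg(text):
    """Yield (key, name, data) from .reg text; name is None on the key line itself."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
            yield key, None, None
        elif key and (m := re.match(r'"([^"]*)"=(.*)$', line)):
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            yield key, m.group(1), data

def find_rjump(text):
    """Return a sorted list of 'key -> value' strings for each indicator present."""
    hits = set()
    for key, name, data in parse_reg(text):
        for ikey, iname, test in INDICATORS:
            if key.lower() == ikey.lower() and name == iname and (test is None or test(data)):
                hits.add(f"{ikey} -> {iname or '(key exists)'}")
    return sorted(hits)

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RavMon"="C:\\WINDOWS\\system32\\RavMon.exe"
"RavAV"="C:\\Documents and Settings\\alice\\Start Menu\\Programs\\Startup\\RavMonE.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\rm]
'''
```

Calling `find_rjump(SAMPLE)` reports the two Run values and the `rm` key and ignores the unrelated `ctfmon` entry. A hit on a Run value still needs the referenced file examined, since the match is on name and path tail only.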