Detect Date 05/17/2007
Class Worm
Platform Win32

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 945664 bytes in size. It is not packed in any way. It is written in Delphi.


When launched, the Trojan copies itself as shown below:

%Documents and Settings%\%user%\Start Menu\Programs\Startup\RavMonE.exe

%Documents and Settings%\%user%\Start Menu\Programs\Startup\avp.exe


The Trojan creates the following registry key with installation data:


It also creates the following system registry key values:

[HKCR\Software\Microsoft\Internet Account]

 “Expire Days” = “dword:8”

[HKCR\Control Panel\Desktop]

 “AutoEndTasks” = “1”

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:


 “RavAV” = “%Documents and Settings%\%user%\Start Menu\Programs\Startup\RavMonE.exe”

 “RavMon” = “%System%\RavMon.exe”
