由ESET发出的新的Win32/RJump.A病毒介绍

傻猪猪米走鸡

Last virus description:
Name: Win32/RJump.A
Insert date: 2007-11-16 09:49:40
Win32/RJump.A

Aliases: Worm.Win32.RJump.a (Kaspersky), BackDoor-DIM (McAfee), W32.Rajump (Symantec)   Type of infiltration: Worm Size: approximately 3.5 MB Affected platforms: Microsoft® Windows® Signature database version: 1991 (20070119)   Short description: Win32/RJump.A is a worm that spreads via shared folders and on removable media. The worm contains a backdoor. It can be controlled remotely. It is written in Python.

Installation
When executed, the worm copies itself in the %windir% folder using one of the following filenames:

RavMon.exe

RavMonE.exe

AdobeR.exe

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RavAV" = "%windir%\%variable%.exe"

The %variable% is one of the following strings:

RavMon.exe

RavMonE.exe

AdobeR.exe

The following Registry entries may be set:

[HKEY_CLASSES_ROOT\HTTP\shell]
"(Default)" = "open"

[HKEY_CLASSES_ROOT\HTTP\shell\open\command]
"(Default)" = ""%drive%\Program Files\Internet Explorer\iexplore.exe" -nohome"
[HKEY_CLASSES_ROOT\htmlfile\shell]
"(Default)" = "opennew"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
"(Default)" = ""%drive%\Program Files\Internet Explorer\iexplore.exe" -nohome"
[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
"(Default)" = "rundll32.exe shdocvw.dll,OpenURL %l"

Spreading
The worm tries to copy itself to the available shared network folders. It also copies itself into the root folders of removable drives. Its filename is one of the following:

RavMon.exe

RavMonE.exe

AdobeR.exe

The following files are dropped in the same folder:

autorun.inf

msvcr71.dll

Information stealing
The following information is collected:

computer IP address

opened TCP port number

malware version

The worm can send the information to a remote machine. The worm contains a list of 3 URLs. The HTTP protocol is used.

Other information
The worm serves as a backdoor. It can be controlled remotely. The worm opens a random TCP port. It may perform the following actions:

download files from a remote computer and/or Internet

run executable files

terminate running processes

create Registry entries

delete Registry entries

open a specific URL address

collect information about the operating system used

The worm launches the following processes:

%system%\cmd.exe /c netsh.exe firewall add portopening TCP %portnumber% NortonAV

A string with variable content is used instead of %portnumber%.

The performed command creates an exception in the Windows Firewall program.

The worm may create the text file:

RavMonLog

zwl2828

学习了....