Worm:Win32/RJump.F is a worm that attempts to spread by copying itself to local, removable and network drives. It also contains functionality that allows an attacker to download and execute arbitrary files, including additional malicious software, on the user’s machine.
Installation
When executed, the worm copies itself to %windir%\SVCHOST.EXE and modifies the registry so that this file cannot be viewed with Explorer:
Adds value: "CheckedValue"
With data: "0"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Adds value: "Hidden"
With data: "2"
To subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Note: %windir% refers to a variable location that the malware determines by querying the operating system. The default Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on XP and Vista.
The worm also drops the following files:
- %windir%\mdm.exe (detected by our scanners as TrojanSpy:Win32/VBStat.AD)
- %windir%\svchost.ini (a configuration file that contains a version number for the worm and the name of a hidden window that it creates)
Worm:Win32/RJump.F checks if another instance of the worm is running by looking for an “SVCHOST” class window with the window name specified in the configuration file svchost.ini. If such an instance exists, RJump.F forces it to exit.
Worm:Win32/RJump.F executes “mdm.exe”. This file modifies the registry in order to execute itself at each Windows start.
Adds value: "SVCHOST"
With data: "%windir%\mdm.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This file then executes “%windir%\svchost.exe”.
Spreads Via…
Local, Removable and Network Drives
In order to spread, the worm copies itself as "ravmon.exe" to local and network drives and to any newly attached media, such as USB storage devices. In order to execute this new copy, it also creates an INF file, "autorun.inf", that contains the following text (the two menu labels are Chinese, meaning "Open" and "Explorer"):
[AutoRun]
open=RavMon.exe
shell\open=打开(&O)
shell\open\Command=RavMon.exe
shell\explore=资源管理器(&X)
shell\explore\Command="RavMon.exe -e"
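The following is an added defender-side example, not code from the write-up or from Microsoft: it parses an autorun.inf of the shape shown above, lists every file such a file would launch, and flags the two Explorer hidden-file registry values from the Installation section. The SAMPLE_AUTORUN text is a constructed copy of the file above; the function names are assumptions of this example.

```python
import ntpath
# Constructed copy of the autorun.inf quoted above; the two menu labels are
# replaced by English placeholders, since only the open/Command keys launch anything.
SAMPLE_AUTORUN = """[AutoRun]
open=RavMon.exe
shell\\open=Open(&O)
shell\\open\\Command=RavMon.exe
shell\\explore=Explore(&X)
shell\\explore\\Command="RavMon.exe -e"
"""

def parse_autorun(text):
    """Parse INF-style text into {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autorun_launch_targets(text):
    """File names an autorun.inf would run: open, shellexecute and shell\\<verb>\\command."""
    targets = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        parts = value.strip('"').split()  # drop surrounding quotes, split off arguments
        if launches and parts:
            targets.append(ntpath.basename(parts[0]).lower())
    return targets

def is_rjump_autorun(text):
    """True when the autorun.inf launches ravmon.exe, the file name RJump.F uses."""
    return "ravmon.exe" in autorun_launch_targets(text)

def explorer_hidden_tampered(checked_value, hidden):
    """Flag the two Explorer values the worm sets (pass the REG_DWORD data read from
    the subkeys named above): CheckedValue must be 1 for 'Show hidden files' to work,
    and Hidden=2 means hidden files are not displayed."""
    findings = []
    if checked_value != 1:
        findings.append("SHOWALL\\CheckedValue is %r (expected 1)" % checked_value)
    if hidden == 2:
        findings.append("Advanced\\Hidden is 2 (hidden files not shown)")
    return findings
```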
Payload
Downloads and Executes Arbitrary Files
The worm initiates a connection to "hxxp://chaccent.cn/task.asp?mac=[MAC address of the infected machine]" and downloads content to "%temp%\<random filename>.tmp". This content is then executed.