WORM_RJUMP.D

Malware type: Worm

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Medium

Infection Channel 1: Propagates via removable drives


Description: 

This worm usually arrives on a system as a file dropped by other malware.

Upon execution, it drops a copy of itself as ADOBER.EXE in the Windows folder.

It also creates a file named ADOBER.EXE.LOG in the folder where this worm executes.

It propagates by dropping a legitimate Microsoft file, as well as a copy of itself, in all removable drives.

Using a random TCP port, it allows a remote malicious user to connect to the affected system and execute several commands. The said routine provides the remote user virtual control over the affected system, thus compromising system security.

This worm is capable of stealing IP addresses. It saves the gathered information in the .LOG file mentioned earlier, then sends the said file to certain URLs.


Description created: Nov. 21, 2006 7:59:02 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 3,290,112 Bytes

Ports used: Random TCP ports

Initial samples received on: Oct 12, 2006

Payload 1: Compromises system security

Payload 2: Steals information

Details:

Installation and Autostart Technique

This worm usually arrives on a system as a file dropped by other malware.

Upon execution, it drops a copy of itself as ADOBER.EXE in the Windows folder.

It also creates a file named ADOBER.EXE.LOG in the folder where this worm executes.

This worm creates the following registry entry to ensure its automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RavAV = "%Windows%\ADOBER.EXE"

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Propagation via Removable Drives

This worm propagates by dropping the following files in all removable drives:

  • MSVCR71.DLL - legitimate Microsoft file
  • ADOBER.EXE - copy of itself

Backdoor Capabilities

Using a random TCP port, this worm allows a remote malicious user to connect to the affected system and execute the following commands:

  • Create or delete registry entries
  • Create threads
  • Download or execute files
  • Get file or system information
  • Stop or start services
  • Terminate processes

The said routine provides the remote user virtual control over the affected system, thus compromising system security.

Information Theft

This worm is capable of stealing IP addresses. It saves the gathered information in the .LOG file mentioned earlier, then sends the said file to the following URLs:

  • http://{BLOCKED}trocket.9966.org:5288/iesocks?peer_id=%s&port=%s&type=%s&ver=5cnicsH
  • http://{BLOCKED}trocket.kmip.net:5288/iesocks?peer_id=%s&port=%s&type=%s&ver=5cnict
  • http://{BLOCKED}trocket.kmip.net:5288/return?i
  • http://{BLOCKED}ipaper.kmip.net:80/iesocks?peer_id=%s&port=%s&type=%s&ver=5cnici

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Carlo Panganiban

Revision History:

First pattern file version: 3.842.01
First pattern file release date: Oct 12, 2006

SOLUTION


Minimum scan engine version needed: 8.000

Pattern file needed: 3.843.00

Pattern release date: Oct 13, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    ADOBER.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.

On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    RavAV = "%Windows%\ADOBER.EXE"
    (Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
  4. Close Registry Editor.

Deleting the Malware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    ADOBER.EXE.LOG
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.
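A defender-side check that covers the three manual steps above (running process, autostart entry, dropped files) plus the removable-drive indicator in one pass, as an added PowerShell example that is not part of the Trend Micro advisory. It assumes Windows XP or Server 2003 with PowerShell installed (Windows 98/ME have no PowerShell) and an administrative session, and only reports unless -Remediate is given.

```powershell
# Added example: detect (and optionally remove) the WORM_RJUMP.D artifacts named in the advisory.
# Assumes Windows XP / Server 2003 with PowerShell and an administrative session.
param([switch]$Remediate)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'RavAV'                               # autostart value written by the worm
$dropped   = Join-Path $env:windir 'ADOBER.EXE'    # %Windows%\ADOBER.EXE
$findings  = @()

# 1. Autostart entry: RavAV = "%Windows%\ADOBER.EXE"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $findings += "Run value '$valueName' = $($run.$valueName)"
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $valueName }
}

# 2. Running ADOBER.EXE process (the worm is memory resident)
foreach ($p in @(Get-Process -Name 'ADOBER' -ErrorAction SilentlyContinue)) {
    $findings += "Process ADOBER.EXE running, PID $($p.Id)"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 3. Dropped copy in the Windows folder and any ADOBER.EXE.LOG on the system drive.
#    The .LOG holds the gathered IP addresses; copy it aside first if you need it for IR.
$logs = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'ADOBER.EXE.LOG' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
foreach ($f in (@($dropped) + @($logs))) {
    if (Test-Path $f) {
        $findings += "File present: $f"
        if ($Remediate) { Remove-Item -Path $f -Force }
    }
}

# 4. Removable drives (DriveType 2) carrying ADOBER.EXE next to MSVCR71.DLL.
#    MSVCR71.DLL is a legitimate Microsoft file, so it is reported but never deleted.
foreach ($d in @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2')) {
    $exe = Join-Path $d.DeviceID 'ADOBER.EXE'
    if (Test-Path $exe) {
        $note = if (Test-Path (Join-Path $d.DeviceID 'MSVCR71.DLL')) { ' (with MSVCR71.DLL)' } else { '' }
        $findings += "Removable drive $($d.DeviceID) carries ADOBER.EXE$note"
        if ($Remediate) { Remove-Item -Path $exe -Force }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No WORM_RJUMP.D artifacts found.' }
```

Run it once without -Remediate to record what is present, then rerun with -Remediate and finish with a full pattern-file scan as the advisory describes.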

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_RJUMP.D. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
