Grafitti 0 Posted December 4, 2006

I'm puzzled as to why one of my computers has caught the RavMonE worm/virus, as I have a fully updated NOD32 running, and have also scanned it with McAfee, Norton, and TrendMicro. Nothing catches it, but it's there. It'll run in the system processes and the antivirus doesn't even recognise it. It propagates to all flash disks I stick in the computer.

It doesn't seem to be that difficult to remove: I disabled System Restore, deleted it from Windows, stopped it from running, got rid of the startup entry and all references in the registry, and it doesn't reappear when I restart the computer. So far, so good. But now if I take an infected flash disk and stick it in the computer, I'm back to square one, as the virus scan does nothing about it. I've also scanned with Lavasoft Ad-Aware and XSoftSpy, but to no avail.

Why doesn't it get caught, and what program can catch it for sure?
Markymark2 0 Posted December 4, 2006

Ok, well after doing a little research on the worm in question I can say it is because of Norton that you are infected!! Looks like Apple shipped iPods with this virus on the disk!!! hahaah even more reason to not use an iPod!!

Virus Profile: W32/RJump.worm

Virus Characteristics

-- Update October 17, 2006 --
W32/RJump.worm has been deemed Low-Profiled due to media attention at http://betanews.com/2006/10/17/apple-ships-ipods-with-windows-virus/

Upon execution, it creates a copy of itself into the Windows system directory:
%Windir%\RAVMON.EXE

Also creates a non-malicious "RavMonLog" file that contains the port number on which its backdoor component listens.

Adds the following values to the registry to auto start itself when Windows starts.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"RavAV" = "%Windir%\RAVMON.EXE"

Indications of Infection

W32/Rjump.worm creates a port exception for its backdoor component to bypass the built-in firewall of WinXP by executing the following netsh command.
%Windir%\%Sysdir%\cmd.exe /c netsh firewall add portopening TCP 16942 NortonAV
Note: The backdoor port opened is randomly chosen.

Posts IP address and backdoor port information from an infected machine back to the virus author via the following URL:
http://forums.xisto.com/no_longer_exists/.[Removed]:5288/iesocks?peer_id=%s&port=%s&type=%s&ver=4sD

Method of Infection

W32/Rjump.worm lists all mapped and removable storage drives on an infected system and drops the following files onto the root folder of the available drive:
autorun.inf --> used to autorun the worm when the drive is accessed
msvcr71.dll --> Clean Microsoft Visual Studio dll file
ravmon.exe --> copy of the worm

The contents of the autorun.inf are as follows:
[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\Auto\command=RavMonE.exe e
shell=Auto

Infection occurs when a removable storage device or a mapped drive hosting a copy of W32/Rjump.worm is accessed and the user agrees to the auto run prompt for execution of the worm.

It seems there's some code in that exe file that opens up Norton's firewall for a direct link with another IP address.. this is really not a good thing!!!

I will say to anyone to dump Norton and its pile of products, but here is actually a virus targeted at its users.. Please uninstall that crap and get a decent virus scanner... one that will probably catch your virus and many more that Norton has failed to find!!! Go here for AVG Free edition... one of the best AV products on the market and it's free!! I think this virus has been caught by AVG a few months ago and the latest release will take care of it.

Good luck and post back how AVG is amazing and kicked Norton's *bottom*
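An added example, not from the thread and not McAfee's code: the profile quoted above explains that the worm spreads by dropping an autorun.inf whose open, shellexecute and shell\Auto\command directives all launch an executable at the drive root, and by redirecting the default double-click verb (shell=Auto) to that command. The Python check below parses an autorun.inf from a drive root, reports which of those directives are present and whether their target file actually exists beside it, and flags the redirected default verb. The autorun.inf text and the empty RavMonE.exe/msvcr71.dll files it builds in a temporary directory are constructed from the profile for the demonstration; the function and variable names are my own.

```python
"""Inspect a removable drive root for autorun.inf directives that launch code.

Added illustration for the W32/RJump.worm profile quoted in the thread.
The sample autorun.inf below is constructed from that profile; the temp
directory stands in for a flash drive's root folder.
"""
import os
import tempfile

# autorun.inf directives that cause a program to run when the drive is
# opened, double-clicked, or auto-played.
EXEC_KEYS = ("open", "shellexecute", "shell\\auto\\command")

# Constructed sample: the autorun.inf contents listed in the McAfee profile.
SAMPLE_AUTORUN = """[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\\Auto\\command=RavMonE.exe e
shell=Auto
"""


def parse_autorun(text):
    """Return {key: value} for the [AutoRun] section, with keys lower-cased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def find_launch_targets(entries):
    """List (directive, program) pairs for every directive that launches code.

    Only the first token of the value is the program; the rest are arguments
    (the profile's 'e' argument, for example).
    """
    targets = []
    for key in EXEC_KEYS:
        if key in entries:
            tokens = entries[key].split()
            targets.append((key, tokens[0] if tokens else entries[key]))
    return targets


def assess_drive_root(root):
    """Return a list of human-readable findings for the directory `root`."""
    findings = []
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return findings  # nothing to auto-run from this drive
    with open(inf_path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    names = {n.lower() for n in os.listdir(root)}
    for key, target in find_launch_targets(entries):
        status = "present at root" if target.lower() in names else "missing"
        findings.append(f"{key}={target} ({status})")
    # shell=<verb> makes a custom verb the default double-click action; if a
    # shell\<verb>\command line also exists, a double-click runs that command.
    verb = entries.get("shell")
    if verb and f"shell\\{verb.lower()}\\command" in entries:
        findings.append(f"default verb '{verb}' redirected to shell\\{verb}\\command")
    return findings


def demo():
    """Build a constructed drive root in a temp directory and assess it."""
    root = tempfile.mkdtemp(prefix="fake_usb_root_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    for name in ("RavMonE.exe", "msvcr71.dll"):  # empty stand-ins, not malware
        open(os.path.join(root, name), "wb").close()
    return assess_drive_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine you would call assess_drive_root with the drive letter of the inserted device (for example "E:\\") instead of demo(); any launch directive whose target is present at the root is worth quarantining before the drive is opened in Explorer, which is exactly the step the original poster kept skipping by relying on the scanner alone.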
BuffaloHelp 24 Posted December 4, 2006

Try running FixWareout by following this article: http://forums.xisto.com/topic/43465-topic/?findpost=297041

Although the situation is different, FixWareout does a nice job of finding other hidden trojans in your system.

I would suggest that you format/delete your flash drive and all other infected external storage and perform your computer system flush at the end. This way you're not getting infected again when you insert your external storage devices.

Have you tried HijackThis to find out what else can be running in the background?
nightfox1405241487 0 Posted December 4, 2006

> Looks like Apple shipped Ipods with this virus on the disk!!! hahaah even more reason to not use an ipod!!

Care to share some information on that one?

[N]F
Markymark2 0 Posted December 5, 2006

Yeah, the link was in the post but here goes.. I heard about this a few weeks ago.. Read the article here..
yordan 10 Posted December 5, 2006 (edited)

It's removed by the standard McAfee VirusScan installation, see here: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=139985

If you don't have the McAfee full install, you may use their standalone virus remover named Stinger, which is here: http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Edited December 5, 2006 by yordan
Grafitti 0 Posted December 8, 2006

Ok, I tried the McAfee Stinger first. It might have worked, but I got fed up: after an hour of scanning it still wasn't finished with my C drive of only 160 GB. I didn't bother waiting around for the rest of my drives, which would come to another 400 GB. But the AVG Free install caught it in 5 minutes, so I must confess there's something AVG can do that NOD32 can't. Glad to be free of it finally.
Matoking1405241541 0 Posted March 11, 2007

You can try to delete it by going to Safe Mode. Then open Task Manager and select the Processes tab. If there is a process Ravmone.exe or similar, end that process. Then go deleting that crap. Use a virus scanner to scan your computer. If it finds ravmone, let it delete it. If it doesn't find out where ravmone is, delete it manually. When you have deleted ravmone and some other virus files, check processes again. If there is nothing relating to ravmone, everything could be okay. If there still is something like that, I can't help. ;)

Well, hope everything will be still okay.