Upon execution the worm copies itself to %WINDIR% as RavMonE.exe
and adds the value:
"RavAV" = "%WINDIR%\RavMonE.exe"
to the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
to make sure it's executed at startup.
It opens a backdoor on a random port and accepts remote commands.
It creates the non-malicious file RavMonLog to store the port number.
It post a HTTP request to let the attacker know about the infected computer's ip-address and the number of the port opened.
When a removable storage device is connected to the infected computer it copies the following files to that device:
autorun.inf (Script to make the worm execute the next time the removable device is connected to a computer)
msvcr71.dll (Clean dll)
ravmon.exe (A copy of the worm)
| 