FRISK Software International

Summary of W32/RJump
Discovered: 17 Oct 2006
Definition files: 17 Oct 2006
Risk Level: Low
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
W32/RJump is a backdoor worm that replicates by coping itself to removable storage devices such as USB-drives.

It made the news after Apple accidentally distributed it with some of its new iPods.

Technical Description
Upon execution the worm copies itself to %WINDIR% as RavMonE.exe

and adds the value:

"RavAV" = "%WINDIR%\RavMonE.exe"

to the registry key:


to make sure it's executed at startup.

It opens a backdoor on a random port and accepts remote commands.

It creates the non-malicious file RavMonLog to store the port number.

It post a HTTP request to let the attacker know about the infected computer's ip-address and the number of the port opened.

When a removable storage device is connected to the infected computer it copies the following files to that device:

autorun.inf (Script to make the worm execute the next time the removable device is connected to a computer)
msvcr71.dll (Clean dll)
ravmon.exe (A copy of the worm)

Removal Instructions
For general removal instructions please click here.

Marteinn Žór Haršarson

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)