[RESOLVED]- Rjump issue

[QEHNick]

We currently have lots and lots of PC's infected with Ravmon (aka Rjump).

For some odd reason Avast (all up to date etc) is not picking them up.

I read in THIS THREAD about turning up the Standard Shield scan to HIGH. Will this really help?

[sasin44]

hi...may be it is a varient...of the same please mail it to avast zipped with password.."virus" to
virus@avast.com
u can use 7z. its free
 http://www.7-zip.org/download.html
and one more question how did u come to know ur PC was infected.. do u have any other anti-virus??
and about ur standard shield question...
and from my personal experience
turning ur sensitivity to high actual helps in detecting the malware when the malware is present in the current explorer window..[ie:u dont have to point to it or click on it for detection]..it does not serve any other purpose..
and it kinda slows down ur os a bit..noticed it comps with less RAM

[polonus]

Hi GHENick,

You have to disable system restore, else this malware is restored after cleansing.
Disabling System Restore on Windows XP

IMPORTANT NOTES:

    * You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    * Turning off System Restore will clear out all previous restore points.

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.

Starting System Restore From a Command Prompt in Windows XP

1. Restart your computer or turn the computer on
2. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
3. Select the "Safe Mode with Command Prompt option" and press Enter
4. Log on to the computer with an administrator account
5. Type the following at the command prompt and press Enter

%systemroot%\system32\restore\rstrui.exe

6. Follow the onscreen instructions to restore your computer to an earlier time.

Re-enabling System Restore in Windows XP via the Group Policy Editor

In some cases, System Restore is disabled via the Group Policy Editor. In these cases, System Restore does not show up as a tab under My Computer Properties in Windows XP. If it doesnt show up, the question becomes how do you turn it on in the first place. To re-enable System Restore via the Group Policy Editor, follow these directions:

1) Start the Group Policy Editor by clicking on Start, Run and typing gpedit.msc in the Run box and pressing Enter
2) In the left hand column, click on Computer Configuration, Administrative Templates, System, System Restore
3) In the right hand column, set Turn off System Restore and Turn off Configuration to Disable
4) Minimize the Group Policy Editor
5) Right click on My Computer and Select Manage
6) In the right hand column, double click on Services and Applications, then Services
7) Find the System Restore Service and double-click to open
On the General tab set [Startup Type] to Automatic using the drop down list
9) Click the Start button to start the service
10) Close the Computer Management console
11) Maximize the Group Policy Editor and set Turn off System Restore and Turn off Configuration to Not Configured
12) Close Group Policy Editor and reboot the system.
13) Once the system is rebooted, Click on Start, Right-click on My Computer, click on Properties and the System Restore tab should appear again.
Disabling System Restore on
Windows Vista

To turn off Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Place a checkmark in the box for any drive you wish to enable System Restore on
7. Click OK
Microsoft Article on Viruses and _Restore Folder

polonus

[QEHNick]

Thanks for the replies, I should have been more clear in my first post.
It is detected when an "on demand" scan is run, however not "on access".
We became aware of it as our Webfiltering software was picking up enormous ammounts of attempted hits on a particular site, which turns out to be associated with RJUMP.
Checking out the suspect PC's revealed RAVMONE running in system memory.

None of the machines here have System restore active, by group policy we switched it off years ago just because of the virus problems.

[mauserme]

Do you get only memory detections, or file detections too?  If avast! is detecting infected files a boot scan may solve the problem, but if the computers are networked you will have to isolate them to avoid reinfection.

Also check removable drives, especially USB drives.

[QEHNick]

No memory detections at all, it will quite happily show in the task manager list, several times in fact.
Doing a on demand scan removes it.
And yes, the USB devices are a big issue, Avast doesn't pick it up from those unless you do an on demand scan too.
Then the USB device infects the computer, again, not detected by avast.
It's really peculiar, I've trusted Avast since day one, it's never let me down until now.

[mauserme]

If you mount the usb drive on an infected computer, isolote this from the network, and execute an on demand scan of all drives (inlcuding the usb device), will this not clean it?

[Lisandro]

Then the USB device infects the computer, again, not detected by avast.

I read in THIS THREAD about turning up the Standard Shield scan to HIGH. Will this really help?

Did you turn on the High sensibility and even in this case avast allows the infection of the computer?
Did you send the file for avast analysis?

[QEHNick]

Well I haven't considered sending the file to Avast as it is detected and removed when an on demand scan is done, so I assume that Avast will detect it, but it doesn't unless an on demand scan is run.

Setting the high sensetivity made no change.

[Lisandro]

Unless an on demand scan is run.
Setting the high sensetivity made no change.

Is this file packed (zip, arj, cab...) in any way?
The on-access scanning is less deep than the thorough on-demand scannings due to performance maintenance.

Did you try antitrojan, antispyware and specially antirootkit tools?

[QEHNick]

No, none of the above. There's nothing special about it at all, it's just R-JUMP (Ravmone).
It's not a case of it hiding, it's removed when a scan has been done.
Trouble is, re-infection occurs when a USB storage device (infected elsewhere) is plugged in. Avast! doesn't detect the initial infection UNTIL an on demand scan is done. Consequently it lingers around.
What I have done at the moment is schedule a scan every Friday lunchtime (I would do it more often but our users complain it affects their systems too much). This gets ruid of any infections, but due to the USB thing, it comes back within a couple of days.
If only Avast! would scan any inserted USB storage device immediately there wouldn't be this issue.

[sasin44]

well if avast does not detect it in the USB drive for some reason..u could consider the option of turning off the autorun(autoplay) option on pen drives..so when the pen drive is inserted u can scan the pen drive on demand and remove the virus from them..and if u plan it out by scaning all the systems during boot time..and removing all the viruses from the pen drives.at the same time..it should be gone for good....
steps to turn off autorun
1. Click Start > Run
2. Type “gpedit.msc”
3. Computer Configuration > Click “Administrative Templates” > Click “System” > Double-Click “Turn off Autoplay”
4. Setting tab > Check “Enabled” > Select “All drives” from the drop down menu > Apply > Ok
There are 4 easy steps to making sure that Autoplay (Autorun) is disabled on all your drives including the USB. That would remove the ability of people to insert a USB drive and automatically run a .exe on your computer by using a *.inf file.

and remember after insertin =g the pen drive U SHOULD RIGHT CLICK ON IT AND CHOSE THE "EXPLORE" OPTION....left clicking on it will cause the autorun of the virus...

and the my second thought is that maybe avast is not detecting it cos it may be a new varient.and may have a different signature...so please email it to avast..and explain ur problem to them in the body of the letter ....
 

[Lisandro]

If only Avast! would scan any inserted USB storage device immediately there wouldn't be this issue.

Use the High sensitivity level of Standard Shield.

[QEHNick]

If only Avast! would scan any inserted USB storage device immediately there wouldn't be this issue.

Use the High sensitivity level of Standard Shield.

I've had to turn that (high sensetivity) off because it impacts on the performance on some of our critical systems.
We've debated turning off autorun, and we will do it as soon as possible.
We have apporximatley 3000 USb storage devices on our network, getting users to scan them manually is not an easy task!

I will capture a Ravmon sample and send it on, but I anticipate it to be the run-of-the-mill flavour.

[QEHNick]

I haven't heard back from the lab.
Do they normally respond in person?
How will I know if the sample I submitted was a new variant or jus tthe old one?