[RESOLVED]- Rjump issue

[Lisandro]

To quote a famous yellow skinned balding father of 2.

Who is it?

"DOH"

I'm not English-native...

NHS!

I'm not English-native... I'm not following you. Sorry.

[DavidR]

NHS!

I'm not English-native... I'm not following you. Sorry.

NHS = UK National Health Service.

[Spyros]

To quote a famous yellow skinned balding father of 2.

"DOH"

To quote a famous yellow skinned balding father of 2.

Who is it?

"DOH"

I'm not English-native...

Homer Simpson? 

[Lisandro]

NHS = UK National Health Service.

Sorry David, makes no sense for me at the original post. I still does not understand.

Homer Simpson? 

Not following either

[DavidR]

It relates to the domain path which was preciously queried and a bit of a joke about the NHS in QEHNick's reference to faster, 'well not much faster' it is the NHS!, which isn't very fast.
In the UK, waiting lists to get treatment are long and waiting time in accident and emergency hours. So the comment is really only going to be understood by those in the UK.

Unfortunately you selective quote of NHS in isolation loses the context for saying NHS, so I only explained what you quoted.

Websense is used at work, It does a very good job. Better than our old webfilter. Cheaper too. Anything I source these days has to fulfill those criteria. Better faster, cheaper; well not so much the faster, this is the NHS!

Do you recognize the domain in these lines
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk

[QEHNick]

Yes sorry for the confusing nomenclature.

And Homer simpson has 3 kids not 2, so my bad!

[QEHNick]

Now I might be speaking too soon but...
It appears that Ravmone.exe is now being detected "ON-ACCESS"!!

There have been at least two VPS updates this weekend, did one of them fix the issue?

Can you let us know Vik?

Nick

[Lisandro]

Which is the virus name?
Check here: http://www.avast.com/eng/vps_history.html

[DavidR]

The virus name in in the previous posts, and was previously detected by avast on-demand scan but somehow failed to be detected by the on-access scanner.

This is just Nick giving feedback that it is now detected by the on-access scanner.

[QEHNick]

Had a reply from Vik

Yes I think they made some changes that it is now being picked up as "Trojan-Gen" as well... The problem is quite tricky, actually. The RJump thing is actually written in Perl and the executable hosts a whole (redistributable) Perl interpreter engine. As a result, it's quite tricky to detect - and is found only during a deep scan (which is not enabled for on-access).

[DavidR]

Thanks for the update, very sneaky little beggar indeed. Hopefully this will have helped avast to get a handle on it now it is detected by the on-access scan as you mentioned previously.