[RESOLVED]- Rjump issue

system · 2007-06-14T20:18:11.000Z

sasin44 post:36:

na the lab people dont respond…the only way ur sure that wat u mailed them has been noticed is they include it in the future updates… and the response is very slow…if the malware is of no serious threat…

QEHNick post:23:

Ondrej dropped me a line this morning for some more info, what a hero he is!

In this case they did …

@QEHNick

This has downloader capability and may be responsible for the trz##.tmp files. There are several tools we could run against it but I still recommend SDFix first.

Is there any chance of keeping those USB drives away from the PCs for now? They will just continually re-infect them (if I’m not mistaken files transfers from an infected USB drive carries some risk even with autorun turned off).

QEHNick post:35:

Still doesn’t answer why Avast! doesn’t detect “on access”.

No, it doesn’t. Nor does it make sense to allow the infection to continue while a solution to the scanning dilemma is being worked on.

It looks like you’ve had this problem since at least 22 March and, while I have every confidence if the ability of the analysts to solve the scanning dilemma, a two pronged approach seems logical.

Lisandro · 2007-06-14T21:26:25.000Z

QEHNick post:35:

Still doesn’t answer why Avast! doesn’t detect “on access”.

Please, team, drop a line about this… I’m curious too…

system · 2007-06-15T03:23:44.000Z

Tech post:38:

Please, team, drop a line about this… I’m curious too…

A little feedback would be nice …

system · 2007-06-15T07:50:38.000Z

I’m aware of RJUMP connecting to sites to download other malware. Luckily our Webfilter software (websense) blocks all attempts by any malware at connecting to these sites. So at least that avenue is closed to it.
All in all, it causes little impact on our systems, however, it is still an unwanted process.

system · 2007-06-15T11:54:13.000Z

QEHNick post:40:

Luckily our Webfilter software (websense) blocks all attempts by any malware at connecting to these sites. So at least that avenue is closed to it.

The presence of the infected *.tmp files implies otherwise but you’re certainly free to wait if you prefer.

Lisandro · 2007-06-15T12:06:07.000Z

QEHNick post:40:

Luckily our Webfilter software (websense) blocks all attempts by any malware at connecting to these sites.

Are you using it at home or at your office?
Does it work well and worth what you’ve payed for it?
Did you test other content filtering applications? Can you compare them?

Oh, maybe we’re hijacking the thread ;D

system · 2007-06-15T13:16:56.000Z

Tech post:42:

QEHNick post:40:

Luckily our Webfilter software (websense) blocks all attempts by any malware at connecting to these sites.

Are you using it at home or at your office?
Does it work well and worth what you’ve payed for it?
Did you test other content filtering applications? Can you compare them?

Oh, maybe we’re hijacking the thread ;D

Lets put it this way, after using Avast! at home, I sought out Avast! for our corporate network (1500+ machines) and it blew our previous AVS out of the water as regards to performance and cost.
I’ve had exemplary support from Ondrej and his team as well as support from a UK distributor (AVOSEC), I have no complaints about the product at all. Little mysteries like this are fuel for guys like Onrej. He thrives on it.

And yes, since it’s not causing any major problems, I’m happy to wait for the Avast! guys to come up with any ideas. Running rootKit discovery tools on tens of infected PC’s could take forever around here.

Lisandro · 2007-06-15T13:52:51.000Z

My curiosity was about the web filtering products and not about avast 8)

Tech post:42:

QEHNick post:40:

Luckily our Webfilter software (websense) blocks all attempts by any malware at connecting to these sites.

Are you using it at home or at your office?
Does it work well and worth what you’ve payed for it?
Did you test other content filtering applications? Can you compare them?

system · 2007-06-15T14:07:06.000Z

Tech post:44:

My curiosity was about the web filtering products and not about avast 8)

Tech post:42:

QEHNick post:40:

Luckily our Webfilter software (websense) blocks all attempts by any malware at connecting to these sites.

Are you using it at home or at your office?
Does it work well and worth what you’ve payed for it?
Did you test other content filtering applications? Can you compare them?

To quote a famous yellow skinned balding father of 2.

“DOH”

Websense is used at work, It does a very good job. Better than our old webfilter. Cheaper too. Anything I source these days has to fulfill those criteria. Better faster, cheaper; well not so much the faster, this is the NHS!

Lisandro · 2007-06-15T17:24:55.000Z

QEHNick post:45:

To quote a famous yellow skinned balding father of 2.

Who is it?

QEHNick post:45:

“DOH”

??? I’m not English-native… ???

QEHNick post:45:

NHS!

??? I’m not English-native… I’m not following you. Sorry.

DavidR · 2007-06-15T18:28:29.000Z

Tech post:46:

QEHNick post:45:

NHS!

??? I’m not English-native… I’m not following you. Sorry.

NHS = UK National Health Service.

system · 2007-06-16T07:26:20.000Z

QEHNick post:45:

To quote a famous yellow skinned balding father of 2.

“DOH”

QEHNick post:45:

To quote a famous yellow skinned balding father of 2.

Who is it?

QEHNick post:45:

“DOH”

??? I’m not English-native… ???

Homer Simpson? ;D

Lisandro · 2007-06-17T22:12:50.000Z

DavidR post:47:

NHS = UK National Health Service.

Sorry David, makes no sense for me at the original post. I still does not understand.

Spyros post:48:

Homer Simpson? ;D

Not following either ???

DavidR · 2007-06-17T23:28:04.000Z

It relates to the domain path which was preciously queried and a bit of a joke about the NHS in QEHNick’s reference to faster, ‘well not much faster’ it is the NHS!, which isn’t very fast.
In the UK, waiting lists to get treatment are long and waiting time in accident and emergency hours. So the comment is really only going to be understood by those in the UK.

Unfortunately you selective quote of NHS in isolation loses the context for saying NHS, so I only explained what you quoted.

Websense is used at work, It does a very good job. Better than our old webfilter. Cheaper too. Anything I source these days has to fulfill those criteria. Better faster, cheaper; well not so much the faster, this is the NHS!

Do you recognize the domain in these lines O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk

system · 2007-06-18T07:23:49.000Z

Yes sorry for the confusing nomenclature.

And Homer simpson has 3 kids not 2, so my bad!

system · 2007-06-18T07:29:17.000Z

Now I might be speaking too soon but…
It appears that Ravmone.exe is now being detected “ON-ACCESS”!! ;D :-*

There have been at least two VPS updates this weekend, did one of them fix the issue?

Can you let us know Vik?

Nick

Lisandro · 2007-06-18T19:28:42.000Z

Which is the virus name?
Check here: http://www.avast.com/eng/vps_history.html

DavidR · 2007-06-18T20:26:47.000Z

The virus name in in the previous posts, and was previously detected by avast on-demand scan but somehow failed to be detected by the on-access scanner.

This is just Nick giving feedback that it is now detected by the on-access scanner.

system · 2007-06-19T07:16:57.000Z

Had a reply from Vik

Yes I think they made some changes that it is now being picked up as "Trojan-Gen" as well... The problem is quite tricky, actually. The RJump thing is actually written in Perl and the executable hosts a whole (redistributable) Perl interpreter engine. As a result, it's quite tricky to detect - and is found only during a deep scan (which is not enabled for on-access).

DavidR · 2007-06-19T11:12:45.000Z

Thanks for the update, very sneaky little beggar indeed. Hopefully this will have helped avast to get a handle on it now it is detected by the on-access scan as you mentioned previously.

Announcements