IT: Latest findings of the despicable RavMon.exe virus and its mutant brothers (by myself)
IT – Information Technology
Hi, before you read any further, please note I’m no computer virus expert; in fact I’m an ill-destined victim of this “worm”, as it is rightfully called according to its characteristics. Please click here to learn the difference between a virus, a worm, a trojan and much more.

Worms are always prey for others, but now they are preying on others......
Before you decide to skip this “boring” blog entry, read the few lines below first; you won’t regret it...
1) Do you want your 512MB or 1GB thumb drive to be damaged all of a sudden, with no files accessible to you?
2) Do you visit Internet cafes often, equipped with an external storage device? If yes, the following content will rescue you from seeing your device go awry. It happened to me in Jakarta. It can happen to you too.
Read on…….. You’ll surely learn something to your advantage.
Last night till this morning was an exhausting time for me, as I spent several hours surfing the Internet looking for solutions to eradicate the worm RavMon.exe. My brother, who’s much more knowledgeable in IT stuff, alerted me to its presence. But as he was sick and had to sleep early, it was left to me, a computer virus layman, to tackle the problem alone.
A bit of history here... Some searches on the Internet revealed that it’s a relatively new worm which started to wreak havoc only this year. Surprisingly, it subsequently reached worldwide fame when a September 2006 shipment of Apple Video iPods was found to carry it. See here for more. Not too long ago really.
RavMon.exe, together with its mutants with varying suffixes, operates in the Windows environment and has actually been linked to a genuine anti-virus program.
As a result, I suppose it has somehow escaped the attention of most experts. Currently, it has been termed a not-so-malicious worm by leading anti-virus firms. However, most agree that its effects are still not fully known. I suspect future variants will be more powerful.
The good thing is that it can be deleted easily from your system if you follow a set of straightforward instructions. But for my thumb drive, which had accompanied me for about 2 years, it came a bit late...

The worm in action... Never realised it could kill until now... It may multiply very fast and eventually replace the files on your thumb drive. The start of the 1st Worm War?
How to know if your thumb drive contains a RavMon type worm:
1) A small file named RavMonLog is found in your directory. It can have any extension.
2) When your thumb drive has just been connected to the computer, the system seems to slow down drastically before the prompt menu appears offering to open the contents of the storage device. A few seconds later, you only see information on program files appearing on the screen, together with the next option, Take no action.
3) You are not able to delete the said file. This also means your computer/laptop has been infected.
4) If you ignore it, it may start to corrupt ALL your data by replicating files with funny-looking and unreadable names. In the attack on my thumb drive, these files came in pairs, each consistently about 3.8 MB. I lost 99% of my data, except for some files saved after the data corruption!
How to kill the worm, for WINDOWS XP. Other platforms are similar. (What I’m offering below is a layman’s description, easier for all to understand. It’s a gist of all the methods that I happened to have researched. It’s like a general method for tackling all types of virus attacks):
1) First, know how to remove your thumb drive properly to avoid any damage and to isolate the problem. Go to Windows Task Manager by pressing Shift+Ctrl+Esc. End the process RavMonE.exe, or any process whose name starts with RavMon. Then remove the thumb drive by clicking on the Safely Remove Hardware icon in the bottom right-hand corner. You should be able to remove it safely. DON’T remove the thumb drive without this step, as it may get damaged!
2) Reveal all hidden files and folders. To know how to do it, click here. Click the Start button, then click on Search to search for All files and folders. For RavMon, the related files to search for are: RavMon look-alikes, msvcr71.dll and autorun.inf.
3) As a precautionary measure, click Start, go to Run… and type regedit to access the Registry Editor. In the left column, open the path My Computer\......\Microsoft\Windows\CurrentVersion\Run and delete any entry that matches the 3 files in Step 2).
4) Click Start, go to Run… and type msconfig to access the System Configuration Utility. Click the Startup tab and untick any RavMon related entries. Click Apply, then OK. Reboot your system.
5) Once the system is up, repeat Step 1) to see if there’s still any RavMon process in the Windows Task Manager. You should not see any.
6) Now this is the tricky part… Insert your infected thumb drive into the USB port, but NEVER double left-click your mouse to view the directory of the thumb drive. It’ll invite the worm to return. Use the Take no action option.
7) Open the infected directory with a SINGLE right-click, then click Open. Never click on the 1st option, Autorun, as it will cause RavMon to be reloaded onto your computer and you’ll be back to square 1 again! Delete RavMonLog and all related files you can find using the search option. Remember to reveal the hidden files as you did in Step 2). Your thumb drive should be functional again.
8) As a safety measure, never ever double-click when you connect the thumb drive to the computer in future. Always do the single right-click on your mouse. This is especially true if you frequent internet cafes or use other people’s laptops.
By the way, below is the reason why we must never allow the external storage device to autorun. But it’s in Chinese, extracted from a webpage in China. Hope you can understand.
Open! Hehe!
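To put the checklist above (the RavMonLog marker, the RavMon look-alikes, msvcr71.dll and autorun.inf) and the autorun point into practice, here is an added example that is not from the original post: a small Python scanner that walks a removable volume, lists those indicator files whether hidden or not, and shows which commands an autorun.inf would launch on a double-click. The sample drive it builds is constructed for the demonstration; the file names and the autorun.inf contents are assumptions modelled on the post, not a real sample.

```python
import os
import tempfile

# Indicator names taken from the post: RavMon look-alikes, msvcr71.dll,
# autorun.inf and the RavMonLog marker file (which can have any extension).
INDICATOR_PREFIXES = ("ravmon",)
INDICATOR_NAMES = ("msvcr71.dll", "autorun.inf")


def parse_autorun(path):
    """Return {key: command} for the launch-capable keys in the [autorun] section."""
    launchers = {}
    section = None
    with open(path, encoding="latin-1") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
                continue
            if section == "autorun" and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                key = key.lower()
                # open=, shellexecute= and shell\...\command= all run a program
                if key in ("open", "shellexecute") or key.startswith("shell\\"):
                    launchers[key] = value
    return launchers


def scan_drive(root):
    """Walk a (removable) volume; os.walk lists hidden files too."""
    findings = {"files": [], "autorun": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            full = os.path.join(dirpath, name)
            if lname.startswith(INDICATOR_PREFIXES) or lname in INDICATOR_NAMES:
                findings["files"].append(os.path.relpath(full, root))
            if lname == "autorun.inf":
                findings["autorun"].update(parse_autorun(full))
    findings["files"].sort()
    return findings


def build_sample_drive():
    """Constructed stand-in for an infected thumb drive (assumed names, empty files)."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=RavMonE.exe\nshell\\open\\Command=RavMonE.exe\n")
    for name in ("RavMonE.exe", "RavMonLog.txt", "msvcr71.dll", "holiday.jpg"):
        open(os.path.join(root, name), "wb").close()
    return root


if __name__ == "__main__":
    print(scan_drive(build_sample_drive()))
```

Run against a real drive letter only after the process has been ended (Step 1) and with hidden files revealed; the scanner reports, it does not delete anything.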
That’s about it… I spent one sleepless night understanding how this worm works. The positive part is I’ve done a crash course in virus attacks!
Maybe in future, I can share more about anti-virus stuff. Cheers.