The Cocoon Man 天蚕人

Life is but many layers of cocoon. Great wonders await outside the thin layer of cocoon within you, break it apart to experience a whole new world! Break out of the cocoon, like a great master!

Tuesday, October 31, 2006

IT: Latest findings of the despicable RavMon.exe virus and its mutant brothers (by myself)

IT – Information Technology

Hi, before you read any further, please note I’m no computer virus expert, in fact I’m an ill-destined victim of this “worm”, as rightfully called according to its characteristics. Please click here to know the difference between virus, worm, trojan and much more.





Worms are always prey for others, but now they are preying on others......




Before you decide to skip this “boring” blog entry, read the few lines below first, you won’t regret it... ...
1) Do you want your 512MB or 1GB thumb drive to be damaged all of a sudden, with no files accessible to you?
2) Do you visit Internet cafes often, equipped with an external storage device? If yes, the following content will rescue you from seeing your device go awry. It happened to me in Jakarta. It can happen to you too.

Read on…….. You’ll surely learn something to your advantage.

Last night till this morning was an exhausting time for me as I spent several hours surfing the Internet to look for solutions to eradicate the worm RavMon.exe. Its presence was alerted by my brother, who’s much more knowledgeable in IT stuff. But as he was sick and had to sleep early, it was left to me, a computer virus layman, to tackle the problem alone.

A bit of history here... ... Some search engines on the Internet revealed that it’s a relatively new worm which started to wreak havoc only this year. Surprisingly it subsequently reached worldwide fame when a September 2006 shipment of Apple Video iPods was attacked by it. See here for more. Not too long ago really.

RavMon.exe, together with its mutants with varying suffixes, operates in the Windows environment and has actually been linked to an authentic anti-virus software.

As a result, I suppose it has somehow escaped attention from most experts. Currently, it has been termed as a not-so-malicious worm by leading anti-virus firms. However most agree that its effects are still not fully known. I suspect future variants will be more powerful.

The good thing is it can be deleted easily from your system if you follow a set of straight-forward instructions. But to my thumb drive which has accompanied me for about 2 years, it came a bit late... ...



The worm in action...... Never realised it can kill till now.... It may multiply very fast and eventually replace the files in your thumb drive. The start of the 1st Worm War?




How to know if your thumb drive contains RavMon type worm:
1) A small file RavMonLog is found in your directory. It can be of any extension.
2) When your thumb drive is just connected to the computer, the speed seems to have slowed down drastically before the prompt menu appears to open content of the storage device. But a few seconds later, you only see information on program files appearing on the screen, together with the next option Take no action.
3) You are not able to delete the said file. It also means your computer/laptop has been infected.
4) If you ignore it, it may start to corrupt ALL your data by replicating files with funny-looking and unreadable names. For the attack on my thumb drive, these files come in pairs, each is about 3.8 MB consistently. I lost 99% of my data, except for some files saved after the data corruption!

How to kill the worm, for WINDOWS XP. Other platforms are similar. (What I’m offering below is a layman description, easier for all to understand. It’s a gist of all the methods that I happened to have researched. It's like a general method to tackle all types of virus attacks):

1) First, know how to remove your thumb drive properly to avoid any damage and isolate the problem. Go to Windows Task Manager by pressing Shift+Ctrl+Esc keys. Delete the process RavMonE.exe or any name starting with RavMon. Then remove the thumb drive by clicking on the icon on the bottom right-hand corner Safely Remove Hardware. You should be able to remove it safely. DON’T remove the thumb drive without this step as it may get damaged!

2) Reveal all the hidden files and folders. To know how to do it, click here. Click the start button, then click on Search to search for All files and folders. For RavMon, the related files to be searched are: RavMon look-alikes, msvcr71.dll and autorun.inf.

3) As a precautionary measure, click start, go to Run… Type regedit to access the Registry Editor. On the left column, open the path My Computer\......\Microsoft\Windows\CurrentVersion\Run and delete any file similar to the 3 files in Step 2).

4) Click start, go to Run… Type msconfig to access the System Configuration Utility menu. Click Startup tab and unclick any RavMon related files. Click Apply then OK. Reboot your system.

5) Once system is up, repeat Step 1) to see if there’s still any RavMon file in the Windows Task Manager. You should not see any.

6) Now this is the tricky part……..Insert your infected thumb drive into the USB port but NEVER double left-click your mouse to view directory of the thumb drive. It’ll invite the worm to return. Use the Take no action option.

7) Open the infected directory by doing a SINGLE right-click and click Open. Never click on the 1st option Autorun as it will cause RavMon to be reloaded to your computer and you’ll be back to square 1 again! Delete RavMonLog and all related files you can find using the search option. Remember to reveal the hidden files as you have done in Step 2). Your thumb drive should be functional again.

8) As a safety measure, never ever double click when you connect the thumb drive to the computer in future. Always do the single right click on your mouse. This is very true if you always frequent internet cafes or use other people’s laptops.
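The file search in Step 2 and the Autorun warning in Steps 6 and 7 can be done without clicking on anything in the drive at all. The following is an added example, not part of the original post: it lists the indicator files the post names in a drive's root and reads `autorun.inf` as plain text to show which program a double-click would launch. The function names, the temporary sample directory and the sample `autorun.inf` contents are constructed for illustration.

```python
import os
import tempfile

# File names the post says to search for, matched case-insensitively.
EXACT = {"autorun.inf", "msvcr71.dll"}
PREFIX = "ravmon"  # RavMon.exe, RavMonE.exe, RavMonLog, ...
LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program


def parse_autorun(path):
    """Return launch-related [autorun] entries as {key: value}; nothing is executed."""
    with open(path, "rb") as handle:
        raw = handle.read()
    text = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1")
    section, found = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command entries add items to the drive's right-click menu.
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found[key] = value
    return found


def scan_drive_root(root):
    """List indicator files in the drive root (hidden ones too) and autorun launch targets."""
    hits, launches = [], {}
    for entry in os.scandir(root):
        name = entry.name.lower()
        if entry.is_file() and (name in EXACT or name.startswith(PREFIX)):
            hits.append(entry.name)
            if name == "autorun.inf":
                launches = parse_autorun(entry.path)
    return sorted(hits, key=str.lower), launches


def build_sample_drive():
    """Constructed stand-in for a thumb drive root; all file contents are dummies."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    inf = "[AutoRun]\r\nopen=RavMonE.exe\r\nshell\\Auto\\command=RavMonE.exe\r\nicon=x.ico\r\n"
    files = {"autorun.inf": inf, "RavMonE.exe": "", "RavMonLog": "", "msvcr71.dll": "", "notes.txt": ""}
    for name, body in files.items():
        with open(os.path.join(root, name), "w", newline="") as handle:
            handle.write(body)
    return root


if __name__ == "__main__":
    found, targets = scan_drive_root(build_sample_drive())
    print("indicator files:", found, "| autorun launch targets:", targets)
```

To check a real drive, pass its root (for example the drive letter Windows assigned) to `scan_drive_root`; listing and reading files this way does not trigger Autorun.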

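By the way, below is the reason why we must never allow the external storage device to autorun. It is extracted from a webpage in China and translated here from the original Chinese.

Actually, ravmon is not a virus. ravmon stands for Rising (瑞星), and it is one of Rising's automatic monitoring programs. Please note the word "automatic" here; the English word is auto.

The whole thing starts with a classmate around you who uses Rising anti-virus software. Because he selected the automatic monitoring program when using Rising anti-virus on his computer, when he uses his portable hard drive, Rising's ravmon (the automatic monitoring program) enters his portable hard drive and creates a program there, and at the same time creates a program under WINDOWS on drive C and runs it.

Up to this point everything seems normal, but what happens next is that this program is already on his portable hard drive. So when he next plugs his portable hard drive into someone else's computer, it is no longer an ordinary drive but a portable hard drive carrying an automatic monitoring program. At this point you cannot open the portable hard drive by double-clicking it, because its default first option (that is, the first item when you right-click the portable hard drive) is no longer "Open" but "auto" (the "automatic" I mentioned above), meaning automatic monitoring. So when you double-click at this point it will temporarily fail to open, because it is automatically creating and running its automatic monitoring program, that is, setting up Rising's monitoring program on your computer. Note!! This program can run independently of Rising, even if your computer has no Rising anti-virus software. So when you try to delete or format, you will be refused, because ravmon is already running on your computer, and so you cannot remove the hardware either (that is, unplug the USB). Note that you must never unplug the USB directly, because this irrational act is very likely to damage the portable hard drive and the computer. By now the computer already has the ravmon program, so other portable hard drives plugged into this machine will also be automatically monitored (which is what everyone calls being infected, catching the virus).

Actually, the solution is very simple. First go to the computer's Task Manager and end the ravmon.exe process, then go to WINDOWS on drive C and delete all ravmon files, then go to the portable hard drive and delete the ravmon files. You will then find that your drive can be safely removed, and there is no so-called "virus" on the computer or the portable hard drive any more. Then just reboot. Please note, when you plug in a portable hard drive in future, open it with the right mouse button first! Hehe!

If you still miss the old double-click to open, then you will just have to format the portable hard drive~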

That’s about it….. I spent one sleepless night to understand how this worm works. The positive part is I’ve done a crash course in virus attack!

Maybe in future, I can share more about anti-virus stuff. Cheers.

Thursday, October 26, 2006

Politics: “I’m truly sorry….” says SBY

Indonesian President Susilo Bambang Yudhoyono, a.k.a. SBY, has apologized to neighbouring countries in South East Asia for causing air pollution and unnecessary stress due to heightening levels of haze originating from burning spots in the largest Muslim-populated country of the world.





"I'm sorry." Straight from the heart, but the head says another thing.....







SBY’s action is apparently a gesture to seek forgiveness, as practiced by Muslims before the start of the Islamic New Year, where most Indonesians get to enjoy a 1-week break from work.

(A bit of digression here: Some friends in Jakarta have gone to the neighbouring city of Bandung to do shopping or to the highlands at Puncak for chalet-type holidays. Both places are within 3 hours’ journey from the capital, provided there’s no “macet” ie.traffic jam. For me, it’s back to Singapore to take care of some businesses.)

This official apology has been well-received by Singapore and Malaysian political leaders, although I don’t understand why our MM Lee KY wanted to praise him in the light that no concrete action has been taken by the Indonesian government thus far, just plain talk it seems.

Remember the Tsunami disasters in Banda Aceh, Sumatera, not too long ago? Hasn’t it been agreed that the Indonesian government shall put in place precautionary or early-warning measures in various parts of tsunami-prone regions so as to avoid a similarly devastating disaster? Have they done anything concrete so far? From what I know, they’ve been giving reasons or excuses as to why they have problems implementing the measures. Or is it a way to press for more funds from humanitarian groups or rich countries?! I do really fear for the next tsunami that will hit Indonesian shores. Touchwood!

This type of double-talk game is not uncommon in this part of the world. Indonesia is somewhat similar to China. The central government does the legislation but it is still up to the local regional leaders to fully implement it.

Who are the people burning the jungles? I don’t think it’s just simple, common folks who want to clear land for a living. Business conglomerates might be at work here, some of which do wield sizeable political influence. The powers of darkness which create the haze will still be there even after the burning spree ends with the arrival of the monsoons. This is the root of the problem. Hopefully our well-revered political leader can see through the haze.

I predict SBY will apologise for another 2 years before his presidential term ends in 2009.

Mark my word.

Sunday, October 22, 2006

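Commentary: Medan businessmen - a stain on Indonesian Chinese?

Since visiting Indonesia, I have often heard about the business practices of Medan people (from the 4th biggest city of Indonesia, Medan, Sumatera, with a population of 2 million) and about their poor reputation; they are indeed shunned by other ethnic Chinese.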


[A map showing the actual location of Medan city (the dot in the yellow region, with red lines connecting to it), a place where Chinese dominance is so pervasive that even local Indonesians of non-Chinese origin can speak in Hokkien, a Chinese dialect! By the way, it takes about 80mins to fly from Singapore to Medan, courtesy of SilkAir.]

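In Jakarta, the Indonesian capital, the sphere of influence of Medan businessmen is mainly in Pluit and Puri Indah in the north. Medan property tycoons once built luxury housing estates in the north on a large scale, which attracted many Medan people to move there. It is said that because they are all "fellow townsmen", the houses are sold at big discounts.

They usually communicate with one another in Hokkien, but the accent differs from Singapore's and is closer to the pronunciation of Penang, Malaysia.

The impressions Medan businessmen give others are along these lines: 1) big business swindlers who use large sums of capital for extortion and have no interest in small trades; 2) hardworking, eager to learn and exceptionally clever, but unreasonable and ruthless; 3) active in secret societies and illegal activities, fond of risk; and so on.

The following is a true incident that happened a few years ago, offered as a lesson:
Mr A was a currency and goods exchange trader, an upright man who valued his reputation and was well liked by his customers. One of those customers, Mr B, a Medan man, was something of a regular; over the past year he had often done foreign-exchange transactions with Mr A, and their working relationship had always been cordial.

On one occasion, Mr B suddenly asked Mr A to exchange US$80,000 in cash, but said he had no cash for the moment and asked Mr A to go with him to the bank to withdraw the equivalent amount in Indonesian rupiah at the market rate and transfer it into Mr A's bank account. Everything looked normal: Mr B queued inside the bank while Mr A watched from outside. But unexpectedly, when Mr A checked his account a few days later, he found that Mr B's money had never been credited, and he suddenly realised he had been cheated!

What is astonishing is that the Medan businessman was willing to spend a whole year preparing for this scam in order to win Mr A's trust!

Of course, we should not let this kind of fraud make us overlook all the upright and hardworking Medan businessmen. But I remind everyone that in business dealings, whether in Indonesia or Singapore, whether with Medan businessmen or anyone else, do not readily trust others before the money is in hand.

Finally, the reputation problem of Medan businessmen does not look like something that can improve within these few years. But after all, like most Indonesian Chinese, they successfully got through the financial crisis. Let us treat everyone alike for now! Does our Chinese culture not prize harmony above all?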

Monday, October 16, 2006

Insight: Difference between SIA & Garuda Airlines……..

Hi, met an interesting Indonesian friend a few days ago and he gave some fascinating remarks on these 2 airlines.

He is actually emigrating to Australia for good, to look for greener pastures together with his wife. So it’s not only we Singaporeans who want to leave their own country. It’s a phenomenon which seems to affect Chinese in other South East Asian countries as well.

(By the way, a substantial number of Indonesian Chinese have become Singapore Permanent Residents or PRs. This PR status is very easy to obtain due to the Foreign Talent Policy of the Singapore Government, definitely much easier and faster than getting a Green Card in USA! A recent newspaper report on latest wealth figures of Singaporeans mentioned that the drastic jump of millionaires in Singapore was attributed to the influx of Indonesians.)

Normally the first choice of airlines for Indonesians to visit Down Under is SQ or SIA. These people don’t mind making a stopover in the opposite direction at Changi Airport in Singapore. If no SQ flight is available, then they would request for Qantas, if still not available then it’s BA or British Airways. No Indonesians in their right frame of mind would want to be onboard Garuda on international flights, unless they are civil servants?!

Before the Suharto regime toppled in 1997, Garuda was the pride of Indonesia and it was one of the first airlines in the world to own some of the newest Boeing planes then. But a reliable source pointed out to me that the post-Suharto era may have resulted in a lower level of attention regarding maintenance of Garuda planes, possibly due to some subtle changes in government emphasis on the aviation industry. But the planes may still be considered safe, like most other international airlines, except for a few isolated disasters in the past decade as far as I know. (SIA also has had a major disaster in which hundreds died in Taiwan.)


... ... It's a bird, it's a plane, it's Garuda the Superbird!

One Example:
The landing pattern (pardon my terminology as I’m no expert in aviation knowledge) of a Garuda plane seems to be abrupt and shaky. It may also wobble on either side. This can be rather dangerous or fatal as the plane may lose balance on one side and skid out of the runway. Whereas for SQ planes, the touchdown is normally steady and controlled, with no feel of erratic vibration. People who travel frequently like me might be able to appreciate the difference.

However in-flight service of both airlines seems to be of the same excellent standard - “Bules” (Indonesian word for Caucasians or any other person with blue eyes, blonde hair, sharp nose and the like) will always be their 1st class passengers regardless of their seat classification.






... ...Fatal Attraction - Sorry, for "Bules" only


To conclude, preference for airlines is subjective and my sharing on the above shall in no way affect your objectivity in selecting Garuda or any other airline for your smooth journey from point A to point B.

Cheers.

Thursday, October 05, 2006

Insight: A tale of 2 cities

This is my umpteenth trip to Jakarta, Indonesia. Having seen and experienced much of the intricate and shocking realities of this city of 12 million inhabitants (excluding another 5 million who travel to Jakarta daily from the surrounding satellite towns), it’s high time I wrote something to my fellow Singaporeans…

Did you know that in Jakarta……….

….using a hand phone to call other hand phones can cost you about 30cents SGD per minute? The rates will be higher if you call to mobiles of a different operator and if you call to another city. We’re talking about big time operators that have already made S$ billions in the telecommunications industry in Indonesia. Imagine Singtel charging exorbitant rates but the Government doesn’t bother to say something?

On the other hand, there are some small operators who charge at unbelievably low rates, such as Fren, at less than 25cents SGD per hour (not per minute!), including calls made to different cities in Indonesia!

….Ministers can amass huge amounts of wealth and are normally immune to public outcry? (This sounds a bit familiar leh…) Take for example the recent mud disaster in Sidoarjo, located near Surabaya, the 2nd biggest city in Indonesia with a population of 8 million. I was in the small town before. (Famous for banana chips, and big salted fish, yaks or yummy?!)


The mud disaster in Porong, Sidoarjo. Fuming hot, oozing out from the ground. Scientists suspect it might be cancer-causing.

It was a major environmental disaster created by a mining conglomerate group linked to the family of the current Minister of Economy Mr Aburizal Bakrie. So far he has remained silent despite the wide publicity by the press. The irony is that a foreign environmental group, GreenPeace, took the initiative by dumping mud they collected at the disaster zone onto the gate of the minister’s office for his “bo-chap” attitude. The Indonesian President subsequently ordered the conglomerate to pay close to S$170 million for the recovery works.





Aburizal Bakrie: Filthy rich, it's ok but you've got no right to allow the land to be filthy dirty.......





….the normal office employee is paid about S$500-S$800 but the typical meals in shopping centres cost about S$2-S$5? KFC, Mac and BurgerKing all have prices comparable to that of Singapore. So who’s the lucky guy? We Singaporeans better don’t complain too much about rising living costs.

….going to the barber’s is as cheap as getting a meal? Normal salons charge about Rp12.000-20.000, about S$2-3.50, not to mention the roadside shops which charge much less. In Singapore the standard rate for us men is S$10.

….a taxi ride everyday will cost you more than owning a car?

….the most famous bird is called Blue Bird? Silver Bird is also well-known though it is black in colour. Actually these “Birds” are established taxi companies lah.

….pirated DVDs (Hollywood, Hongkie, X-rated, Classics, etc.) are sold openly at less than S$1, some even in 7-in-1 or 9-in-1 format. Computer software is also cheap. And no “teh-gu” (Police) to catch the hardworking entrepreneurs (or should I call them as such?), especially those selling the X-rated stuff.


(These “X-Men” seem so desperate for business, always grabbing attention from people who pass them by. Maybe their bosses implement daily quota system?!)

In all, their professionalism is worthy of emulation. Some “reputable” stalls have DVD players and computer terminals for buyers to test quality of the DVDs or software before purchase. Where got such high service standards for Singapore’s Pirate Industry?

There is more that I can write about, especially on the PSI of Jakarta and many others but have to stop here as this article has to be short and sweet. Cheers.

Wednesday, October 04, 2006

Update.........

Hi All,

Currently I'm in Jakarta, on business trip. Will be arranging for interview sessions with top entrepreneurs/business people and interesting personalities here. The aim is to provide international readers, especially from Singapore, an avenue to understand Indonesia better in terms of business, culture, people and more.

Hopefully the 1st interview will be out soon. Stay tuned.

Cheers!