The Cocoon Man 天蚕人

Life is but many layers of cocoon. Great wonders await outside the thin layer of cocoon within you; break it apart to experience a whole new world! Break out of the cocoon and rise like a titan!

Tuesday, October 31, 2006

IT: Latest findings of the despicable RavMon.exe virus and its mutant brothers (by myself)

IT – Information Technology

Hi, before you read any further, please note I’m no computer virus expert; in fact I’m an ill-fated victim of this “worm”, as it is rightfully called according to its characteristics. Please click here to learn the difference between a virus, a worm, a trojan and much more.

Worms are always prey for others, but now they are preying on others......

Before you decide to skip this “boring” blog entry, read the few lines below first, you won’t regret it... ...
1) Do you want your 512MB or 1GB thumb drive to be damaged all of a sudden, with no files accessible to you?
2) Do you visit Internet cafes often, equipped with an external storage device? If yes, the following content will rescue you from seeing your device go awry. It happened to me in Jakarta. It can happen to you too.

Read on…….. You’ll surely learn something to your advantage.

Last night till this morning was an exhausting time for me, as I spent several hours surfing the Internet looking for solutions to eradicate the worm RavMon.exe. Its presence was flagged by my brother, who’s much more knowledgeable in IT stuff. But as he was sick and had to sleep early, it was left to me, a computer virus layman, to tackle the problem alone.

A bit of history here... ... Some searching on the Internet revealed that it’s a relatively new worm which started to wreak havoc only this year. Surprisingly, it subsequently reached worldwide fame when a September 2006 shipment of Apple Video iPods was found to carry it. See here for more. Not too long ago really.

RavMon.exe, together with its mutants with varying suffixes, operates in the Windows environment and has actually been linked to an authentic anti-virus software.

As a result, I suppose it has somehow escaped the attention of most experts. Currently, it has been termed a not-so-malicious worm by leading anti-virus firms. However, most agree that its effects are still not fully known. I suspect future variants will be more powerful.

The good thing is that it can be deleted easily from your system if you follow a set of straightforward instructions. But for my thumb drive, which had accompanied me for about 2 years, it came a bit late... ...

The worm in action...... Never realised it can kill till now.... It may multiply very fast and eventually replace the files in your thumb drive. The start of the 1st Worm War?

How to know if your thumb drive contains a RavMon-type worm:
1) A small file RavMonLog is found in your directory. It can be of any extension.
2) When your thumb drive has just been connected to the computer, the computer seems to slow down drastically before the prompt to open the contents of the storage device appears. A few seconds later, you see only information about program files on the screen, together with the next option, Take no action.
3) You are not able to delete the said file. This also means your computer/laptop has been infected.
4) If you ignore it, it may start to corrupt ALL your data by replicating files with funny-looking and unreadable names. In the attack on my thumb drive, these files came in pairs, each consistently about 3.8 MB. I lost 99% of my data, except for some files saved after the data corruption!

How to kill the worm, for WINDOWS XP. Other platforms are similar. (What I’m offering below is a layman’s description, easier for all to understand. It’s a gist of all the methods that I happened to research. It's like a general method for tackling all types of virus attacks):

1) First, know how to remove your thumb drive properly to avoid any damage and to isolate the problem. Go to Windows Task Manager by pressing Shift+Ctrl+Esc. End the process RavMonE.exe or any process whose name starts with RavMon. Then remove the thumb drive by clicking on the Safely Remove Hardware icon in the bottom right-hand corner. You should be able to remove it safely. DON’T remove the thumb drive without this step, as it may get damaged!

2) Reveal all the hidden files and folders. To know how to do it, click here. Click the Start button, then click on Search to search for All files and folders. For RavMon, the related files to search for are: RavMon look-alikes, msvcr71.dll and autorun.inf.

3) As a precautionary measure, click Start, go to Run… Type regedit to open the Registry Editor. In the left column, open the path My Computer\......\Microsoft\Windows\CurrentVersion\Run and delete any entry similar to the 3 files in Step 2).

4) Click Start, go to Run… Type msconfig to open the System Configuration Utility. Click the Startup tab and untick any RavMon-related entries. Click Apply, then OK. Reboot your system.

5) Once the system is up, repeat Step 1) to see if there’s still any RavMon process in the Windows Task Manager. You should not see any.

6) Now this is the tricky part……..Insert your infected thumb drive into the USB port, but NEVER double-click to view the directory of the thumb drive. That will invite the worm back. Use the Take no action option.

7) Open the infected directory with a SINGLE right-click, then click Open. Never click on the 1st option, Autorun, as it will reload RavMon onto your computer and you’ll be back to square one! Delete RavMonLog and all related files you can find using the search option. Remember to reveal the hidden files as you did in Step 2). Your thumb drive should be functional again.

8) As a safety measure, never ever double-click when you connect the thumb drive to a computer in future. Always do the single right-click. This is especially true if you frequent internet cafes or use other people’s laptops.

By the way, below is the reason why we must never allow the external storage device to autorun. But it’s in Chinese, extracted from a webpage in China. Hope you can understand.

Actually, ravmon is not a virus. "ravmon" refers to Rising (瑞星), and it is one of Rising's automatic monitoring programs. Please note the word "automatic" here; the English word is auto.

The whole thing probably started with a classmate near you who uses Rising antivirus. Because he chose the automatic monitoring program when using the Rising antivirus on his computer, when he used his portable hard drive, Rising's ravmon (the automatic monitoring program) entered his portable drive and created a program there, and at the same time created a program under WINDOWS on drive C and ran it.

Up to this point everything seems normal, but what happens next is that this program is now on his portable drive, so when he plugs his portable drive into someone else's computer, his portable drive is no longer an ordinary drive but a drive carrying an automatic monitoring program. At this point you can no longer open the portable drive by double-clicking, because its default first option (the first item when you right-click the portable drive) is no longer "Open" but "auto" (the "automatic" I mentioned above), i.e. automatic monitoring. So if you double-click at this moment it temporarily won't open, because it is automatically creating and running its automatic monitoring program, that is, installing Rising's monitoring program on your computer. Note!! This program can run independently of Rising, even if your computer has no Rising antivirus installed. So when you try to delete or format, you will be refused, because ravmon is already running on your computer, and so you also cannot remove the hardware (i.e. unplug the USB). Note: never pull out the USB directly, because this rash action may well damage both the portable drive and the computer. The computer now carries the ravmon program, so any other portable drive plugged into this machine will also be automatically monitored (which is what people call "infected" or "caught a virus").

Actually the solution is simple: first go into the computer's Task Manager and end the ravmon.exe process, then go to WINDOWS on drive C and delete all ravmon files, then go to the portable drive and delete the ravmon files. At this point you will find that your drive can be safely removed, and there is no so-called "virus" on the computer or the portable drive any more; then just reboot the machine. Please note: in future, when you plug in a portable drive, open it with the right mouse button first! Heh heh!

If you still miss the old double-click-to-open, then you will just have to format the portable drive~
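The indicator list above and the quoted explanation both come down to one mechanism: an autorun.inf on the removable drive whose [autorun] directives launch a program and rewire the drive's default right-click action. The script below is an added example written for this post, not code from the blog or from any anti-virus vendor. It parses a constructed autorun.inf, lists the directives that launch a program, and checks a constructed directory listing (including hidden entries) and a constructed set of Run-key values for the file names the post names (RavMon*, RavMonLog, msvcr71.dll). All sample data, the function names and the verdict wording are assumptions made for the example; the script only reads text and file names handed to it and never runs anything from the drive.

```python
"""Checker for the RavMon-style indicators described in the post.

Added example, not code from the blog post or from any anti-virus vendor.
It only reads autorun.inf text and file names that the caller supplies.
All sample data below is constructed, not captured from a real infection.
"""
import configparser
import fnmatch
import ntpath

# File-name patterns the post associates with the worm (matched case-insensitively).
SUSPICIOUS_NAME_PATTERNS = ("ravmon*", "msvcr71.dll")
# autorun.inf keys whose value is a program to run on insert / double-click.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """[autorun] section of an autorun.inf as a lowercase-key dict.
    Returns {} for empty or malformed text or a missing section; the section
    name is matched case-insensitively ([autorun] and [AutoRun] both occur)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in parser.items(section)}
    return {}


def launch_directives(entries):
    """(key, command) pairs for every directive that launches a program.
    Besides open= and shellexecute=, a shell\\<verb>\\command= entry adds a
    context-menu item; with shell=<verb> it becomes the default double-click
    action, which is how "Open" gets replaced by "Auto" in the post."""
    return [(k, v) for k, v in entries.items()
            if v and (k in LAUNCH_KEYS
                      or (k.startswith("shell\\") and k.endswith("\\command")))]


def program_name(command):
    """Bare lowercase executable name: takes the leading quoted path or the
    first token, drops arguments and directories."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    return ntpath.basename(exe).lower()


def matches_indicator(name):
    """True when a file name matches one of the post's indicator patterns."""
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in SUSPICIOUS_NAME_PATTERNS)


def assess_drive(listing, autorun_text):
    """Assess one removable drive.
    listing: [{"name": str, "hidden": bool}, ...] from a scan that INCLUDES
             hidden entries (the worm hides its files; see Step 2).
    autorun_text: contents of autorun.inf, or None when the file is absent."""
    entries = parse_autorun(autorun_text) if autorun_text is not None else {}
    launches = launch_directives(entries)
    launched = {program_name(cmd) for _, cmd in launches}
    names = [f["name"] for f in listing]
    suspicious = sorted(n for n in names if matches_indicator(n))
    launched_present = sorted(n for n in names if n.lower() in launched)
    hidden = sorted(f["name"] for f in listing if f["hidden"] and
                    (matches_indicator(f["name"]) or f["name"].lower() == "autorun.inf"))
    if any(matches_indicator(n) for n in launched_present):
        verdict = "RavMon-style autorun worm indicators present"
    elif launches:
        verdict = "autorun.inf launches a program; open the drive via right-click > Open only"
    elif suspicious:
        verdict = "indicator files present without an active autorun.inf"
    else:
        verdict = "no RavMon indicators found"
    return {"launch_directives": launches, "launched_present": launched_present,
            "suspicious_files": suspicious, "hidden": hidden, "verdict": verdict}


def flag_startup_entries(run_values):
    """Names of Run-key / msconfig Startup entries (value name -> command)
    whose launched program matches an indicator pattern (Steps 3 and 4)."""
    return sorted(name for name, cmd in run_values.items()
                  if matches_indicator(program_name(cmd)))


# Constructed sample data (assumed for this example, not a real capture).
SAMPLE_AUTORUN = """[AutoRun]
open=RavMonE.exe
shellexecute=RavMonE.exe
shell\\Auto\\command="RavMonE.exe"
shell=Auto
"""
SAMPLE_LISTING = [
    {"name": "autorun.inf", "hidden": True},
    {"name": "RavMonE.exe", "hidden": True},
    {"name": "RavMonLog", "hidden": True},
    {"name": "msvcr71.dll", "hidden": True},
    {"name": "holiday_photos.zip", "hidden": False},
]
SAMPLE_RUN_KEY = {
    "RavMonE": "C:\\WINDOWS\\RavMonE.exe",           # constructed worm entry
    "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe",   # ordinary XP startup entry
}

if __name__ == "__main__":
    for key, value in assess_drive(SAMPLE_LISTING, SAMPLE_AUTORUN).items():
        print(f"{key}: {value}")
    print("startup entries to remove:", flag_startup_entries(SAMPLE_RUN_KEY))
```

The listing handed to assess_drive has to come from a scan that includes hidden entries; the post's Step 2 (reveal hidden files) is exactly what makes these names visible. Read the autorun.inf and the directory listing from a machine that has autorun disabled, or open the drive via right-click > Open as the post advises, so that inspecting the drive never triggers the directives the script is looking for.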

That’s about it….. I spent one sleepless night understanding how this worm works. The positive part is that I’ve done a crash course in virus attacks!

Maybe in future, I can share more about anti-virus stuff. Cheers.
