
Win32.MSNWorm.Rachel.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.MSNWorm.Rachel.A is also known as N/A.

Explanation :

This virus is an Internet worm that spreads through MSN Messenger by intercepting MSN Messenger messages.

The worm arrives through MSN Messenger in the following format:



If the user accepts the download and executes the file Rachel.exe, the virus takes control and creates the registry key HKLM\Software\MSNSPRD, where it keeps the already infected users and other information, and the entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Rachel] with value %path%Rachel.exe, where %path% is the path of the downloaded executable file.

Because of the Run entry, the virus runs itself at every restart and takes control of the user's MSN Messenger. After creating those keys, the virus displays the following error message:



and then waits for new MSN messages.

When a user sends a message to the infected user, the virus checks whether it has already sent a copy to that user and, if not, sends itself the same way it arrived on the currently infected machine.

The virus records every user to whom it tries to send itself in the following registry key:
HKLMSoftwareMSNSPRDUSRRqstSnt

This virus is not able to spread correctly because of an error in the way it registers users. Because of this error, it has very little chance of spreading.
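A check for the registry traces described above, added here as an example and not part of the original BitDefender description: it parses the text output of `reg query` and flags a Run value named Rachel, a Run value whose image is Rachel.exe, and any key carrying the MSNSPRD name. The function name `find_rachel_traces`, the sample output and the file paths in it are constructed for illustration.

```python
import re

# Value line of `reg query` output: 4-space indent, then name, type, data.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
EXE_RE = re.compile(r'([^\\/"]+?\.exe)', re.IGNORECASE)
RUN_SUFFIX = r"\microsoft\windows\currentversion\run"

# Constructed sample of `reg query HKLM\Software /s` output (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Rachel    REG_SZ    C:\Users\alice\Downloads\Rachel.exe
    Updater    REG_SZ    "C:\Temp\rachel.EXE" /background

HKEY_LOCAL_MACHINE\Software\MSNSPRD
    (Default)    REG_SZ    (value not set)

HKEY_LOCAL_MACHINE\Software\Vendor\Rachel
    Path    REG_SZ    C:\Apps\Rachel.exe
"""


def find_rachel_traces(reg_query_output):
    """Return (kind, key, detail) findings from `reg query` text output."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            # The worm's own bookkeeping key, matched on its name only.
            if "\\MSNSPRD" in key.upper():
                findings.append(("worm-key", key, ""))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_SUFFIX):
            continue  # only values directly under a ...\CurrentVersion\Run key
        exe = EXE_RE.search(m["data"])
        image = exe.group(1).lower() if exe else ""
        if m["name"].lower() == "rachel" or image == "rachel.exe":
            findings.append(("run-value", key, f'{m["name"]} -> {m["data"]}'))
    return findings


if __name__ == "__main__":
    for finding in find_rachel_traces(SAMPLE):
        print(finding)
```

The Run value is matched on either its name or its executable image, so a renamed value that still launches Rachel.exe is reported, while an unrelated key that merely contains a Rachel.exe path outside the Run key is not.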

Last update 21 November 2011
