
Win32.Rexli.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Rexli.A@mm is also known as W32/Rexli-A.

Explanation:

This is an Internet worm written in Visual Basic 6. It spreads via MS Outlook and mIRC.

The worm comes as an e-mail attachment in the following form:

Subject: Cool linki
Body: Przesylam ci znaleziona baze danych linków. Jest tam duzo stron, których na pewno nie znasz :)
(in English: "I'm sending you a database of links I found. There are lots of sites in it that you surely don't know :)")
Attachment: linki.exe

The message text is written in Polish, which suggests the author resides in Poland.

When executed, the virus displays a fake error message window containing the text
"Error while loading " followed by the name of the executable (usually linki.exe).

At the first run, the worm initializes some registry keys under
HKEY_CURRENT_USER\Software\VB and HKEY_CURRENT_USER\Software\VBA Settings\Rax, where it counts how many times it has been executed on the system.

The virus copies itself as rexec.exe and linki.exe and, in order to be executed at every restart, it adds the line Load=%systemdir%\REXEC.EXE to the [windows] section of win.ini, where %systemdir% is the system directory.

If the virus finds any version of mIRC installed, it rewrites the file script.ini so that the worm is sent to all of the victim's chat partners. This script was probably adapted by the author from the similar mIRC-spreading code used by VBS.LoveLetter.

Then it scans all drives and overwrites every .vbs file with a script that runs rexec.exe from the system directory. After this scan, it sends infected e-mails, in the format described above, to all contacts in the Outlook Address Book.
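The host-side artefacts described above (the win.ini Load= line, the run counter under the Rax registry key, and the overwritten .vbs files) can be checked for with a small triage script. The following is an added illustration, not BitDefender's code; the registry and the .vbs files are modelled as plain dicts with constructed sample content so the check runs offline on any platform.

```python
import configparser
import re

REXEC_RE = re.compile(r"rexec\.exe", re.IGNORECASE)
# Registry locations quoted in the description (backslashes restored);
# assumed to hold the per-run counter.
RAX_KEYS = (r"HKEY_CURRENT_USER\Software\VB",
            r"HKEY_CURRENT_USER\Software\VBA Settings\Rax")

def check_win_ini(text: str) -> bool:
    """True if the [windows] Load= line would start REXEC.EXE at logon."""
    # interpolation=None: win.ini values such as %systemdir% contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return REXEC_RE.search(cp.get("windows", "load", fallback="")) is not None

def check_vbs(body: str) -> bool:
    """True if a .vbs file has been replaced by a stub that launches rexec.exe."""
    return REXEC_RE.search(body) is not None

def triage(win_ini: str, registry: dict, vbs_files: dict) -> list:
    """Collect the Rexli indicators present on a (simulated) host."""
    findings = []
    if check_win_ini(win_ini):
        findings.append("win.ini: [windows] Load= launches rexec.exe")
    for key in RAX_KEYS:
        if key in registry:
            findings.append(f"registry: run counter under {key} = {registry[key]}")
    for path, body in vbs_files.items():
        if check_vbs(body):
            findings.append(f"{path}: .vbs overwritten with rexec.exe loader")
    return findings

# Constructed sample data for an offline run (not captured from a real infection).
SAMPLE_WIN_INI = "[windows]\nload=%systemdir%\\REXEC.EXE\nrun=\n[fonts]\n"
SAMPLE_REGISTRY = {r"HKEY_CURRENT_USER\Software\VBA Settings\Rax": "3"}
SAMPLE_VBS = {
    r"C:\scripts\backup.vbs": 'Set sh = CreateObject("WScript.Shell")\n'
                              'sh.Run "C:\\WINDOWS\\SYSTEM\\rexec.exe"\n',
    r"C:\scripts\clean.vbs": 'WScript.Echo "hello"\n',
}

if __name__ == "__main__":
    for line in triage(SAMPLE_WIN_INI, SAMPLE_REGISTRY, SAMPLE_VBS):
        print(line)
```

On a live Windows host, the same functions can be fed the real %windir%\win.ini, a winreg dump of HKEY_CURRENT_USER\Software, and the contents of .vbs files found on each drive.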

Last update 21 November 2011
