
Worm:Win32/Rebhip.A


First posted on 19 December 2012.
Source: Microsoft

Aliases :

Worm:Win32/Rebhip.A is also known as Trojan.Win32.Llac.aaf (Kaspersky), Win32/Spatet.A (ESET), Trj/Spy.YM (Panda).

Explanation :



Installation

Worm:Win32/Rebhip.A copies itself to your computer as the following file:

<system folder>\WinDefence\windefence32.exe

Note: <system folder> refers to a variable location that the malware determines at run time by querying the operating system. The default System folder is "C:\WinNT\System32" on Windows NT and 2000, and "C:\Windows\System32" on Windows XP, Vista, 7 and 8.

It creates the following registry entry so that it runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "WinDefence"
With data: "<system folder>\WinDefence\windefence32.exe"

It may also drop additional copies of itself at the following locations:

  • <system folder>\taskmanager\task.exe
  • <system folder>\install\system.exe
  • <system folder>\backup\winbackup.exe
  • <system folder>\windows\windows.exe
  • %windir%\install\update.exe


Worm:Win32/Rebhip.A may also start an Internet Explorer process ("iexplore.exe") and inject code into it. Activity performed by the injected code, such as network connections, then appears to originate from iexplore.exe rather than from windefence32.exe, which is worth remembering when reviewing process and firewall logs.

Spreads via...

Removable drives

Worm:Win32/Rebhip.A spreads by copying itself to all accessible removable drives using one of the following file names:

  • task.exe
  • system.exe
  • winbackup.exe
  • windows.exe
  • update.exe


The worm then writes an Autorun configuration file named "autorun.inf" to the drive, pointing to the worm copy. If the drive is later opened on a computer that honours Autorun for removable media, the worm is launched automatically. Note that Windows 7 and later, and Windows XP and Vista with the February 2011 AutoRun update (KB971029) applied, ignore autorun.inf on USB flash drives, so this vector relies on older or unpatched hosts, or on a user running the dropped file by hand.



Payload

Steals sensitive data

Worm:Win32/Rebhip.A may gather information about the infected computer, such as which security software is installed and which processes and services are running. It may also log keystrokes and harvest passwords. The collected data is sent to remote attackers.

Additional information

Worm:Win32/Rebhip.A makes the following additional registry change:

In subkey: HKCU\Software\SlysBitch
Sets value: "FirstExecution"
With data: "<current date and time>" (for example: "21/12/2009 -- 03:58")
Sets value: "NewIdentification"
With data: "SlysBitch"

It also creates the following files:

  • %Temp%\uuu.uuu
  • %Temp%\xxx.xxx


Both files contain the current computer time.
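The host-triage script below is an added example and is not Microsoft's code or part of this description. It sweeps a Windows host for every indicator listed above in one pass: the dropped copies and the Policies\Explorer\Run value from the Installation section, the worm copy and autorun.inf on any attached removable drive from the Spreads via section, and the SlysBitch marker key and %Temp% files from this section. The function names, the output layout and the autorun.inf parsing are my own; the script assumes PowerShell 3 or later (for Get-CimInstance) and should be run from an elevated session on the suspect host.

```powershell
# Added triage example (not Microsoft's code): sweep a Windows host for the
# Worm:Win32/Rebhip.A indicators listed in the description. Detection only;
# it does not remove anything. Function and variable names are mine.

$sysDir = [Environment]::SystemDirectory   # resolves the <system folder> placeholder
$winDir = $env:windir
$tmpDir = $env:TEMP

# Files the description says the worm drops.
$dropPaths = @(
    "$sysDir\WinDefence\windefence32.exe",
    "$sysDir\taskmanager\task.exe",
    "$sysDir\install\system.exe",
    "$sysDir\backup\winbackup.exe",
    "$sysDir\windows\windows.exe",
    "$winDir\install\update.exe",
    "$tmpDir\uuu.uuu",
    "$tmpDir\xxx.xxx"
)
# Names the worm uses for its copy on removable drives.
$wormNames = @('task.exe', 'system.exe', 'winbackup.exe', 'windows.exe', 'update.exe')

function Test-RebhipFiles {
    foreach ($p in $dropPaths) {
        if (Test-Path -LiteralPath $p) {
            $f = Get-Item -LiteralPath $p -Force   # -Force so hidden/system files are returned
            [pscustomobject]@{ Indicator = 'File'; Detail = $p
                               Extra = "size=$($f.Length) written=$($f.LastWriteTime)" }
        }
    }
}

function Test-RebhipRegistry {
    # Policies\Explorer\Run is honoured at logon like the ordinary Run key but is
    # inspected far less often, which is why it is worth checking explicitly.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            if ($prop.Name -eq 'WinDefence' -or $prop.Value -match 'windefence32\.exe') {
                [pscustomobject]@{ Indicator = 'Registry'; Detail = "$runKey\$($prop.Name)"; Extra = $prop.Value }
            }
        }
    }
    $markerKey = 'HKCU:\Software\SlysBitch'
    if (Test-Path $markerKey) {
        $m = Get-ItemProperty -Path $markerKey
        [pscustomobject]@{ Indicator = 'Registry'; Detail = $markerKey
                           Extra = "FirstExecution=$($m.FirstExecution) NewIdentification=$($m.NewIdentification)" }
    }
}

function Test-RebhipRemovable {
    # Win32_LogicalDisk DriveType 2 = removable. Look for the worm copy and for an
    # autorun.inf whose launch target points at it.
    foreach ($d in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
        $root = $d.DeviceID + '\'
        foreach ($n in $wormNames) {
            $candidate = Join-Path $root $n
            if (Test-Path -LiteralPath $candidate) {
                [pscustomobject]@{ Indicator = 'RemovableFile'; Detail = $candidate; Extra = '' }
            }
        }
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            # Every open=, shellexecute= or shell\<verb>\command= line is a launch target;
            # report all of them, and mark those that name a known Rebhip file.
            $targets = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=' }
            foreach ($t in $targets) {
                $hit  = ($wormNames | Where-Object { $t -match [regex]::Escape($_) }).Count -gt 0
                $note = if ($hit) { ' (matches a Rebhip file name)' } else { '' }
                [pscustomobject]@{ Indicator = 'Autorun'; Detail = $inf; Extra = $t.Trim() + $note }
            }
        }
    }
}

$findings = @(Test-RebhipFiles) + @(Test-RebhipRegistry) + @(Test-RebhipRemovable)
if ($findings.Count -eq 0) {
    'No Worm:Win32/Rebhip.A indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Hits on the WinDefence run value, the windefence32.exe path or the SlysBitch key are high-confidence; a lone system.exe or update.exe on a USB stick is only a lead and should be hashed and checked before anything is deleted. The autorun.inf parser deliberately reports every launch target, not just those matching the five names, because variants of the same family may use other file names. On Windows XP hosts without PowerShell 3, replace Get-CimInstance with Get-WmiObject; the rest of the script is unchanged.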



Analysis by Andrei Florin Saygo

Last update 19 December 2012
