Worm:Win32/Rebhip.A
First posted on 19 December 2012.
Source: Microsoft
Aliases:
Worm:Win32/Rebhip.A is also known as Trojan.Win32.Llac.aaf (Kaspersky), Win32/Spatet.A (ESET), Trj/Spy.YM (Panda).
Explanation:
Installation
Worm:Win32/Rebhip.A copies itself to your computer as the following file:
<system folder>\WinDefence\windefence32.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and W8 it is "C:\Windows\System32".
It creates the following registry entry so that it runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "WinDefence"
With data: "<system folder>\WinDefence\windefence32.exe"
It may also create the following additional copies on your computer:
- <system folder>\taskmanager\task.exe
- <system folder>\install\system.exe
- <system folder>\backup\winbackup.exe
- <system folder>\windows\windows.exe
- %windir%\install\update.exe
Worm:Win32/Rebhip.A may also open the Internet Explorer process, "iexplore.exe", and inject code into it.
Spreads via...
Removable drives
Worm:Win32/Rebhip.A spreads by copying itself to all accessible removable drives using one of the following file names:
- task.exe
- system.exe
- winbackup.exe
- windows.exe
- update.exe
The worm then writes an Autorun configuration file named "autorun.inf", pointing to the worm copy. If the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Steals sensitive data
Worm:Win32/Rebhip.A may gather various information about your computer, for example, what security software is installed, and which processes or services are currently running. It may also log keystrokes and gather passwords. Worm:Win32/Rebhip.A sends its collected data to remote attackers.
Additional information
Worm:Win32/Rebhip.A makes the following additional registry change:
In subkey: HKCU\Software\SlysBitch
Sets value: "FirstExecution"
With data: "<current date and time>" (for example: "21/12/2009 -- 03:58")
Sets value: "NewIdentification"
With data: "SlysBitch"
It also creates the following files:
- %Temp%\uuu.uuu
- %Temp%\xxx.xxx
Both files contain the current computer time.
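Added here as a defender's example, not part of the Microsoft write-up: a read-only PowerShell check for the indicators listed above (the Policies\Explorer\Run persistence value, the HKCU\Software\SlysBitch marker key, the dropped copies, the %Temp% files and a removable-drive autorun.inf pointing at one of the worm's file names). It assumes PowerShell 4 or later and runs as the user whose profile is being inspected, since the persistence key lives in HKCU.

```powershell
# Added detection check for the Worm:Win32/Rebhip.A indicators listed on this page.
# Read-only: reports matches, removes nothing. Run as the user to inspect (HKCU hive).
$findings = @()
# 1. Persistence: Policies\Explorer\Run value "WinDefence" in the current user's hive.
#    To sweep every loaded profile, iterate the subkeys of HKU:\ instead of HKCU:\.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $runKey) {
    $val = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).WinDefence
    if ($val) { $findings += "Run value WinDefence -> $val" }
}
# 2. Marker key HKCU\Software\SlysBitch with its FirstExecution / NewIdentification values.
$marker = 'HKCU:\Software\SlysBitch'
if (Test-Path $marker) {
    $p = Get-ItemProperty -Path $marker
    $findings += "Marker key present: FirstExecution='$($p.FirstExecution)' NewIdentification='$($p.NewIdentification)'"
}
# 3. Dropped copies under <system folder> and %windir%, plus the %Temp% time-stamp files.
$sys = [Environment]::GetFolderPath('System')   # resolves <system folder> on this host
$paths = @(
    "$sys\WinDefence\windefence32.exe",
    "$sys\taskmanager\task.exe",
    "$sys\install\system.exe",
    "$sys\backup\winbackup.exe",
    "$sys\windows\windows.exe",
    "$env:windir\install\update.exe",
    "$env:TEMP\uuu.uuu",
    "$env:TEMP\xxx.xxx"
)
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) {
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $findings += "File present: $f (SHA256 $h)"
    }
}
# 4. Removable drives (DriveType=2): an autorun.inf whose open=/shellexecute= line
#    launches one of the file names the worm uses when copying itself.
$names = 'task.exe','system.exe','winbackup.exe','windows.exe','update.exe'
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
    $inf = Join-Path $d.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $open = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute)\s*=\s*(.+)$' |
                ForEach-Object { $_.Matches[0].Groups[2].Value.Trim() }
        foreach ($o in $open) {
            if ($names -contains [IO.Path]::GetFileName($o)) { $findings += "autorun.inf on $($d.DeviceID) launches $o" }
        }
    }
}
if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } } else { Write-Output 'No Rebhip.A indicators found.' }
```

A hit on the Run value or the marker key alone is a strong signal; the generic file names in section 3 and 4 should be confirmed by hash or antivirus scan before any cleanup.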
Analysis by Andrei Florin Saygo
Last update 19 December 2012