Worm:Win32/Rebhip-A is a computer worm that will spread through removable drives like USB Flash Disk, External Hard Drives and Memory Stick. This worm may steal confidential data from infected computer including user name and password. Worm:Win32/Rebhip-A will send collected information to a series of remote computer depending on the variant that infects a system.

Alias: Trojan.Win32.Llac.aaf, Win32/Spatet.A, Trj/Spy.YM, Worm:Win32/Rebhip.A

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

When executed, Worm:Win32/Rebhip-A will drop a copy of itself on this location.
C:\Windows\System32 \WinDefence\windefence32.exe

Then, it also creates registry entry so that it can run automatically when Windows starts.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run=” WinDefence”

When loaded on victims computer, Worm:Win32/Rebhip-A will perform the following actions:

  • Gather operating system information
  • Monitor installed security programs like anti-virus and firewall
  • Logs running processes and services on the computer
  • Record key strokes and save a text log file
  • Steal user name and password

To send all gathered data, Worm:Win32/Rebhip-A will communicate to a predefined server and use various transmission method.

This worm may spread via spam email messages, unsafe file-sharing networks and instant messaging applications. It may also propagate locally by infecting removable drives dropping several malicious executable files. To run the file, Worm:Win32/Rebhip-A also drops an Autorun.Inf configuration file pointing to the copy of the worm. The worm will execute and spread on other removable drives once the compromised devices is accessed.

Leave a Reply

Your email address will not be published. Required fields are marked *