Worm:Win32/Rebhip-A

Worm:Win32/Rebhip-A is a computer worm that spreads through removable drives such as USB flash disks, external hard drives and memory sticks. This worm may steal confidential data from the infected computer, including user names and passwords. Worm:Win32/Rebhip-A sends the collected information to one of a series of remote computers, depending on the variant that infects the system.

Alias: Trojan.Win32.Llac.aaf, Win32/Spatet.A, Trj/Spy.YM, Worm:Win32/Rebhip.A

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
When executed, Worm:Win32/Rebhip-A drops a copy of itself at the following location:
C:\Windows\System32\WinDefence\windefence32.exe

It then creates a registry entry so that it runs automatically when Windows starts:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "WinDefence"

When loaded on the victim's computer, Worm:Win32/Rebhip-A performs the following actions:

  • Gather operating system information
  • Monitor installed security programs such as anti-virus and firewall software
  • Log the processes and services running on the computer
  • Record keystrokes and save them to a text log file
  • Steal user names and passwords

To send the gathered data, Worm:Win32/Rebhip-A communicates with a predefined server and uses various transmission methods.

Distribution
This worm may spread via spam email messages, unsafe file-sharing networks and instant messaging applications. It may also propagate locally by infecting removable drives, dropping several malicious executable files onto them. To get the file to run, Worm:Win32/Rebhip-A also drops an Autorun.inf configuration file pointing to the copy of the worm. The worm executes and spreads to other removable drives once the compromised device is accessed.

Added Registry Entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "WinDefence"
HKCU\Software\SlysBitch = "FirstExecution"
Associated Files and Folders:
[Drive]:\Autorun.inf
[Drive]:\task.exe
[Drive]:\system.exe
[Drive]:\winbackup.exe
[Drive]:\windows.exe
[Drive]:\update.exe
C:\Windows\System32\WinDefence\windefence32.exe
C:\Windows\System32\taskmanager\task.exe
C:\Windows\System32\install\system.exe
C:\Windows\System32\backup\winbackup.exe
C:\Windows\System32\windows\windows.exe
C:\Windows\install\update.exe
C:\Documents and Settings\\Local Settings\Temp\uuu.uuu
C:\Documents and Settings\\Local Settings\Temp\xxx.xxx
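A defender-side check for the Autorun.inf propagation described under Distribution, matching the files an Autorun.inf would launch against the dropper names in the list above. This is an added example, not content from the original write-up; the two Autorun.inf texts it scans are constructed, and the launch keys it inspects are standard Autorun.inf keys rather than anything specific to this worm.

```python
# Added example, not code from the write-up: flag an Autorun.inf that launches
# one of the dropper names listed above. Both sample .inf texts are constructed.
import configparser
import shlex
from pathlib import PureWindowsPath

# Executable names this write-up lists at the root of infected removable drives.
REBHIP_DROPPER_NAMES = {"task.exe", "system.exe", "winbackup.exe", "windows.exe", "update.exe"}
# Autorun.inf keys that name a file to execute (icon/label keys launch nothing).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict with lowercase keys, or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # ConfigParser lowercases option names by default
    for section in cp.sections():
        if section.lower() == "autorun":  # section name is case-insensitive on Windows
            return dict(cp.items(section))
    return {}

def launched_executables(autorun: dict) -> set:
    """Basenames of every file the parsed Autorun.inf would launch."""
    names = set()
    for key in LAUNCH_KEYS:
        value = autorun.get(key, "").strip()
        if not value:
            continue
        try:  # posix=False keeps backslashes literal, e.g. '".\\task.exe" /s'
            first = shlex.split(value, posix=False)[0]
        except ValueError:  # unbalanced quote in a junk-filled inf: naive split
            first = value.split()[0]
        names.add(PureWindowsPath(first.strip('"')).name.lower())
    return names

def matches_rebhip_pattern(autorun_text: str) -> set:
    """Launched files that match the dropper names listed in this write-up."""
    return launched_executables(parse_autorun(autorun_text)) & REBHIP_DROPPER_NAMES

# Constructed sample in the shape the write-up describes (not a real capture).
SUSPICIOUS_INF = "[autorun]\nopen=task.exe\nshell\\open\\command=task.exe\n" \
                 "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
# Constructed benign sample: sets only an icon and label, launches nothing.
BENIGN_INF = "[AutoRun]\nicon=setup.ico\nlabel=Backup Drive\n"

if __name__ == "__main__":
    for label, inf in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        hits = matches_rebhip_pattern(inf)
        print(f"{label}: {', '.join(sorted(hits)) if hits else 'no match'}")
```

On a live system the same functions can be fed the contents of `[Drive]:\Autorun.inf` read from each removable drive; a hit means the drive should be scanned and cleaned before its contents are opened.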

How to Remove Worm:Win32/Rebhip-A

1. Temporarily Disable System Restore (Windows Me/XP).
2. To identify even the most recent variant of Worm:Win32/Rebhip-A, open your antivirus application and update the virus definitions.

3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 repeatedly.
- The Windows Advanced Boot Options menu is displayed. Select Safe Mode with Networking.
- Windows boots loading only the necessary drivers and system files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items; if they cannot be deleted, place them in quarantine instead. Once the scan is complete, proceed with the next step.

Scan with Norton Power Eraser:

Norton Power Eraser, a free tool from Symantec, provides deep scanning technology to detect and remove threats like Worm:Win32/Rebhip-A. NPE targets and eliminates threats that a regular virus scan fails to identify. Download NPE from Symantec.

Important! Because of Norton Power Eraser's aggressive method, it can flag even legitimate files as suspicious. Please use this tool very carefully.

What to do next...