Installation
This threat drops a copy of itself to a folder with a random file and folder name, such as:
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{<GUID>}
Sets value: "StubPath"
With data: "<location and name of malware file>.exe restart"
For example:
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}
Sets value: "StubPath"
With data: "%windir%\system32\install\server.exe restart"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Policies"
where the value might vary for some samples
With data: "<location and name of malware file>.exe restart"
For example: "%windir%\system32\install\server.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Policies"
where the value might vary for some samples
With data: "<location and name of malware file>.exe restart"
For example: "%windir%\system32\install\server.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Random>"
where the value can be HKLM or a dropped file name
With data: "<location and name of malware file>.exe restart"
For example: "%windir%\system32\install\server.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Random>"
where the value can be HKCU or a dropped file name
With data: "<location and name of malware file>.exe restart"
For example: "%windir%\system32\install\server.exe"
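To help an analyst pick these entries out of a registry export, here is an added example written for this page (not Microsoft's own tooling) that parses a .reg export and flags the persistence entries above. It also covers the ZoneMap "ProxyBypass" change and the "FirstExecution" / "NewIdentification" markers described later on this page. The sample export, the benign OneDrive entry and the rule labels are constructed for illustration; the GUID is the one quoted above.

```python
import re

# Constructed .reg export (not taken from a real system): the Rebhip entries
# described on this page plus one benign Run entry that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}]
"StubPath"="%windir%\\system32\\install\\server.exe restart"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"="%windir%\\system32\\install\\server.exe restart"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU"="%windir%\\system32\\install\\server.exe restart"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001

[HKEY_CURRENT_USER\Software\SlysBitch]
"FirstExecution"="15/09/2014 -- 15:03"
"NewIdentification"="SlysBitch"
'''

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Yield (key, value name, data) from a .reg export; handles string and dword values."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            for long_name, short_name in HIVES.items():
                if key.upper().startswith(long_name):
                    key = short_name + key[len(long_name):]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            data = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')  # undo .reg escaping
        elif raw.lower().startswith("dword:"):
            data = int(raw[6:], 16)
        else:
            data = raw
        yield key, name, data

BASE = r"\Software\Microsoft\Windows\CurrentVersion"
RUN_KEYS = {(h + BASE + r"\Run").lower() for h in ("HKLM", "HKCU")}
POLICY_RUN_KEYS = {(h + BASE + r"\Policies\Explorer\Run").lower() for h in ("HKLM", "HKCU")}
ZONEMAP_KEY = ("HKCU" + BASE + r"\Internet Settings\ZoneMap").lower()
ACTIVE_SETUP_RE = re.compile(r"^HKLM\\Software\\Microsoft\\Active Setup\\Installed Components\\\{[^}]+\}$", re.I)
RESTART_ARG_RE = re.compile(r"\.exe\s+restart$", re.I)

def find_rebhip_indicators(reg_text):
    """Return (key, name, data, reason) for every entry matching the patterns on this page."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        restart_launch = isinstance(data, str) and RESTART_ARG_RE.search(data) is not None
        if ACTIVE_SETUP_RE.match(key) and name.lower() == "stubpath" and restart_launch:
            reason = "Active Setup StubPath runs an executable with a 'restart' argument"
        elif k in POLICY_RUN_KEYS:
            reason = "Policies\\Explorer\\Run entry (rarely populated legitimately)"
        elif k in RUN_KEYS and (restart_launch or name.upper() in ("HKLM", "HKCU")):
            reason = "Run entry named after a hive or launching with 'restart'"
        elif k == ZONEMAP_KEY and name.lower() == "proxybypass" and data == 1:
            reason = "ZoneMap ProxyBypass set to 1"
        elif k.startswith("hkcu\\software\\") and name in ("FirstExecution", "NewIdentification"):
            reason = "Rebhip installation marker (key name varies in newer samples)"
        else:
            continue
        findings.append((key, name, data, reason))
    return findings

if __name__ == "__main__":
    for key, name, data, reason in find_rebhip_indicators(SAMPLE_REG):
        print(f"{reason}\n    {key}\\{name} = {data!r}")
```

The rules key on the shape of the data (an .exe launched with a literal "restart" argument, a Run value named after a hive, a populated Policies\Explorer\Run key) rather than on the "server.exe" path alone, because the folder and file names are random per sample. Run the script against `reg export` output of the keys listed above; anything it reports should be confirmed against the file on disk.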
This threat might also open an Internet Explorer or Windows Explorer process (iexplore.exe or explorer.exe) and inject code into it. The injected code is a .dll component payload that is extracted from the dropped copy of the malware.
It also creates the following mutexes. These could be infection markers that prevent more than one copy of the threat from running on your PC:
- <USER NAME><RANDOM DIGIT>, for example: Administrator2
- _x_X_UPDATE_X_x_
- _x_X_PASSWORDLIST_X_x_
- _x_X_BLOCKMOUSE_X_x_
- ***<mutex name>***
- ***<mutex name>***_PERSIST
- ***<mutex name>***_SAIR
where "<mutex name>" can be a random string of letters and numbers
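Because two of the mutex names vary (the user name plus a digit, and the random starred string), a plain string match misses them. The following is an added example, not Microsoft's code, that turns the list above into patterns and classifies a mutex listing such as a sandbox report or handle enumeration would produce. The sample listing and the benign look-alike names are constructed.

```python
import re

def rebhip_mutex_rules(user_name):
    """Compile the mutex-name patterns listed above for the given logged-on user name."""
    return [
        ("user name followed by one digit", re.compile(rf"^{re.escape(user_name)}\d$", re.I)),
        ("fixed Rebhip mutex", re.compile(r"^_x_X_(UPDATE|PASSWORDLIST|BLOCKMOUSE)_X_x_$")),
        ("starred random name, optionally _PERSIST or _SAIR",
         re.compile(r"^\*\*\*[A-Za-z0-9]+\*\*\*(?:_PERSIST|_SAIR)?$")),
    ]

def classify_mutexes(mutex_names, user_name):
    """Return (name, rule label) for each mutex that matches a Rebhip pattern."""
    rules = rebhip_mutex_rules(user_name)
    hits = []
    for full_name in mutex_names:
        # Strip object-manager prefixes (Global\ or \Sessions\1\BaseNamedObjects\)
        # so names reported by different tools compare the same way.
        short = full_name.rsplit("\\", 1)[-1]
        for label, pattern in rules:
            if pattern.match(short):
                hits.append((full_name, label))
                break
    return hits

# Constructed mutex listing; the last three entries are benign look-alikes
# that must not match.
SAMPLE_MUTEXES = [
    "Administrator2",
    "_x_X_UPDATE_X_x_",
    "_x_X_PASSWORDLIST_X_x_",
    r"\Sessions\1\BaseNamedObjects\_x_X_BLOCKMOUSE_X_x_",
    "***kqzt81***",
    "***kqzt81***_PERSIST",
    "***kqzt81***_SAIR",
    "Administrator",          # no trailing digit
    "_x_X_UPDATE_X_x_extra",  # trailing junk
    r"Global\MSCTF.Asm.MutexDefault1",
]

if __name__ == "__main__":
    for name, label in classify_mutexes(SAMPLE_MUTEXES, "Administrator"):
        print(f"{name}: {label}")
```

The patterns are anchored at both ends on purpose: the fixed names are distinctive, but an unanchored match on "_x_X_UPDATE_X_x_" would also fire on unrelated names that merely contain it.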
Spreads via...
Removable drives
This worm spreads by copying itself with one of the following file names to all accessible removable drives:
- system.exe
- task.exe
- update.exe
- winbackup.exe
- windows.exe
It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection, because legitimate programs also use them.
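A removable-drive check therefore needs to weigh the autorun.inf together with what it launches. The following added example (written for this page, not Microsoft's own tool) builds a constructed imitation of an infected drive root in a temporary directory, parses its autorun.inf and rates only the combination with one of the file names listed above as high; an autorun.inf that launches some other local file is reported as informational. The file contents are placeholders, not a real executable.

```python
import os
import tempfile

# File names this worm uses on removable drives (from the list above)
REBHIP_DROP_NAMES = {"system.exe", "task.exe", "update.exe", "winbackup.exe", "windows.exe"}
# autorun.inf keys that can launch a program when the drive is connected
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text):
    """Return the key=value entries of the [autorun] section, keys lowercased."""
    entries, in_autorun = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def scan_drive_root(root):
    """Return (severity, detail) findings for a drive root directory."""
    findings = []
    present = {name.lower() for name in os.listdir(root)}
    for name in sorted(REBHIP_DROP_NAMES & present):
        findings.append(("high", f"known Rebhip file name in drive root: {name}"))
    if "autorun.inf" in present:
        with open(os.path.join(root, "autorun.inf"), encoding="utf-8", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        for key in LAUNCH_KEYS:
            parts = entries.get(key, "").split()
            if not parts:
                continue
            target = parts[0].strip('"')
            target_name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if target_name in REBHIP_DROP_NAMES:
                findings.append(("high", f"autorun.inf {key}= launches {target}"))
            elif target_name in present:
                # Legitimate software ships autorun.inf too, so this alone is only informational
                findings.append(("info", f"autorun.inf {key}= launches local file {target}"))
    return findings

def build_sample_drive(root):
    """Populate a directory with a constructed imitation of an infected drive root."""
    with open(os.path.join(root, "update.exe"), "wb") as fh:
        fh.write(b"MZ placeholder - not a real executable")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\nopen=update.exe\nshellexecute=update.exe\nicon=update.exe,0\n")
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(b"not really an image")

def demo():
    """Build the sample drive in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return scan_drive_root(root)

if __name__ == "__main__":
    for severity, detail in demo():
        print(severity.upper(), detail)
```

To use it on a real drive, call `scan_drive_root` with the drive root (for example `E:\`) instead of `demo()`. Disabling Autorun for removable media removes the launch path entirely, which is the mitigation this spreading method depends on.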
Payload
Steals sensitive data
Worm:Win32/Rebhip.A can gather sensitive information about your PC, such as:
- System information, including:
  - Computer name
  - CPU and memory information
  - IP address
  - Network adapter
  - Operating system
- List of running processes
- Installed antivirus or security software
- RAS user accounts
- Mozilla Firefox user names and passwords
- Google Chrome user names and passwords
- MSN settings and contact list
- FTP accounts
It stores some of the data it collects in the following files:
| Files | Notes |
| --- | --- |
| %TEMP%\xx--xx--xx.txt | Contains logged data |
| %APPDATA%\<user name>.dat | Contains logged data, filename |
| %APPDATA%\<random>.dat | Contains logged data, for example: logs.dat |
| %TEMP%\<user name><digit>.txt | For example: administrator2.txt |
| %TEMP%\UuU.uUu | Contains current computer time in HH:MM:SS format |
| %TEMP%\XxX.xXx | Contains current computer time in HH:MM:SS format |
It sends the logged and collected information to a remote server. Some of the command and control (C&C) servers we have seen it try to connect to in the wild are:
- extremesc.no-ip.org
- hopto.dynu.com
- mateusmacedo.no-ip.org
- ralacapeta.no-ip.biz
- zerocool6.no-ip.biz
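The hostnames above are the strongest network indicator, but they all sit under dynamic DNS services that plenty of legitimate users share, so a query to the parent zone alone is only a weak signal. The following added example (not Microsoft's code) runs both checks over resolver log lines and lists the clients that need triage first. The log layout ("timestamp client query[type] name") and every line in it are constructed; the assumption that a query to one of those dynamic DNS zones deserves a low-severity alert is this example's, not the page's.

```python
import re

# Hostnames listed above as Rebhip command-and-control servers
REBHIP_C2_HOSTS = {
    "extremesc.no-ip.org",
    "hopto.dynu.com",
    "mateusmacedo.no-ip.org",
    "ralacapeta.no-ip.biz",
    "zerocool6.no-ip.biz",
}
# Dynamic DNS zones those hosts live under (assumption: treat as a weak signal only)
DYNDNS_SUFFIXES = (".no-ip.org", ".no-ip.biz", ".dynu.com")

# Constructed resolver log; the last line checks that non-query records are skipped
SAMPLE_DNS_LOG = """\
2014-09-15T15:03:01Z 10.0.0.23 query[A] extremesc.no-ip.org
2014-09-15T15:03:02Z 10.0.0.23 query[A] www.microsoft.com
2014-09-15T15:03:05Z 10.0.0.41 query[A] homecam.no-ip.biz
2014-09-15T15:04:10Z 10.0.0.23 query[A] ZEROCOOL6.no-ip.biz.
2014-09-15T15:04:11Z 10.0.0.52 query[AAAA] update.example.net
this line is not a query record
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[(?P<rtype>[A-Z]+)\]\s+(?P<qname>\S+)$")

def normalize_qname(qname):
    """Lower-case and drop the trailing dot so 'ZEROCOOL6.no-ip.biz.' matches the list."""
    return qname.lower().rstrip(".")

def classify_query(qname):
    """Return (severity, reason) for a queried name, or (None, None) if it is uninteresting."""
    q = normalize_qname(qname)
    if q in REBHIP_C2_HOSTS:
        return "high", "known Rebhip C&C hostname"
    if q.endswith(DYNDNS_SUFFIXES):
        return "low", "dynamic DNS zone used by Rebhip C&C"
    return None, None

def scan_dns_log(text):
    """Return one alert dict per log line whose query name matches."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        severity, reason = classify_query(m["qname"])
        if severity:
            alerts.append({"ts": m["ts"], "client": m["client"],
                           "qname": normalize_qname(m["qname"]),
                           "severity": severity, "reason": reason})
    return alerts

def clients_to_triage(alerts):
    """Clients with at least one high-severity alert, sorted, for prioritising containment."""
    return sorted({a["client"] for a in alerts if a["severity"] == "high"})

if __name__ == "__main__":
    alerts = scan_dns_log(SAMPLE_DNS_LOG)
    for a in alerts:
        print(a["severity"].upper(), a["ts"], a["client"], a["qname"], "-", a["reason"])
    print("triage:", clients_to_triage(alerts))
```

Adapt `LINE_RE` to your resolver's log format; the classification and triage functions do not depend on it. Because the C&C names are dynamic DNS records, the IP addresses they resolve to change, which is why matching on the name rather than the address is the reliable check.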
Changes internet security settings
The worm changes your internet security settings, possibly so it can access websites that otherwise would be blocked from loading.
It does this by changing the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "ProxyBypass"
With data: "1"
Additional information
The worm changes the registry to keep track of when it was installed on your PC, possibly so it knows when to download an updated version of itself. The changes are:
In subkey: HKCU\Software\SlysBitch
where recent Rebhip samples use a random key name
Sets value: "FirstExecution"
With data: "<current date and time>" for example: "15/09/2014 -- 15:03"
Sets value: "NewIdentification"
With data: "SlysBitch"
where recent Rebhip samples use random registry data
Related information
Keeping Kerrigan from Infection - Microsoft Malware Protection Center blog, July 2010
A Happy Thanksgiving from Rebhip? - Microsoft Malware Protection Center blog, November 2010
Social Engineering Advice - Microsoft Security Intelligence Report featured article
Analysis by Rex Plantado