Worm:Win32/Rebhip.A copies itself to your computer as the following file:
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32", and for Windows XP, Vista, 7, and 8 it is "C:\Windows\System32".
It creates the following registry entry so that it runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "WinDefence"
With data: "<system folder>\WinDefence\windefence32.exe"
It may also create the following copies on your computer:
The worm may also open the Internet Explorer process, "iexplore.exe", and inject code into it.
The worm spreads by copying itself to all accessible removable drives using one of the following file names:
The worm then writes an Autorun configuration file named "autorun.inf", pointing to the worm copy. If the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Steals sensitive data
The worm may gather various information about your computer, for example, what security software is installed, and which processes or services are currently running. It may also log keystrokes and gather passwords. Worm:Win32/Rebhip.A sends its collected data to remote attackers.
The worm makes the following additional registry change:
In subkey: HKCU\Software\SlysBitch
Sets value: "FirstExecution"
With data: "<current date and time>" (for example: "21/12/2009 -- 03:58")
Sets value: "NewIdentification"
With data: "SlysBitch"
It also creates the following files:
Both files contain the current computer time.
Analysis by Andrei Florin Saygo
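
A read-only host check for the artifacts listed in this description, as an added example (not part of the original analysis or of any Microsoft tool). It assumes it runs in the session of the user being examined, because the keys are under HKCU; the SysWOW64 path is an added assumption for 64-bit Windows, where a 32-bit process writing to System32 is redirected there.

```powershell
# Added example: looks for the registry values, file path and autorun.inf
# behaviour named in the description above. It only reads; it changes nothing.
$findings = @()

# 1. Persistence value "WinDefence" under Policies\Explorer\Run.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties.Name -contains 'WinDefence') {
    $findings += "Run value WinDefence -> $($run.WinDefence)"
}

# 2. Marker key and the two values the description lists under it.
$markerKey = 'HKCU:\Software\SlysBitch'
if (Test-Path -Path $markerKey) {
    $findings += "Key present: $markerKey"
    $marker = Get-ItemProperty -Path $markerKey -ErrorAction SilentlyContinue
    foreach ($name in 'FirstExecution', 'NewIdentification') {
        if ($marker -and $marker.PSObject.Properties.Name -contains $name) {
            $findings += "  $name = $($marker.$name)"
        }
    }
}

# 3. Dropped copy at the path used as the Run value data.
#    SysWOW64 is checked as well (assumption: WOW64 redirection on 64-bit hosts).
foreach ($sysDir in 'System32', 'SysWOW64') {
    $copy = Join-Path $env:SystemRoot "$sysDir\WinDefence\windefence32.exe"
    if (Test-Path -LiteralPath $copy) { $findings += "File present: $copy" }
}

# 4. Removable drives (DriveType 2): report any autorun.inf launch directive
#    so the target it points to can be reviewed.
$launchPattern = '^\s*(open|shellexecute|shell\\.+\\command)\s*='
foreach ($drive in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path "$($drive.DeviceID)\" 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match $launchPattern } |
            ForEach-Object { $findings += "$inf : $($_.Trim())" }
    }
}

if ($findings) { $findings } else { 'No artifacts from this description found.' }
```

An autorun.inf finding alone is not specific to this worm; treat it as a pointer to the file it launches.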