Worm:Win32/Rebhip.A


Microsoft security software detects and removes this threat.

This worm can steal your sensitive information.

It spreads via infected removable drives, such as USB flash drives.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Worm:Win32/Rebhip.A copies itself to your computer as the following file:

<system folder>\WinDefence\windefence32.exe

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is "C:\WinNT\System32" on Windows 2000 and NT, and "C:\Windows\System32" on Windows XP, Vista, 7, and 8.

It creates the following registry entry so that it runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "WinDefence"
With data: "<system folder>\WinDefence\windefence32.exe"

It may also create the following additional copies on your computer:

  • <system folder>\taskmanager\task.exe
  • <system folder>\install\system.exe
  • <system folder>\backup\winbackup.exe
  • <system folder>\windows\windows.exe
  • %windir%\install\update.exe

Worm:Win32/Rebhip.A may also open an Internet Explorer process ("iexplore.exe") and inject code into it.

Spreads via...

Removable drives

Worm:Win32/Rebhip.A spreads by copying itself to all accessible removable drives using one of the following file names:

  • task.exe
  • system.exe
  • winbackup.exe
  • windows.exe
  • update.exe

The worm then writes an Autorun configuration file named "autorun.inf", pointing to the worm copy. If the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
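The two persistence and spreading indicators above (the "WinDefence" Run value and an autorun.inf whose launch target is one of the listed file names) can be checked offline. The following is an added example, not code from the write-up or from Microsoft; the autorun.inf content and registry data it checks are constructed samples.

```python
# Added example (not part of the Microsoft write-up): offline checks for the two
# indicators the page describes, a Run value named "WinDefence" pointing at
# windefence32.exe, and an autorun.inf whose launch target is one of the worm's
# removable-drive file names. Sample inputs below are constructed.

# File names the write-up says the worm uses on removable drives.
REBHIP_FILE_NAMES = {"task.exe", "system.exe", "winbackup.exe", "windows.exe", "update.exe"}
REBHIP_RUN_VALUE = "windefence"
REBHIP_INSTALL_SUFFIX = r"\windefence\windefence32.exe"

def parse_autorun_inf(text):
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def _first_token(value):
    """Executable part of a command line: the quoted path or the first whitespace token."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def autorun_target(text):
    """Base name of the file this autorun.inf would launch, or None if it launches nothing."""
    entries = parse_autorun_inf(text)
    for key in ("open", "shellexecute", "shell\\open\\command"):
        if key in entries:
            return _first_token(entries[key]).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return None

def autorun_matches_rebhip(text):
    """True when the launch target is one of the worm's known copy names."""
    return autorun_target(text) in REBHIP_FILE_NAMES

def run_value_matches_rebhip(value_name, data):
    """True for the Policies\\Explorer\\Run value the worm sets (value name plus target path)."""
    path = data.strip().strip('"').lower()
    return value_name.lower() == REBHIP_RUN_VALUE and path.endswith(REBHIP_INSTALL_SUFFIX)

# Constructed sample autorun.inf, shaped like the one the worm drops.
SAMPLE_AUTORUN_INF = "[autorun]\n; constructed sample\nopen=system.exe\nicon=system.exe,0\n"
```

Feeding it the autorun.inf from a suspect drive and the data of each value under the Run subkey named in the write-up flags both indicators without executing anything from the drive.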

Payload

Steals sensitive data

Worm:Win32/Rebhip.A may gather various information about your computer, for example, what security software is installed, and which processes or services are currently running. It may also log keystrokes and gather passwords. Worm:Win32/Rebhip.A sends its collected data to remote attackers.

Additional information

Worm:Win32/Rebhip.A makes the following additional registry change:

In subkey: HKCU\Software\SlysBitch
Sets value: "FirstExecution"
With data: "<current date and time>" (for example: "21/12/2009 -- 03:58")
Sets value: "NewIdentification"
With data: "SlysBitch"

It also creates the following files:

  • %Temp%\uuu.uuu
  • %Temp%\xxx.xxx

Both files contain the current computer time.

Analysis by Andrei Florin Saygo


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.71.71.0
Latest detected by definition: 1.185.1597.0 and higher
First detected on: Nov 20, 2009
This entry was first published on: Dec 23, 2009
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Trojan.Win32.Llac.aaf (Kaspersky)
  • Win32/Spatet.A (ESET)
  • Trj/Spy.YM (Panda)