Microsoft security software detects and removes this threat.

This worm can steal your sensitive information.

It spreads through infected removable drives, such as USB flash drives.

Find out ways that malware can get on your PC.  

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Enable MAPS 

Enable the Microsoft Active Protection Service (MAPS) on your system to protect your enterprise software security infrastructure in the cloud.

  1. Check if MAPS is enabled in your Microsoft security product:

    1. Select Settings and then select MAPS.

    2. Select Advanced membership, then click Save changes. With the MAPS option enabled, your Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service.

  2. Join the Microsoft Active Protection Service Community.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


Worm:Win32/Rebhip copies itself to a variable subdirectory in the <system folder> directory, and modifies the registry so its file is executed at each Windows start.

Commonly used subdirectories include the following:

  • adobe
  • booter
  • chrome
  • cmd
  • conf.exe
  • ctfmon
  • dllcache
  • dllinstall
  • dlll32.exe
  • driver
  • drivers
  • dxvi
  • dynamicpkz
  • explorer
  • gameshadow
  • google
  • hosts
  • idss.dll
  • ins
  • install
  • instjs
  • java
  • messenger
  • micro-soft
  • microsoftupdater
  • msn
  • perfmonitor
  • root
  • rundll32
  • sms
  • spynet
  • spynet54
  • svchost
  • svhost
  • symantec
  • sys
  • sys32
  • sysetm
  • system
  • system32
  • tek9
  • update
  • update_flash
  • v1rus
  • win
  • win32
  • winboot
  • winbooterr
  • windiiir
  • windir
  • windll
  • windows
  • windowsdefender
  • windowsupdate
  • windr
  • windupdt
  • winlog
  • winlogon
  • winreg
  • winupdate

And commonly used file names include the following:

  • 2.exe
  • adinss.exe
  • atp.exe
  • chrome.exe
  • comddl1.exe
  • conf.exe
  • crisys2.exe
  • crossfire.wallhack.exe
  • cs.exe
  • ctfmon.exe
  • ddl.exe
  • diagnose.exe
  • dll.exe
  • dll32.exe
  • dss.exe
  • dynamicpkz.exe
  • epicbot.exe
  • esplorer.exe
  • explore.exe
  • explorer.exe
  • flash.exe
  • gamer.exe
  • hosts.exe
  • iexplorer.exe
  • iiexplorer.exe
  • ijavaupdate.exe
  • install.exe
  • intall.exe
  • ipdate.exe
  • javaru.exe
  • javascheds.exe
  • jvclient.exe
  • kaspersky.exe
  • kb321009.exe
  • keygen.exe
  • khaled.exe
  • lilly.exe
  • mensssenger.exe
  • microsoftupdate.exe
  • microupdate.exe
  • msconcat.exe
  • msn.exe
  • msnd.exe
  • msnmsgr.exe
  • netsniper.exe
  • perfmon.exe
  • photo.exe
  • piccc.exe
  • player.exe
  • registry.exe
  • rundll32.exe
  • runescapekeylogger.exe
  • scvhost.exe
  • server.exe
  • servertest.exe
  • serves.exe
  • service.exe
  • servis.exe
  • setting.exe
  • setup.exe
  • skype.exe
  • smss.exe
  • soft.exe
  • spoolsvs.exe
  • svchost.exe
  • svchost22.exe
  • svchosts.exe
  • svchust.exe
  • svhost.exe
  • svhost32update.exe
  • sysstem32.exe
  • system.exe
  • system32.exe
  • systema.exe
  • systemconfig.exe
  • systemresh.exe
  • testing.exe
  • troublekeylogger.exe
  • update.exe
  • updater.exe
  • win.exe
  • win32.exe
  • win_xp.exe
  • winampagent.exe
  • wincy.exe
  • windll.exe
  • windows.exe
  • windowsdefender.exe
  • windowsup.exe
  • windowsupdate.exe
  • winexplorer.exe
  • winlog-updates.exe
  • winlogin.exe
  • winlogon.exe
  • winnload.exe
  • winserver.exe
  • winupdate.exe
  • wlcomm.exe

It should be noted that the worm is configurable, and could have any name.

It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: <value>, where <value> is variable 
With data: <worm location>

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: <value>, where <value> is variable
With data: <worm location>

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <value>, where <value> is variable
With data: <worm location>

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <value>, where <value> is variable
With data: <worm location>

Commonly, Worm:Win32/Rebhip opens a number of processes, including explorer.exe, and injects code into it.

Variants of this family can use the following configuration files:

Typically, these configuration files are stored in the temporary directory of the user profile. The file names are based on the user login name combined with the number 2 and a text file extension.

The contents of the configuration file are partially obfuscated. When you open the file in a text editor, such as Notepad, it can reveal the location of the malware executable that created it, along with other unreadable text.

The configuration data contains the following items:

  • A list of Command and Control (C & C) servers
  • Encrypted copy of the executable file and its plugins
  • Anti-debugging options
  • Installation location
  • Persistence method
  • Remote Administration Tool (RAT) builder version
  • Spreading functionality

A more comprehensive list of configuration options includes:

  • C & C server list - can contain up to 20 individual entries
  • Botnet identification string
  • Installation directory and registry method for automatic startup (current user or local machine)
  • Keylogging functionality (enable or disable) and whether to upload logs to FTP server
  • Anti-debugging functionality (enable or disable) for:
    • Anubis
    • CWSandbox
    • JoeBox
    • Norman
    • Sandbox IE
    • SoftIce
    • ThreatExpert
    • Virtual PC
    • VirtualBox
    • VMware
  • Injection into another process, for example, explorer.exe
  • Mutex name, for example, Administrator5_SAIR
  • Version of the RAT builder, for example, 2.6
  • Spreading functionality can be through removable drives and peer-to-peer networks, only if P2P software is already installed
  • Password stealing functionality, for example, Google Chrome, Mozilla
  • Encrypted data containing an executable plugin, for example, information theft of browser passwords, user's contacts list, and HTTP proxy

The employed encryption algorithm is RC4 with a key embedded in the main executable as a regular string, for example, njgnjvejvorenwtrnionrionvironvrnv.

After the decryption, the MD5 digest of the plug-in is compared to a valid value stored inside the configuration file.
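
For analysts handling a recovered configuration, the decrypt-then-verify step described above can be reproduced as follows. This is an added example, not code from the original entry or from the malware: it assumes standard RC4, and the function names, the stand-in plug-in bytes and the way the digest is passed in are assumptions, because the entry does not describe the configuration file layout.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (key scheduling + keystream XOR); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def recover_plugin(encrypted: bytes, key: bytes, expected_md5: str):
    """Decrypt a plug-in blob; return it only if its MD5 equals the stored digest."""
    plain = rc4(key, encrypted)
    if hashlib.md5(plain).hexdigest() != expected_md5.lower():
        return None  # wrong key or damaged blob: nothing trustworthy to carve
    return plain

# Example key string quoted in this entry; other samples can embed a different one.
KEY = b"njgnjvejvorenwtrnionrionvironvrnv"
# Constructed stand-in for a plug-in (DOS header magic plus zero padding), not real malware.
SAMPLE_PLUGIN = b"MZ" + bytes(62)
SAMPLE_BLOB = rc4(KEY, SAMPLE_PLUGIN)
SAMPLE_MD5 = hashlib.md5(SAMPLE_PLUGIN).hexdigest()
```

A `None` result from `recover_plugin` tells the analyst the key string pulled from the executable does not belong to this configuration, before any time is spent on the decrypted bytes.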

Spreads through…

Removable drives

Worm:Win32/Rebhip spreads by copying itself to all accessible removable drives using a variable name, including but not limited to the following:

  • task.exe
  • system.exe
  • winbackup.exe
  • windows.exe
  • update.exe

The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
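
When scanning a removable drive for the behavior described above, it helps to see exactly what its autorun.inf would start. The following is an added example, not part of the original entry: the function names are assumptions, and it reports every launch directive it finds rather than matching file names, since the worm's copy can have any name.

```python
import hashlib
from pathlib import Path

# Directives in the [autorun] section that name a program to start.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}

def autorun_targets(inf_text):
    """Return {directive: command} for launch directives in the [autorun] section."""
    targets, in_autorun = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() in LAUNCH_KEYS:
                targets[key.strip().lower()] = value.strip()
    return targets

def program_of(command):
    """First token of a launch command: the program, without quotes or arguments."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command.split() else ""

def inspect_drive(root):
    """List what autorun.inf on `root` would start, with the SHA-256 of each file found."""
    root = Path(root)
    # The file name is matched case-insensitively, as Windows would.
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    report = []
    for key, command in autorun_targets(inf.read_text(errors="replace")).items():
        program = program_of(command)
        target = root / program.replace("\\", "/")
        found = bool(program) and target.is_file()
        digest = hashlib.sha256(target.read_bytes()).hexdigest() if found else None
        report.append({"directive": key, "program": program, "present": found, "sha256": digest})
    return report
```

The SHA-256 in each report row can be submitted to the scanner or compared against known-good files before the drive is opened on a machine with Autorun enabled.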


Steals sensitive data

Worm:Win32/Rebhip can gather various information about your PC system, for example, details of which security software is installed and which processes or services are currently running.

It can also log your keystrokes and attempt to steal your passwords. Worm:Win32/Rebhip sends the information it collects to various remote hosts. For example, one variant was observed to contact for this purpose.

Additional information

Worm:Win32/Rebhip commonly uses the following mutexes:

  • _x_X_UPDATE_X_x_
  • _x_X_BLOCKMOUSE_X_x_

Analysis by Matt McCormack


The following can indicate that you have this threat on your PC:

  • You have these files:
  • You see registry modifications such as:
    • In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
      Sets value: <value>, where <value> is variable
      With data: <worm location>

    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
      Sets value: <value>, where <value> is variable
      With data: <worm location>

    • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: <value>, where <value> is variable
      With data: <worm location>

    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: <value>, where <value> is variable
      With data: <worm location> 
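
The registry entries listed here and under Threat behavior can be triaged from saved `reg query` output (one value per line: four spaces, name, four spaces, type, four spaces, data). This is an added example, not part of the original entry: the default system folder path, the function names and the sample lines are assumptions or constructed, and the two checks are heuristics based on the install location and subkeys described above, because the worm's file and value names are variable.

```python
import re
from pathlib import PureWindowsPath

# The four autostart subkeys listed in this entry, lower-cased with short hive names.
RUN_KEYS = {
    hive + "\\software\\microsoft\\windows\\currentversion\\" + tail
    for hive in ("hklm", "hkcu")
    for tail in ("run", "policies\\explorer\\run")
}
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
VALUE_RE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def exe_path(data):
    """Cut the program path out of a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", data)
    return m.group(1) if m else data

def triage(reg_text, system_folder=r"C:\Windows\System32"):
    """Return (key, value name, path, reasons) for entries that fit this entry's description."""
    sysdir, findings, key = PureWindowsPath(system_folder), [], None
    for line in reg_text.splitlines():
        if line.upper().startswith("HKEY_"):
            hive, _, rest = line.strip().lower().partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
            continue
        m = VALUE_RE.match(line)
        if not m or key not in RUN_KEYS:
            continue
        exe, reasons = PureWindowsPath(exe_path(m.group(3))), []
        # The worm copy sits one level below the system folder: <system folder>\<subdir>\<file>
        if exe.suffix.lower() == ".exe" and exe.parent.parent == sysdir:
            reasons.append("exe in a subdirectory of the system folder")
        if "policies\\explorer\\run" in key:
            reasons.append("started from policies\\Explorer\\Run")
        if reasons:
            findings.append((key, m.group(1), str(exe), reasons))
    return findings

# Constructed `reg query` output for illustration, not taken from an infected machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_SZ    C:\Windows\System32\SecurityHealthSystray.exe
    Updater    REG_SZ    C:\Windows\System32\winupdate\svhost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Policies    REG_SZ    "C:\Windows\system32\install\server.exe"
"""
```

Paths containing unexpanded variables such as `%windir%` are compared as written, so expand them before calling `triage` if the export contains `REG_EXPAND_SZ` values.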


Alert level: Severe
First detected by definition: 1.95.2237.0
Latest detected by definition: 1.211.777.0 and higher
First detected on: Dec 21, 2010
This entry was first published on: Mar 25, 2011
This entry was updated on: Jun 02, 2015

This threat is also detected as:
No known aliases