Worm:Win32/Rebhip


Worm:Win32/Rebhip is a worm that spreads via removable drives and attempts to steal sensitive information from an affected computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Worm:Win32/Rebhip is a worm that spreads via removable drives and attempts to steal sensitive information from an affected computer.

Installation

When executed, Worm:Win32/Rebhip copies itself to a variable subdirectory in the <system folder> directory, and modifies the registry so its file is executed at each Windows start.

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.

Commonly used subdirectories include the following:

  • adobe
  • booter
  • chrome
  • cmd
  • conf.exe
  • ctfmon
  • dllcache
  • dllinstall
  • dlll32.exe
  • driver
  • drivers
  • dxvi
  • dynamicpkz
  • explorer
  • gameshadow
  • google
  • hosts
  • idss.dll
  • ins
  • install
  • instjs
  • java
  • messenger
  • micro-soft
  • microsoftupdater
  • msn
  • perfmonitor
  • root
  • rundll32
  • sms
  • spynet
  • spynet54
  • svchost
  • svhost
  • symantec
  • sys
  • sys32
  • sysetm
  • system
  • system32
  • tek9
  • update
  • update_flash
  • v1rus
  • win
  • win32
  • winboot
  • winbooterr
  • windiiir
  • windir
  • windll
  • windows
  • windowsdefender
  • windowsupdate
  • windr
  • windupdt
  • winlog
  • winlogon
  • winreg
  • winupdate

And commonly used file names include the following:

  • 2.exe
  • adinss.exe
  • atp.exe
  • chrome.exe
  • comddl1.exe
  • conf.exe
  • crisys2.exe
  • crossfire.wallhack.exe
  • cs.exe
  • ctfmon.exe
  • ddl.exe
  • diagnose.exe
  • dll.exe
  • dll32.exe
  • dss.exe
  • dynamicpkz.exe
  • epicbot.exe
  • esplorer.exe
  • explore.exe
  • explorer.exe
  • flash.exe
  • gamer.exe
  • hosts.exe
  • iexplorer.exe
  • iiexplorer.exe
  • ijavaupdate.exe
  • install.exe
  • intall.exe
  • ipdate.exe
  • javaru.exe
  • javascheds.exe
  • jvclient.exe
  • kaspersky.exe
  • kb321009.exe
  • keygen.exe
  • khaled.exe
  • lilly.exe
  • mensssenger.exe
  • microsoftupdate.exe
  • microupdate.exe
  • msconcat.exe
  • msn.exe
  • msnd.exe
  • msnmsgr.exe
  • netsniper.exe
  • perfmon.exe
  • photo.exe
  • piccc.exe
  • player.exe
  • registry.exe
  • rundll32.exe
  • runescapekeylogger.exe
  • scvhost.exe
  • server.exe
  • servertest.exe
  • serves.exe
  • service.exe
  • servis.exe
  • setting.exe
  • setup.exe
  • skype.exe
  • smss.exe
  • soft.exe
  • spoolsvs.exe
  • svchost.exe
  • svchost22.exe
  • svchosts.exe
  • svchust.exe
  • svhost.exe
  • svhost32update.exe
  • sysstem32.exe
  • system..exe
  • system.exe
  • system32.exe
  • systema.exe
  • systemconfig.exe
  • systemresh.exe
  • testing.exe
  • troublekeylogger.exe
  • update.exe
  • updater.exe
  • win.exe
  • win32.exe
  • win_xp.exe
  • winampagent.exe
  • wincy.exe
  • windll.exe
  • windows.exe
  • windowsdefender.exe
  • windowsup.exe
  • windowsupdate.exe
  • winexplorer.exe
  • winlog-updates.exe
  • winlogin.exe
  • winlogon.exe
  • winnload.exe
  • winserver.exe
  • winupdate.exe
  • wlcomm.exe

Because the worm is configurable, its file name can be anything; the lists above are only the names most commonly observed.

The worm modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkeys:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <value>
With data: <worm location>

where <value> is variable.
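A triage check for the persistence described above, added here as an example (it is not part of the original entry): it reads a .reg export of the four autostart keys and flags values whose data points to an .exe one directory below the system folder with a directory or file name from the lists on this page. The name sets are a constructed subset of the page's lists, and the sample export is constructed, not a real capture.

```python
import re

# Constructed subset of the subdirectory and file names the page lists for
# Worm:Win32/Rebhip; extend both sets with the full lists from the entry.
REBHIP_SUBDIRS = {"adobe", "chrome", "dllcache", "svchost", "update",
                  "winlogon", "windowsupdate", "winupdate", "system32"}
REBHIP_FILES = {"svchost.exe", "explorer.exe", "winlogon.exe", "server.exe",
                "windowsupdate.exe", "system.exe", "update.exe", "winupdate.exe"}
# The four autostart keys named on the page, lower-cased in .reg-export form.
RUN_KEYS = {hive + r"\software\microsoft\windows\currentversion" + tail
            for hive in ("hkey_local_machine", "hkey_current_user")
            for tail in (r"\run", r"\policies\explorer\run")}
# <system folder>\<subdir>\<file>.exe, even when quoted or followed by arguments.
SYS_SUBDIR_EXE = re.compile(r'\\system32\\([^\\"]+)\\([^\\"]+\.exe)', re.I)

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                yield key, name.strip('"'), data

def flag_rebhip_autostarts(reg_text):
    """Return [(key, value_name, reason)] for Run-key values whose data points to
    an .exe one level below System32 with a directory or file name on the lists."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        m = SYS_SUBDIR_EXE.search(data) if key.lower() in RUN_KEYS else None
        if not m:
            continue
        subdir, exe = m.group(1).lower(), m.group(2).lower()
        reasons = [w for w, on in ((f"subdir {subdir!r}", subdir in REBHIP_SUBDIRS),
                                   (f"file {exe!r}", exe in REBHIP_FILES)) if on]
        if reasons:
            hits.append((key, name, " and ".join(reasons) + " on the Rebhip lists"))
    return hits

# Constructed sample export: one legitimate entry and two Rebhip-style ones.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"svchost"="\"C:\\Windows\\System32\\winlogon\\svchost.exe\" -s"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\Windows\\System32\\update\\server.exe"
'''
```

Running `flag_rebhip_autostarts(SAMPLE_REG)` reports the two entries under subdirectories and ignores the genuine ctfmon.exe, which sits directly in System32; an autostart pointing one level below System32 is uncommon enough that the extra directory level alone deserves a look.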

Worm:Win32/Rebhip commonly also opens a number of processes, explorer.exe among them, and injects code into them.

Spreads via…

Removable drives
Worm:Win32/Rebhip spreads by copying itself to all accessible removable drives using a variable name, including but not limited to the following:

  • task.exe
  • system.exe
  • winbackup.exe
  • windows.exe
  • update.exe

The worm then writes an autorun configuration file named "autorun.inf" on the drive, pointing to the worm copy. When the drive is accessed from a computer on which the Autorun feature is enabled, the worm is launched automatically.
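To inspect an autorun.inf taken from a removable drive, here is an added example (not code from the original entry) that extracts the program names the file would launch and matches them against the drive copy names listed above. The name set is a constructed subset of the page's list, and the sample file is constructed rather than captured.

```python
# Constructed subset of the removable-drive copy names the page lists.
REBHIP_DRIVE_NAMES = {"task.exe", "system.exe", "winbackup.exe",
                      "windows.exe", "update.exe"}
# [autorun] keys that make Windows run, or offer to run, a program.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def autorun_targets(inf_text):
    """Return the program names an autorun.inf would launch, lower-cased and
    without quotes, arguments or a leading '.\\'. Section and key names are
    matched case-insensitively, as Windows does."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, cmd = line.partition("=")
            if key.strip().lower() not in LAUNCH_KEYS:
                continue
            cmd = cmd.strip()
            # A quoted program ends at the closing quote; otherwise at a space.
            program = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            targets.append(program.lower().lstrip(".\\"))
    return targets

def rebhip_autorun_hits(inf_text):
    """Launch targets whose file name is one of the page's removable-drive names."""
    return [t for t in autorun_targets(inf_text)
            if t.rsplit("\\", 1)[-1] in REBHIP_DRIVE_NAMES]

# Constructed sample, not a captured file: the worm copy is launched via
# 'open' and also offered as the default action through 'shell\open\command'.
SAMPLE_INF = """[AutoRun]
; constructed sample
open=winbackup.exe
shell\\open\\command="winbackup.exe" -quiet
icon=winbackup.exe,0
action=Open folder to view files
"""
```

`rebhip_autorun_hits(SAMPLE_INF)` returns the launch target twice, once per launching key, while icon and action entries are ignored because they never start a program.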

Payload

Steals sensitive data
Worm:Win32/Rebhip may gather various information about the system, for example, details of which security software is installed on the system, and which processes or services are currently running. It may also log keystrokes and attempt to gather passwords. Worm:Win32/Rebhip sends its collected data to various remote hosts. For example, one variant was observed to contact sly.fcuked.me.uk for this purpose.

Additional information

Worm:Win32/Rebhip commonly uses the following mutexes:

  • _x_X_UPDATE_X_x_
  • _x_X_PASSWORDLIST_X_x_
  • _x_X_BLOCKMOUSE_X_x_

Analysis by Matt McCormack


Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.95.2237.0
Latest detected by definition: 1.183.21.0 and higher
First detected on: Dec 21, 2010
This entry was first published on: Mar 25, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases