Worm:Win32/Rebhip


Microsoft security software detects and removes this threat.

This worm can steal your sensitive information.

It spreads via infected removable drives, such as USB flash drives.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Worm:Win32/Rebhip copies itself to a variable subdirectory in the <system folder> directory, and modifies the registry so its file is executed at each Windows start.

Commonly used subdirectories include the following:

  • adobe
  • booter
  • chrome
  • cmd
  • conf.exe
  • ctfmon
  • dllcache
  • dllinstall
  • dlll32.exe
  • driver
  • drivers
  • dxvi
  • dynamicpkz
  • explorer
  • gameshadow
  • google
  • hosts
  • idss.dll
  • ins
  • install
  • instjs
  • java
  • messenger
  • micro-soft
  • microsoftupdater
  • msn
  • perfmonitor
  • root
  • rundll32
  • sms
  • spynet
  • spynet54
  • svchost
  • svhost
  • symantec
  • sys
  • sys32
  • sysetm
  • system
  • system32
  • tek9
  • update
  • update_flash
  • v1rus
  • win
  • win32
  • winboot
  • winbooterr
  • windiiir
  • windir
  • windll
  • windows
  • windowsdefender
  • windowsupdate
  • windr
  • windupdt
  • winlog
  • winlogon
  • winreg
  • winupdate

Commonly used file names include the following:

  • 2.exe
  • adinss.exe
  • atp.exe
  • chrome.exe
  • comddl1.exe
  • conf.exe
  • crisys2.exe
  • crossfire.wallhack.exe
  • cs.exe
  • ctfmon.exe
  • ddl.exe
  • diagnose.exe
  • dll.exe
  • dll32.exe
  • dss.exe
  • dynamicpkz.exe
  • epicbot.exe
  • esplorer.exe
  • explore.exe
  • explorer.exe
  • flash.exe
  • gamer.exe
  • hosts.exe
  • iexplorer.exe
  • iiexplorer.exe
  • ijavaupdate.exe
  • install.exe
  • intall.exe
  • ipdate.exe
  • javaru.exe
  • javascheds.exe
  • jvclient.exe
  • kaspersky.exe
  • kb321009.exe
  • keygen.exe
  • khaled.exe
  • lilly.exe
  • mensssenger.exe
  • microsoftupdate.exe
  • microupdate.exe
  • msconcat.exe
  • msn.exe
  • msnd.exe
  • msnmsgr.exe
  • netsniper.exe
  • perfmon.exe
  • photo.exe
  • piccc.exe
  • player.exe
  • registry.exe
  • rundll32.exe
  • runescapekeylogger.exe
  • scvhost.exe
  • server.exe
  • servertest.exe
  • serves.exe
  • service.exe
  • servis.exe
  • setting.exe
  • setup.exe
  • skype.exe
  • smss.exe
  • soft.exe
  • spoolsvs.exe
  • svchost.exe
  • svchost22.exe
  • svchosts.exe
  • svchust.exe
  • svhost.exe
  • svhost32update.exe
  • sysstem32.exe
  • system..exe
  • system.exe
  • system32.exe
  • systema.exe
  • systemconfig.exe
  • systemresh.exe
  • testing.exe
  • troublekeylogger.exe
  • update.exe
  • updater.exe
  • win.exe
  • win32.exe
  • win_xp.exe
  • winampagent.exe
  • wincy.exe
  • windll.exe
  • windows.exe
  • windowsdefender.exe
  • windowsup.exe
  • windowsupdate.exe
  • winexplorer.exe
  • winlog-updates.exe
  • winlogin.exe
  • winlogon.exe
  • winnload.exe
  • winserver.exe
  • winupdate.exe
  • wlcomm.exe

Note that the worm is configurable, so its file can have any name; the lists above are only the names seen most often.

The worm modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkeys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: <value>
With data: <worm location>

where <value> is variable.

Worm:Win32/Rebhip commonly opens a number of running processes, including explorer.exe, and injects code into them.

Spreads via…

Removable drives

Worm:Win32/Rebhip spreads by copying itself to all accessible removable drives using a variable name, including but not limited to the following:

  • task.exe
  • system.exe
  • winbackup.exe
  • windows.exe
  • update.exe

The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
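To check removable drives for the autorun.inf described above, here is an added PowerShell example (not part of the Microsoft write-up) that reads each removable drive's autorun.inf, extracts the executable it would launch, and flags names that match the list above; the `Get-AutorunTargets` function and its regular expression are my own.

```powershell
# Added example (not from the Microsoft write-up): inspect autorun.inf on every
# removable drive and report which executable it would launch. The file names
# below are the ones the write-up lists; any name is possible, so treat a match
# as a strong signal and a non-match as "inspect manually".
$KnownWormNames = @('task.exe', 'system.exe', 'winbackup.exe', 'windows.exe', 'update.exe')

function Get-AutorunTargets {
    param([Parameter(Mandatory)][string]$InfPath)
    # autorun.inf is INI-style; the launch target can sit in several keys
    # (open=, shellexecute=, or shell\<verb>\command=).
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $InfPath -ErrorAction Stop) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += $Matches[2]
        }
    }
    return $targets
}

# DriveType 2 = removable disk (USB flash drives and similar).
foreach ($drive in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path $drive.DeviceID 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    foreach ($t in (Get-AutorunTargets -InfPath $inf)) {
        # Strip quotes and arguments so the bare executable name can be compared.
        $exe = [System.IO.Path]::GetFileName((($t -replace '"', '').Split(' '))[0])
        $flag = if ($KnownWormNames -contains $exe.ToLower()) { 'MATCHES-REBHIP-LIST' } else { 'REVIEW' }
        '{0}  {1}  -> {2}  [{3}]' -f $drive.DeviceID, $inf, $t, $flag
    }
}
```

On Windows 7 and later, AutoRun for non-optical removable media is disabled by default, but a planted autorun.inf on a drive is still evidence that the drive was exposed to the worm.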

Payload

Steals sensitive data

Worm:Win32/Rebhip can gather various information about your PC, for example which security software is installed and which processes or services are currently running.

It can also log your keystrokes and attempt to steal your passwords. Worm:Win32/Rebhip sends the information it collects to various remote hosts. For example, one variant was observed to contact sly.fcuked.me.uk for this purpose.

Additional information

Worm:Win32/Rebhip commonly uses the following mutexes:

  • _x_X_UPDATE_X_x_
  • _x_X_PASSWORDLIST_X_x_
  • _x_X_BLOCKMOUSE_X_x_
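As an added triage example (not from the Microsoft write-up), this PowerShell script checks the four Run locations listed under Installation and probes for the three mutex names above on the suspect host; the function names `Get-RunEntries` and `Test-KnownMutex` are my own.

```powershell
# Added example (not from the Microsoft write-up): check the four Run locations
# the worm is documented to use and probe for its three known mutex names.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$MutexNames = @('_x_X_UPDATE_X_x_', '_x_X_PASSWORDLIST_X_x_', '_x_X_BLOCKMOUSE_X_x_')
$SystemDir  = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

function Get-RunEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip PSPath, PSParentPath, ...
            $data = [string]$p.Value
            # The worm's copy lives in a subdirectory of the system folder, and
            # Policies\Explorer\Run entries are rare on clean machines: flag both.
            $inSysSubdir = (($data -replace '"', '') -like "$SystemDir\*\*.exe")
            [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $data
                               SuspiciousPath = $inSysSubdir
                               PolicyRunKey = ($key -like '*\Policies\*') }
        }
    }
}

function Test-KnownMutex {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # An unprefixed name is session-local; also try the Global\ namespace.
        foreach ($candidate in @($name, "Global\$name")) {
            $m = $null
            # TryOpenExisting is $true only while some process holds that mutex name.
            $present = [System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$m)
            if ($present) { $m.Dispose() }
            [pscustomobject]@{ Mutex = $candidate; Present = $present }
        }
    }
}

Get-RunEntries -Keys $RunKeys | Where-Object { $_.SuspiciousPath -or $_.PolicyRunKey } | Format-Table -AutoSize
Test-KnownMutex -Names $MutexNames | Format-Table -AutoSize
```

Run it from an elevated prompt so both HKLM keys are readable; a mutex that is absent only proves the worm is not running at that moment, so the registry findings carry more weight on a rebooted host.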

Analysis by Matt McCormack


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.95.2237.0
Latest detected by definition: 1.187.322.0 and higher
First detected on: Dec 21, 2010
This entry was first published on: Mar 25, 2011
This entry was updated on: Sep 15, 2014

This threat is also detected as:
No known aliases