Worm:Win32/Rebhip.A


Worm:Win32/Rebhip.A is a worm that spreads via removable drives. It tries to steal sensitive information from your computer.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Disable Autorun functionality

This threat attempts to spread via removable drives on computers that have Autorun functionality enabled. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, see the following article:
http://support.microsoft.com/kb/967715/
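The article above describes disabling Autorun through the NoDriveTypeAutoRun policy value. The following is an added example, not part of the original encyclopedia entry, that reads that value from both the machine and user policy keys, reports whether it covers all drive types (0xFF), and can enforce the hardened setting. It assumes an elevated Windows PowerShell session on a system where the value is honoured (Vista and later, or XP/2003 with the KB967715 update installed); the function names are my own.

```powershell
# Added example (not from the Microsoft entry): audit and enforce the Autorun policy from KB967715.
# Assumption: elevated session; the OS honours NoDriveTypeAutoRun (Vista+, or XP/2003 with KB967715).

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine-wide, takes precedence
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # per-user
)

function Get-AutorunPolicy {
    # Returns one row per policy key: the raw DWORD (or $null if unset) and whether
    # every drive-type bit in the low byte is set, i.e. Autorun is off for all drive types.
    foreach ($path in $PolicyPaths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Key      = $path
            Value    = if ($null -eq $value) { '(not set)' } else { '0x{0:X2}' -f $value }
            Hardened = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
        }
    }
}

function Set-AutorunDisabled {
    # Writes 0xFF (all drive types) to the machine policy key; the HKLM value overrides HKCU.
    $path = $PolicyPaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
}

# Usage: show the current state, then harden only if a key is not yet at 0xFF.
$state = Get-AutorunPolicy
$state | Format-Table -AutoSize
if (-not ($state | Where-Object { $_.Key -like 'HKLM:*' -and $_.Hardened })) {
    Set-AutorunDisabled
    Get-AutorunPolicy | Format-Table -AutoSize
}
```

The default value on unhardened systems leaves removable-drive Autorun enabled, which is exactly the path this worm relies on; the check looks at the low byte only because that byte holds the per-drive-type bits.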

Threat behavior

Installation

Worm:Win32/Rebhip.A copies itself to your computer as the following file:

<system folder>\WinDefence\windefence32.exe

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; for Windows XP, Vista, 7, and 8 it is "C:\Windows\System32".

It creates the following registry entry so that it runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "WinDefence"
With data: "<system folder>\WinDefence\windefence32.exe"

It may also create further copies of itself at the following locations:

  • <system folder>\taskmanager\task.exe
  • <system folder>\install\system.exe
  • <system folder>\backup\winbackup.exe
  • <system folder>\windows\windows.exe
  • %windir%\install\update.exe

Worm:Win32/Rebhip.A may also start an Internet Explorer process ("iexplore.exe") and inject code into it.

Spreads via...

Removable drives

Worm:Win32/Rebhip.A spreads by copying itself to all accessible removable drives using one of the following file names:

  • task.exe
  • system.exe
  • winbackup.exe
  • windows.exe
  • update.exe

The worm then writes an Autorun configuration file named "autorun.inf" to the drive, pointing to the worm copy. If the drive is connected to a computer with Autorun enabled, the worm is launched automatically.

Payload

Steals sensitive data

Worm:Win32/Rebhip.A may gather various information about your computer, for example, what security software is installed, and which processes or services are currently running. It may also log keystrokes and gather passwords. Worm:Win32/Rebhip.A sends its collected data to remote attackers.

Additional information

Worm:Win32/Rebhip.A makes the following additional registry change:

In subkey: HKCU\Software\SlysBitch
Sets value: "FirstExecution"
With data: "<current date and time>" (for example: "21/12/2009 -- 03:58")
Sets value: "NewIdentification"
With data: "SlysBitch"

It also creates the following files:

  • %Temp%\uuu.uuu
  • %Temp%\xxx.xxx

Both files contain the current computer time.

Analysis by Andrei Florin Saygo


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • <system folder>\WinDefence\windefence32.exe
    • <system folder>\taskmanager\task.exe
    • <system folder>\install\system.exe
    • <system folder>\backup\winbackup.exe
    • <system folder>\windows\windows.exe
    • %windir%\install\update.exe
    • %Temp%\uuu.uuu
    • %Temp%\xxx.xxx
  • The presence of the following registry modification:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Sets value: "WinDefence"
    With data: "<system folder>\WinDefence\windefence32.exe"
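As an added example that is not part of the original entry, the script below sweeps a host for the file and registry indicators listed in this entry and the "Additional information" section, and inspects autorun.inf on any attached removable drive for an open= or shellexecute= target that matches one of the file names the worm uses when spreading. Assumptions: Windows PowerShell 3.0 or later (for Get-CimInstance), run as the user whose HKCU hive is of interest, and a default install where <system folder> is %SystemRoot%\System32; the exact contents of the worm's autorun.inf are not given in this entry, so the parser treats any launch target with one of those names as a hit. Function names are my own.

```powershell
# Added example (not from the Microsoft entry): host sweep for the Rebhip.A indicators above.
# Assumptions: PowerShell 3+, default <system folder> = %SystemRoot%\System32, HKCU = current user.

$WormNames = 'task.exe', 'system.exe', 'winbackup.exe', 'windows.exe', 'update.exe', 'windefence32.exe'

$FileIocs = @(
    "$env:SystemRoot\System32\WinDefence\windefence32.exe",
    "$env:SystemRoot\System32\taskmanager\task.exe",
    "$env:SystemRoot\System32\install\system.exe",
    "$env:SystemRoot\System32\backup\winbackup.exe",
    "$env:SystemRoot\System32\windows\windows.exe",
    "$env:SystemRoot\install\update.exe",
    "$env:TEMP\uuu.uuu",
    "$env:TEMP\xxx.xxx"
)

function Test-RebhipFiles {
    # One row per indicator file that exists on disk.
    foreach ($p in $FileIocs) {
        if (Test-Path -LiteralPath $p) {
            Get-Item -LiteralPath $p | Select-Object FullName, Length, CreationTime
        }
    }
}

function Test-RebhipRegistry {
    # Persistence entry under Policies\Explorer\Run, plus the SlysBitch marker key.
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    $v = (Get-ItemProperty -Path $run -Name WinDefence -ErrorAction SilentlyContinue).WinDefence
    if ($v) { [pscustomobject]@{ Key = $run; Name = 'WinDefence'; Data = $v } }
    $marker = 'HKCU:\Software\SlysBitch'
    if (Test-Path $marker) {
        Get-ItemProperty -Path $marker | Select-Object @{n='Key';e={$marker}}, FirstExecution, NewIdentification
    }
}

function Get-SuspiciousAutorun {
    # DriveType 2 = removable. Only open= and shellexecute= launch something, so only those are parsed;
    # the first whitespace-delimited token is the program, anything after it is arguments.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $drive = $_.DeviceID
        $inf = Join-Path $drive 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            foreach ($line in Get-Content -LiteralPath $inf) {
                if ($line -match '^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') {
                    $program = ($Matches[2].Trim('"') -split '\s+')[0]
                    $leaf = (Split-Path -Leaf $program).ToLower()
                    [pscustomobject]@{
                        Drive     = $drive
                        Directive = $Matches[1].ToLower()
                        Target    = $Matches[2]
                        WormName  = $WormNames -contains $leaf
                    }
                }
            }
        }
    }
}

Test-RebhipFiles
Test-RebhipRegistry
Get-SuspiciousAutorun | Format-Table -AutoSize
```

Any hit in the registry or file checks is a strong indicator because those paths and value names are specific to this family; an autorun.inf that launches a file with one of the listed names is worth quarantining even when the file name alone is generic, since legitimate removable media rarely carry an autorun.inf that runs an executable from the drive root.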


Alert level: Severe
First detected by definition: 1.71.71.0
Latest detected by definition: 1.183.1283.0 and higher
First detected on: Nov 20, 2009
This entry was first published on: Dec 23, 2009
This entry was updated on: Dec 18, 2012

This threat is also detected as:
  • Trojan.Win32.Llac.aaf (Kaspersky)
  • Win32/Spatet.A (ESET)
  • Trj/Spy.YM (Panda)