Worm:Win32/Rebhip.A


Microsoft security software detects and removes this threat.

This worm can steal your sensitive information.

It spreads through infected removable drives, such as USB flash drives.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You must also run a full scan. A full scan might find other hidden malware.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat drops a copy of itself to a folder with a random file and folder name, such as:

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{<GUID>}
Sets value: "StubPath"
With data: "<location and name of malware file>.exe restart"

For example:
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}
Sets value: "StubPath"
With data: "%windir%\system32\install\server.exe restart"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Policies"
where the value name might vary for some samples
With data: "<location and name of malware file>.exe restart"
For example: "%windir%\system32\install\server.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Policies"
where the value name might vary for some samples
With data: "<location and name of malware file>.exe restart"
For example: "%windir%\system32\install\server.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Random>"
where the value name can be HKLM or a dropped file name
With data: "<location and name of malware file>.exe restart"
For example: "%windir%\system32\install\server.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Random>"
where the value name can be HKCU or a dropped file name
With data: "<location and name of malware file>.exe restart"
For example: "%windir%\system32\install\server.exe"

This threat might also open the Internet Explorer or Windows Explorer process (iexplore.exe or explorer.exe) and inject code into it. The injected code is a .dll payload component extracted from the dropped copy of the malware.

It also creates one of the following mutexes. This could be an infection marker to prevent more than one copy of the threat from running on your PC:

  • <USER NAME><RANDOM DIGIT>, for example: Administrator2
  • _x_X_UPDATE_X_x_
  • _x_X_PASSWORDLIST_X_x_
  • _x_X_BLOCKMOUSE_X_x_
  • ***<mutex name>***
  • ***<mutex name>***_PERSIST
  • ***<mutex name>***_SAIR
    where "<mutex name>" can be a random string of letters and numbers

Spreads via...

Removable drives

This worm spreads by copying itself with one of the following file names to all accessible removable drives:

  • system.exe
  • task.exe
  • update.exe
  • winbackup.exe
  • windows.exe

It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection, because legitimate programs also use them.

Payload

Steals sensitive data

Worm:Win32/Rebhip.A can gather various sensitive information about your PC, such as:

  • System information including:
    • Computer name
    • CPU and memory information
    • IP address
    • Network adapter
    • Operating system
  • List of running processes
  • Installed antivirus or security software
  • RAS user accounts
  • Mozilla Firefox user names and passwords
  • Google Chrome user names and passwords
  • MSN settings and contact list
  • FTP account

It stores some of the data it collects in the following files:

File                              Notes
%TEMP%\xx--xx--xx.txt             Contains logged data
%APPDATA%\<user name>.dat         Contains logged data
%APPDATA%\<random>.dat            Contains logged data; file name for example logs.dat
%TEMP%\<user name><digit>.txt     For example: administrator2.txt
%TEMP%\UuU.uUu                    Contains current computer time in HH:MM:SS format
%TEMP%\XxX.xXx                    Contains current computer time in HH:MM:SS format


It sends the logged and collected information to a remote server. Some of the command and control (C&C) servers we have seen it try to connect to in the wild are:

  • extremesc.no-ip.org
  • hopto.dynu.com
  • mateusmacedo.no-ip.org
  • ralacapeta.no-ip.biz
  • zerocool6.no-ip.biz

Changes internet security settings

The worm changes your internet security settings, possibly so it can access websites that would otherwise be blocked from loading. It does this by changing the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "ProxyBypass"
With data: "1"
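
The following PowerShell audit is an added example and is not part of the Microsoft entry: it reads the registry and file-system locations this entry lists (Active Setup, Run and Policies\Explorer\Run values ending in "restart", the ZoneMap ProxyBypass setting, and the log files under %TEMP% and %APPDATA%) and reports any matches for manual review. It assumes an elevated PowerShell session and makes no changes to the system.

```powershell
# Added example, not from the Microsoft encyclopedia entry: read-only audit of a
# Windows host for the persistence values, proxy setting and log files this entry
# describes. Assumptions: elevated session; every finding is reviewed by hand,
# since a Run value ending in "restart" is suspicious but not proof on its own.
$findings = @()

# Active Setup StubPath values that launch an .exe with the "restart" argument
$asRoot = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
foreach ($item in (Get-ChildItem $asRoot -ErrorAction SilentlyContinue)) {
    $stub = (Get-ItemProperty $item.PSPath -ErrorAction SilentlyContinue).StubPath
    if ("$stub" -match '\.exe\s+restart\s*$') {
        $findings += "Active Setup StubPath with 'restart' argument: $($item.PSChildName) -> $stub"
    }
}

# Run and Policies\Explorer\Run values of the form "<path>.exe restart" or the sample path
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
        $data = "$($p.Value)"
        if ($data -match '\.exe\s+restart\s*$' -or $data -like '*\system32\install\server.exe*') {
            $findings += "Run value '$($p.Name)' in $key -> $data"
        }
    }
}

# ZoneMap ProxyBypass set to 1, as under "Changes internet security settings"
$zm = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap' -ErrorAction SilentlyContinue
if ($zm -and $zm.ProxyBypass -eq 1) { $findings += 'ZoneMap ProxyBypass is set to 1' }

# Log files named in this entry under %TEMP% and %APPDATA%
$files = @("$env:TEMP\xx--xx--xx.txt", "$env:TEMP\UuU.uUu", "$env:TEMP\XxX.xXx",
           "$env:APPDATA\$($env:USERNAME).dat")
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "Indicator file present: $f" }
}

if ($findings.Count -eq 0) { 'No Rebhip.A indicators found' } else { $findings }
```

Files named <random>.dat and <user name><digit>.txt cannot be matched by fixed name and are better found by listing recently created .dat and .txt files in those folders.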

Additional information

The worm changes the registry to keep track of when it was installed on your PC. It might do this so it knows when to download an updated version of itself. The changes are:

In subkey: HKCU\Software\SlysBitch
where recent Rebhip samples use random key names
Sets value: "FirstExecution"
With data: "<current date and time>", for example: "15/09/2014 -- 15:03"

Sets value: "NewIdentification"
With data: "SlysBitch"
where recent Rebhip samples use random registry data

Related information

Keeping Kerrigan from Infection - Microsoft Malware Protection Center blog, July 2010

A Happy Thanksgiving from Rebhip? - Microsoft Malware Protection Center blog, November 2010

Social Engineering Advice - Microsoft Security Intelligence Report featured article

Analysis by Rex Plantado


Symptoms

The registry changes listed under Installation above (the Active Setup "StubPath" value and the Run and Policies\Explorer\Run values whose data ends in ".exe restart") can indicate that you have this threat on your PC.

Alert level: Severe
First detected by definition: 1.71.71.0
Latest detected by definition: 1.187.178.0 and higher
First detected on: Nov 20, 2009
This entry was first published on: Dec 23, 2009
This entry was updated on: Oct 06, 2014

This threat is also detected as:
  • Trojan.Win32.Llac.aaf (Kaspersky)
  • Win32/Spatet.A (ESET)
  • Trj/Spy.YM (Panda)