Installation
Worm:Win32/Rebhip copies itself to a subdirectory of the <system folder> directory (the subdirectory name varies between samples) and modifies the registry so that the copy is executed at each Windows start.
Commonly used subdirectories include the following:
- adobe
- booter
- chrome
- cmd
- conf.exe
- ctfmon
- dllcache
- dllinstall
- dlll32.exe
- driver
- drivers
- dxvi
- dynamicpkz
- explorer
- gameshadow
- google
- hosts
- idss.dll
- ins
- install
- instjs
- java
- messenger
- micro-soft
- microsoftupdater
- msn
- perfmonitor
- root
- rundll32
- sms
- spynet
- spynet54
- svchost
- svhost
- symantec
- sys
- sys32
- sysetm
- system
- system32
- tek9
- update
- update_flash
- v1rus
- win
- win32
- winboot
- winbooterr
- windiiir
- windir
- windll
- windows
- windowsdefender
- windowsupdate
- windr
- windupdt
- winlog
- winlogon
- winreg
- winupdate
And commonly used file names include the following:
- 2.exe
- adinss.exe
- atp.exe
- chrome.exe
- comddl1.exe
- conf.exe
- crisys2.exe
- crossfire.wallhack.exe
- cs.exe
- ctfmon.exe
- ddl.exe
- diagnose.exe
- dll.exe
- dll32.exe
- dss.exe
- dynamicpkz.exe
- epicbot.exe
- esplorer.exe
- explore.exe
- explorer.exe
- flash.exe
- gamer.exe
- hosts.exe
- iexplorer.exe
- iiexplorer.exe
- ijavaupdate.exe
- install.exe
- intall.exe
- ipdate.exe
- javaru.exe
- javascheds.exe
- jvclient.exe
- kaspersky.exe
- kb321009.exe
- keygen.exe
- khaled.exe
- lilly.exe
- mensssenger.exe
- microsoftupdate.exe
- microupdate.exe
- msconcat.exe
- msn.exe
- msnd.exe
- msnmsgr.exe
- netsniper.exe
- perfmon.exe
- photo.exe
- piccc.exe
- player.exe
- registry.exe
- rundll32.exe
- runescapekeylogger.exe
- scvhost.exe
- server.exe
- servertest.exe
- serves.exe
- service.exe
- servis.exe
- setting.exe
- setup.exe
- skype.exe
- smss.exe
- soft.exe
- spoolsvs.exe
- svchost.exe
- svchost22.exe
- svchosts.exe
- svchust.exe
- svhost.exe
- svhost32update.exe
- sysstem32.exe
- system.exe
- system32.exe
- systema.exe
- systemconfig.exe
- systemresh.exe
- testing.exe
- troublekeylogger.exe
- update.exe
- updater.exe
- win.exe
- win32.exe
- win_xp.exe
- winampagent.exe
- wincy.exe
- windll.exe
- windows.exe
- windowsdefender.exe
- windowsup.exe
- windowsupdate.exe
- winexplorer.exe
- winlog-updates.exe
- winlogin.exe
- winlogon.exe
- winnload.exe
- winserver.exe
- winupdate.exe
- wlcomm.exe
Note that the worm is configurable and could use any directory or file name.
It changes the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: <value>, where <value> is variable
With data: <worm location>
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: <value>, where <value> is variable
With data: <worm location>
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <value>, where <value> is variable
With data: <worm location>
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <value>, where <value> is variable
With data: <worm location>
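The persistence described above (four autostart keys, an executable in a subdirectory of the system folder, a name borrowed from a Windows binary) is easy to hunt for in a registry export. The following Python is an added example written for this page, not Microsoft's code or anything from the worm itself: it parses `reg export` output, keeps only values under the four keys named above, and flags those whose data points into one of the listed subdirectories or uses one of the listed file names outside its normal location. The sample export, the assumption that the system folder is C:\Windows\system32, and the heuristic that Policies\Explorer\Run entries deserve a look are this example's own; only subsets of the two name lists are included.

```python
import re
from typing import Dict, List

# The four autostart keys named above, as `reg export` spells them (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Subsets of the subdirectory and file names listed above; extend from the full lists as needed.
SUSPICIOUS_DIRS = {"sysetm", "svhost", "winupdate", "windowsdefender", "micro-soft",
                   "dllcache", "system32", "win32", "spynet", "v1rus"}
SUSPICIOUS_FILES = {"svchost.exe", "svhost.exe", "scvhost.exe", "system.exe", "winlogon.exe",
                    "windowsupdate.exe", "explorer.exe", "server.exe"}

# An executable one level below the system folder (assumed here to be C:\Windows\system32).
# Rebhip installs into such a subdirectory; genuine system binaries such as svchost.exe live
# directly in system32, which this pattern deliberately does not match.
SYSDIR_SUB_EXE = re.compile(r"\\system32\\([^\\]+)\\([^\\]+\.exe)\s*$", re.IGNORECASE)
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="string data" lines only


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Return {key, name, data} for every REG_SZ value in a .reg export (other value types ignored)."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = REG_VALUE.match(line)
            if m:
                # .reg files escape backslashes and quotes inside string data
                data = re.sub(r"\\(.)", r"\1", m.group(2))
                entries.append({"key": key, "name": m.group(1), "data": data})
    return entries


def hunt_run_keys(reg_text: str) -> List[Dict[str, str]]:
    """Flag autostart values in the worm's four persistence keys that look like a Rebhip install."""
    findings = []
    for e in parse_reg_export(reg_text):
        if e["key"].lower() not in RUN_KEYS:
            continue
        reasons = []
        # Heuristic (this example's assumption): legitimate software rarely installs into the
        # Policies\Explorer\Run keys, so any value there deserves a look.
        if "\\policies\\explorer\\run" in e["key"].lower():
            reasons.append("uses Policies\\Explorer\\Run")
        m = SYSDIR_SUB_EXE.search(e["data"])
        if m:
            subdir, exe = m.group(1).lower(), m.group(2).lower()
            if subdir in SUSPICIOUS_DIRS:
                reasons.append(f"system-folder subdirectory '{subdir}' is on the Rebhip list")
            if exe in SUSPICIOUS_FILES:
                reasons.append(f"file name '{exe}' is on the Rebhip list and sits outside its normal location")
        if reasons:
            findings.append({**e, "reasons": "; ".join(reasons)})
    return findings


# Constructed sample of `reg export` output for this example; not a capture from a real infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Windows\\system32\\winupdate\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\Windows\\system32\\sysetm\\system.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
'''

if __name__ == "__main__":
    for f in hunt_run_keys(SAMPLE_REG):
        print(f'{f["key"]}\\{f["name"]} -> {f["data"]}\n    {f["reasons"]}')
```

On a live system the input would come from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run out.reg` (and the other three keys); the entry directly in system32 is left alone on purpose, since the worm's tell is the extra subdirectory, not the borrowed name by itself.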
Commonly, Worm:Win32/Rebhip starts a number of processes, including explorer.exe, and injects its code into them.
Variants of this family use a configuration file, typically stored in the temporary directory of the user profile. The file name is derived from the user login name combined with the number 2 and a text file (.txt) extension.
The contents of the configuration file are partially obfuscated. Opened in a text editor such as Notepad, the file reveals the location of the malware executable that created it, surrounded by otherwise unreadable text.
The configuration data contains the following items:
- A list of Command and Control (C & C) servers
- Encrypted copy of the executable file and its plugins
- Anti-debugging options
- Installation location
- Persistence method
- Remote Administration Tool (RAT) builder version
- Spreading functionality
A more comprehensive list of configuration options includes:
- C & C server list - can contain up to 20 individual entries
- Botnet identification string
- Installation directory and registry method for automatic startup (current user or local machine)
- Keylogging functionality (enable or disable) and whether to upload logs to FTP server
- Anti-debugging functionality (enable or disable) for:
  - Anubis
  - CWSandbox
  - JoeBox
  - Norman
  - Sandbox IE
  - SoftIce
  - ThreatExpert
  - Virtual PC
  - VirtualBox
  - VMware
- Injection into another process, for example, explorer.exe
- Mutex name, for example, Administrator5_SAIR
- Version of the RAT builder, for example, 2.6
- Spreading functionality, through removable drives and through peer-to-peer networks (the latter only if P2P software is already installed)
- Password stealing functionality, for example from Google Chrome and Mozilla browsers
- Encrypted data containing an executable plugin, for example for theft of browser passwords, the user's contact list, or HTTP proxy settings
The encryption algorithm used is RC4, with the key embedded in the main executable as a plain string, for example njgnjvejvorenwtrnionrionvironvrnv.
After decryption, the MD5 digest of the plugin is compared with the expected value stored inside the configuration file.
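The plugin handling described above (RC4 with a key stored as a plain string, then an MD5 check against a digest kept in the configuration) is worth seeing end to end, both because an analyst can reuse the same steps to pull plugins out of a recovered configuration file and because it shows what the digest does and does not protect. The following Python is an added example written for this page, not code from the worm or from Microsoft: the RC4 routine is a textbook implementation, the key is the example string quoted above, and the "plugin" and its configuration entry are constructed stand-ins, not real Rebhip data.

```python
import hashlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream.

    Encryption and decryption are the same call.
    """
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# The key string quoted above as an example of what is embedded in the main executable.
EMBEDDED_KEY = b"njgnjvejvorenwtrnionrionvironvrnv"


def decrypt_plugin(blob: bytes, expected_md5: str, key: bytes = EMBEDDED_KEY) -> Optional[bytes]:
    """Decrypt an RC4-protected plugin and return it only if its MD5 equals the stored digest.

    A wrong key (or a corrupted blob) yields bytes whose digest does not match, so None is
    returned instead of a broken image.
    """
    plain = rc4(key, blob)
    if hashlib.md5(plain).hexdigest().lower() != expected_md5.lower():
        return None
    return plain


# Constructed stand-in for a plugin (a real one would be a PE image). Only the layout matters:
# the configuration carries the RC4 ciphertext and the MD5 of the decrypted plugin.
FAKE_PLUGIN = b"MZ" + b"\x00" * 6 + b"browser-password-stealer-stub"
CONFIG_ENTRY = {
    "blob": rc4(EMBEDDED_KEY, FAKE_PLUGIN),
    "md5": hashlib.md5(FAKE_PLUGIN).hexdigest(),
}

if __name__ == "__main__":
    plugin = decrypt_plugin(CONFIG_ENTRY["blob"], CONFIG_ENTRY["md5"])
    print("plugin ok" if plugin == FAKE_PLUGIN else "digest mismatch")
    print(decrypt_plugin(CONFIG_ENTRY["blob"], CONFIG_ENTRY["md5"], key=b"wrong-key"))  # None
```

The digest only guards against corruption or a mismatched key. Because the key sits in the executable as a readable string and MD5 is unkeyed, anyone who extracts the key can swap in a different plugin and recompute the digest; the same property is what lets an analyst decrypt and validate every plugin in a recovered configuration file with nothing more than the binary in hand.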
Spreads through…
Removable drives
Worm:Win32/Rebhip spreads by copying itself to all accessible removable drives using a variable name, including but not limited to the following:
- task.exe
- system.exe
- winbackup.exe
- windows.exe
- update.exe
The worm then writes an autorun configuration file named "autorun.inf" that points to the worm copy. When the drive is accessed from a computer that supports the Autorun feature, the worm is launched automatically. Note that Windows 7 and later, and earlier versions with the AutoRun update (KB971029) applied, do not honour autorun.inf on USB drives by default, so this vector mainly affects unpatched older systems.
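When triaging a removable drive (or an image of one), the autorun.inf is the first thing to read. The following Python is an added example for this page, not code from the worm or from Microsoft: it parses the [autorun] section, collects every entry that would launch a program (open=, shellexecute= and shell\<verb>\command=), and checks the referenced file names against the list given above. Both sample files are constructed for the example; the first is written in the shape a worm dropper would produce, the second is a harmless icon-and-label file.

```python
from typing import Dict, List

# Names the write-up lists for the copy dropped on removable drives.
REBHIP_DRIVE_NAMES = {"task.exe", "system.exe", "winbackup.exe", "windows.exe", "update.exe"}
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [autorun] section; keys lower-cased, comments skipped."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            entries[k.strip().lower()] = v.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Programs the file would launch: open=, shellexecute= and any shell\\<verb>\\command= entry."""
    targets: List[str] = []
    for k, v in entries.items():
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            parts = v.split()
            exe = parts[0].strip('"') if parts else ""   # drop arguments and surrounding quotes
            if exe and exe not in targets:
                targets.append(exe)
    return targets


def assess_autorun(text: str) -> Dict[str, object]:
    """Summarise what an autorun.inf would do and whether it matches the Rebhip drive-copy names."""
    targets = launch_targets(parse_autorun(text))
    return {
        "targets": targets,
        "launches_executable": any(t.lower().endswith(".exe") for t in targets),
        "rebhip_name_hits": [t for t in targets
                             if t.rsplit("\\", 1)[-1].lower() in REBHIP_DRIVE_NAMES],
    }


# Constructed samples (not captured from real drives): one in the shape a worm dropper writes,
# one benign file that only sets a drive icon and label.
WORM_STYLE = """[autorun]
open=system.exe
shellexecute=system.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=system.exe
"""
BENIGN = """[autorun]
icon=drive.ico
label=Backup
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE), ("benign", BENIGN)):
        print(name, assess_autorun(sample))
```

The action= line in the first sample is the usual social-engineering touch: it makes the AutoPlay dialog read like the normal "Open folder to view files" choice while running the executable instead, which is why the triage keys on what would be launched rather than on the visible text.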
Payload
Steals sensitive data
Worm:Win32/Rebhip can gather various information about the infected PC, for example which security software is installed and which processes or services are currently running.
It can also log your keystrokes and attempt to steal your passwords. Worm:Win32/Rebhip sends the information it collects to various remote hosts. For example, one variant was observed to contact sly.fcuked.me.uk for this purpose.
Additional information
Worm:Win32/Rebhip commonly uses the following mutexes:
- _x_X_UPDATE_X_x_
- _x_X_PASSWORDLIST_X_x_
- _x_X_BLOCKMOUSE_X_x_
Analysis by Matt McCormack