Home / malware Worm:Win32/Rebhip.U
First posted on 08 March 2019.
Source: MicrosoftAliases :
There are no other names known for Worm:Win32/Rebhip.U.
Explanation :
Installation
This worm is typically installed through removable drives and attempts to steal sensitive information from the affected PC.
Variants of this family can use the following configuration files:
%TEMP% Admin2.txt %TEMP% Administrator2.txt %TEMP% Ibrahim2.txt %TEMP%User2.txt
Typically, these configuration files are stored in the temporary directory of the user profile. The file names are based on the user login name combined with number 2 and a text file extension.
The contents of the configuration file are partially obfuscated. When you open the file in a text editor, for example: Notepad, it can reveal the location of the malware executable that created it, along with other un-readable text.
The configuration data contains the following items:
A list of Command and Control (C & C) servers Encrypted copy of the executable file and its plugins Anti-debugging options Installation location Persistence method Remote Administration Tool (RAT) builder version Spreading functionality
A more comprehensive list of configuration options includes:
C & C server list - can contain up to 20 individual entries Botnet identification string Installation directory and registry method for automatic startup (current user or local machine) Keylogging functionality (enable or disable) and whether to upload logs to FTP server Anti-debugging functionality (enable or disable) for: Anubis CWSandbox JoeBox Norman Sandbox IE SoftIce ThreatExpert Virtual PC VirtualBox VMware Injection into another process, for example, explorer.exe Mutex name, for example, Administrator5_SAIR Version of the RAT builder, for example, 2.6 Spreading functionality can be through removable drives and peer-to-peer networks, only if P2P software is already installed Password stealing functionality, for example, Google Chrome, Mozilla Encrypted data containing an executable plugin, for example, information theft of browser passwords, user's contacts list, and HTTP proxy
The employed encryption algorithm is RC4 with a key embedded in the main executable as a regular string, for example, njgnjvejvorenwtrnionrionvironvrnv.
After the decryption, the MD5 digest of the plug-in is compared to a valid value stored inside the configuration file.
Spreads through
Removable drives
This worm can spread by creating files on network or removable drives, such as USB flash drives.
Payload
Steals sensitive data
It can gather various information about your PC system, for example, details of which security software is installed and which processes or services are currently running.
It can also log your keystrokes and attempt to steal your passwords. The worm sends the information it collects to various remote hosts. For example, one variant was observed to contact sly.fcuked.me.uk for this purpose.Last update 08 March 2019
