
Worm:Win32/Rebhip


First posted on 20 May 2019.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Rebhip.

Explanation :

Installation

Worm:Win32/Rebhip copies itself to a variable subdirectory in the  directory, and modifies the registry so its file is executed at each Windows start.

Commonly used subdirectories include the following:

adobe, booter, chrome, cmd, conf.exe, ctfmon, dllcache, dllinstall, dlll32.exe, driver, drivers, dxvi, dynamicpkz, explorer, gameshadow, google, hosts, idss.dll, ins, install, instjs, java, messenger, micro-soft, microsoftupdater, msn, perfmonitor, root, rundll32, sms, spynet, spynet54, svchost, svhost, symantec, sys, sys32, sysetm, system, system32, tek9, update, update_flash, v1rus, win, win32, winboot, winbooterr, windiiir, windir, windll, windows, windowsdefender, windowsupdate, windr, windupdt, winlog, winlogon, winreg, winupdate

And commonly used file names include the following:

2.exe, adinss.exe, atp.exe, chrome.exe, comddl1.exe, conf.exe, crisys2.exe, crossfire.wallhack.exe, cs.exe, ctfmon.exe, ddl.exe, diagnose.exe, dll.exe, dll32.exe, dss.exe, dynamicpkz.exe, epicbot.exe, esplorer.exe, explore.exe, explorer.exe, flash.exe, gamer.exe, hosts.exe, iexplorer.exe, iiexplorer.exe, ijavaupdate.exe, install.exe, intall.exe, ipdate.exe, javaru.exe, javascheds.exe, jvclient.exe, kaspersky.exe, kb321009.exe, keygen.exe, khaled.exe, lilly.exe, mensssenger.exe, microsoftupdate.exe, microupdate.exe, msconcat.exe, msn.exe, msnd.exe, msnmsgr.exe, netsniper.exe, perfmon.exe, photo.exe, piccc.exe, player.exe, registry.exe, rundll32.exe, runescapekeylogger.exe, scvhost.exe, server.exe, servertest.exe, serves.exe, service.exe, servis.exe, setting.exe, setup.exe, skype.exe, smss.exe, soft.exe, spoolsvs.exe, svchost.exe, svchost22.exe, svchosts.exe, svchust.exe, svhost.exe, svhost32update.exe, sysstem32.exe, system.exe, system32.exe, systema.exe, systemconfig.exe, systemresh.exe, testing.exe, troublekeylogger.exe, update.exe, updater.exe, win.exe, win32.exe, win_xp.exe, winampagent.exe, wincy.exe, windll.exe, windows.exe, windowsdefender.exe, windowsup.exe, windowsupdate.exe, winexplorer.exe, winlog-updates.exe, winlogin.exe, winlogon.exe, winnload.exe, winserver.exe, winupdate.exe, wlcomm.exe

It should be noted that the worm is configurable, and could have any name.

It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: , where is variable
With data:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: , where is variable
With data:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: , where is variable
With data:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: , where is variable
With data:
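
The four autostart keys above are the first place a responder looks when this family is suspected. The following script is an added example, not part of the Microsoft write-up: it parses a registry export in .reg format and flags Run-key entries whose image path uses one of the lookalike file names or install subdirectories listed above, or a genuine Windows binary name (svchost.exe, explorer.exe, winlogon.exe and so on) located outside a Windows system directory. The .reg text, the value names in it and the Windows paths are constructed sample input; the name subsets and the "system directory" whitelist are the author's choices and can be extended from the lists above.

```python
import re
from typing import Dict, List, Tuple

# The four autostart keys named in the write-up, spelled as a .reg export spells
# them and lower-cased because registry paths are case-insensitive.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Subsets of the subdirectory and file names listed in the write-up.
LOOKALIKE_FILES = {"svchust.exe", "scvhost.exe", "svhost.exe", "svchosts.exe", "sysstem32.exe",
                   "iiexplorer.exe", "esplorer.exe", "winlogin.exe", "mensssenger.exe", "spoolsvs.exe"}
ODD_DIRS = {"spynet", "spynet54", "winbooterr", "windiiir", "sysetm", "micro-soft", "v1rus", "tek9", "dynamicpkz"}
# Genuine Windows binary names the worm also borrows; these are expected only in SYSTEM_DIRS.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "ctfmon.exe", "rundll32.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

REASON_LOOKALIKE = "lookalike file name"
REASON_DIR = "install directory from the worm's list"
REASON_OUTSIDE = "system binary name outside a system directory"

VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] / "name"="data" layout of a .reg export into {key: {name: data}}."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                # .reg files escape backslashes and quotes inside string data; undo that.
                data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
                entries[current][m.group("name")] = data
    return entries

def image_path(command: str) -> str:
    """Pull the executable path out of a command line ("quoted path" args, or path args)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def triage_run_keys(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, image path, reason) for every autostart entry worth a look."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            path = image_path(data)
            parts = path.lower().split("\\")
            file_name = parts[-1]
            parent_dir = "\\".join(parts[:-1])
            parent_name = parts[-2] if len(parts) > 1 else ""
            if file_name in LOOKALIKE_FILES:
                findings.append((key, name, path, REASON_LOOKALIKE))
            elif parent_name in ODD_DIRS:
                findings.append((key, name, path, REASON_DIR))
            elif file_name in SYSTEM_NAMES and parent_dir not in SYSTEM_DIRS:
                findings.append((key, name, path, REASON_OUTSIDE))
    return findings

# Constructed sample export: benign entries plus three entries shaped like the worm's.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Policies"="C:\\Windows\\spynet54\\svchust.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Updater"="C:\\Windows\\system32\\dllcache\\svchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Windows Update"="C:\\Users\\alice\\AppData\\Roaming\\v1rus\\update.exe"
'''

if __name__ == "__main__":
    for key, name, path, reason in triage_run_keys(SAMPLE_REG):
        print(f"{reason}: {name} -> {path}  [{key}]")
```

On a live system the same function can be fed the output of `reg export` for each of the four keys. Because the write-up says the worm is configurable and may use any name, the third rule (a well-known binary name outside a system directory) catches copies that the name lists alone would miss.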

Commonly, Worm:Win32/Rebhip opens a number of processes, including explorer.exe, and injects code into them.

Variants of this family can use the following configuration files:

%TEMP%\Admin2.txt, %TEMP%\Administrator2.txt, %TEMP%\Ibrahim2.txt, %TEMP%\User2.txt

Typically, these configuration files are stored in the temporary directory of the user profile. The file name is the user's login name followed by the number 2 and a .txt extension.

The contents of the configuration file are partially obfuscated. When you open the file in a text editor such as Notepad, it reveals the location of the malware executable that created it, surrounded by otherwise unreadable text.

The configuration data contains the following items:

A list of Command and Control (C & C) servers
Encrypted copy of the executable file and its plugins
Anti-debugging options
Installation location
Persistence method
Remote Administration Tool (RAT) builder version
Spreading functionality

A more comprehensive list of configuration options includes:

C & C server list (can contain up to 20 individual entries)
Botnet identification string
Installation directory and registry method for automatic startup (current user or local machine)
Keylogging functionality (enable or disable) and whether to upload logs to an FTP server
Anti-debugging functionality (enable or disable) for: Anubis, CWSandbox, JoeBox, Norman Sandbox IE, SoftIce, ThreatExpert, Virtual PC, VirtualBox, VMware
Injection into another process, for example, explorer.exe
Mutex name, for example, Administrator5_SAIR
Version of the RAT builder, for example, 2.6
Spreading functionality, through removable drives and peer-to-peer networks (the latter only if P2P software is already installed)
Password stealing functionality, for example, for Google Chrome and Mozilla
Encrypted data containing an executable plugin, for example, for theft of browser passwords, the user's contacts list, and HTTP proxy

The encryption algorithm used is RC4, with a key embedded in the main executable as a plain string, for example, njgnjvejvorenwtrnionrionvironvrnv.

After decryption, the MD5 digest of the plug-in is compared with the expected value stored inside the configuration file.
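
The two sentences above describe the whole protection scheme for the embedded plug-in: a symmetric cipher with a key stored in the clear, plus a digest used as an integrity check rather than as authentication. The following code is an added example, not code from the Microsoft write-up or from the malware: it implements textbook RC4, builds a config record (RC4 blob plus MD5 of the plaintext) and then recovers the plug-in the way an analyst who has extracted the key string from the binary would, rejecting the blob when the digest does not match. The key string is the example quoted above; the plug-in bytes are a constructed stand-in, not a real plug-in.

```python
import hashlib
from typing import Optional, Tuple

# Example key string quoted in the write-up; the plug-in bytes are constructed filler.
SAMPLE_KEY = b"njgnjvejvorenwtrnionrionvironvrnv"
SAMPLE_PLUGIN = b"MZ" + b"\x90" * 14 + b"constructed stand-in for a plug-in body"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). Encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute the state with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA: one keystream byte per data byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def build_config_record(key: bytes, plugin: bytes) -> Tuple[bytes, str]:
    """What the config file stores for a plug-in: the RC4 blob and the MD5 of the plaintext."""
    return rc4(key, plugin), hashlib.md5(plugin).hexdigest()

def recover_plugin(key: bytes, blob: bytes, expected_md5: str) -> Optional[bytes]:
    """Decrypt the blob and accept it only if its MD5 matches the digest stored beside it."""
    plain = rc4(key, blob)
    if hashlib.md5(plain).hexdigest().lower() != expected_md5.lower():
        return None                            # wrong key, truncated or tampered blob
    return plain

def demo() -> Tuple[bool, bool, bool]:
    """Round trip with the right key, then a flipped ciphertext bit, then a wrong key."""
    blob, digest = build_config_record(SAMPLE_KEY, SAMPLE_PLUGIN)
    good = recover_plugin(SAMPLE_KEY, blob, digest)
    tampered = recover_plugin(SAMPLE_KEY, blob[:-1] + bytes([blob[-1] ^ 0x01]), digest)
    wrong_key = recover_plugin(b"not-the-real-key", blob, digest)
    return good == SAMPLE_PLUGIN, tampered is None, wrong_key is None

if __name__ == "__main__":
    print("recovered, tamper rejected, wrong key rejected:", demo())
```

The digest check only tells the worm that decryption produced the bytes its builder packed; it gives no protection against an analyst, because the key sits in the executable as a plain string and MD5 is not keyed. That is exactly why a static key like the one quoted above is such a useful artefact when writing a configuration extractor for this family.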

Spreads through…

Removable drives

Worm:Win32/Rebhip spreads by copying itself to all accessible removable drives using a variable name, including but not limited to the following:

task.exe, system.exe, winbackup.exe, windows.exe, update.exe

The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
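
The two steps above (copy to the drive, then write an autorun.inf that names the copy) leave a small, parseable artefact on every infected drive. The following script is an added example, not code from the Microsoft write-up: it parses the [autorun] section of an autorun.inf, looks at each directive that can launch a program (open, shellexecute, shell\open\command, shell\explore\command) and reports those whose target uses one of the copy names listed above. The sample autorun.inf is constructed, not a captured file, and the set of launch directives reflects the documented autorun.inf format rather than anything specific to this worm.

```python
from typing import Dict, List, Tuple

# File names the write-up says the worm uses for its copy on removable drives.
WORM_COPY_NAMES = {"task.exe", "system.exe", "winbackup.exe", "windows.exe", "update.exe"}

# autorun.inf directives that launch a program; shell\open\command also replaces the
# drive's default double-click action, which is how the copy gets started on access.
LAUNCH_DIRECTIVES = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Collect key=value pairs from the [autorun] section; keys are lower-cased."""
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                              # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def image_path(command: str) -> str:
    """Pull the executable out of a directive value ("quoted path" args, or path args)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def assess_autorun(text: str) -> List[Tuple[str, str]]:
    """Return (directive, executable) for each launch directive pointing at a worm copy name."""
    hits = []
    for directive, value in parse_autorun_inf(text).items():
        if directive not in LAUNCH_DIRECTIVES:
            continue
        target = image_path(value)
        base_name = target.lower().replace("/", "\\").split("\\")[-1]
        if base_name in WORM_COPY_NAMES:
            hits.append((directive, target))
    return hits

# Constructed sample shaped like the autorun.inf the write-up describes (not a captured file).
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample, not a captured file
open=system.exe
shell\open\command=system.exe
shellexecute=update.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    for directive, target in assess_autorun(SAMPLE_AUTORUN):
        print(f"{directive} launches {target}")
```

A legitimate installer disc with only icon= and label= directives, or an open= line pointing at its own setup program, produces no hits, so the check stays quiet on the usual benign autorun.inf. Disabling Autorun for removable media, which Microsoft has done by default since the Windows 7 era, removes the launch vector entirely; the parser is still useful when triaging a drive that came from an older or unmanaged machine.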

Payload

Steals sensitive data

Worm:Win32/Rebhip can gather various information about your PC system, for example, details of which security software is installed and which processes or services are currently running.

It can also log your keystrokes and attempt to steal your passwords. Worm:Win32/Rebhip sends the information it collects to various remote hosts. For example, one variant was observed to contact sly.fcuked.me.uk for this purpose.

Additional information

Worm:Win32/Rebhip commonly uses the following mutexes:

_x_X_UPDATE_X_x_, _x_X_PASSWORDLIST_X_x_, _x_X_BLOCKMOUSE_X_x_

Analysis by Matt McCormack

Last update 20 May 2019
