W32/Rexli-A

Discussion in 'malware problems & news' started by FanJ, Feb 12, 2002.

Thread Status:
Not open for further replies.
  1. FanJ
    Online

    FanJ Guest

    Name: W32/Rexli-A
    Type: Win32 worm
    Date: 12 February 2002

    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description:

    W32/Rexli-A is an email worm. When the worm is first executed it
    will display a fake error message with the text "Error while
    loading <filename>.", where <filename> will normally be
    linki.exe.

    It will then attempt to email a copy of itself to all addresses
    in the user's Outlook address book. The email will have the
    following characteristics:

    Subject: Cool linki
    Message body: Przesylam ci znaleziona baze danych linków. Jest
    tam duzo stron, których na pewno nie znasz :)
    Attachment: linki.exe

    The worm creates copies of itself named linki.exe and rexec.exe
    in the Windows system directory and replaces any .VBS files on
    the hard disk with a script which will attempt to run the worm.
    This script will be detected by this identity.

    W32/Rexli-A also uses mIRC to spread. It will replace the mIRC
    script.ini file with one which will send a copy of the worm to
    other IRC users. The new script.ini file will be detected by SAV
    as mIRC/Simp-Fam.

    A count of the number of times the worm has been run is kept in
    the registry key

    HKCU\Software\VB and VBA Program Settings\Rax\General\Runs

    When this number reaches 100 the worm will delete the files
    himem.sys, ifshlp.sys and win.com from the Windows directory and
    himem.sys from the Windows command\ebd directory. It will also
    modify autoexec.bat so that the next time the computer is booted
    the file internat.exe in the Windows directory will be renamed
    to internat.bak and replaced with a copy of the worm.


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32rexlia.html
Thread Status:
Not open for further replies.