W32/Rexli-A

Name: W32/Rexli-A
Type: Win32 worm
Date: 12 February 2002

At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory
following enquiries to our support department from customers.

Description:

W32/Rexli-A is an email worm. When the worm is first executed it
will display a fake error message with the text "Error while
loading <filename>.", where <filename> will normally be
linki.exe.

It will then attempt to email a copy of itself to all addresses
in the user's Outlook address book. The email will have the
following characteristics:

Subject: Cool linki
Message body: Przesylam ci znaleziona baze danych linków. Jest
tam duzo stron, których na pewno nie znasz
Attachment: linki.exe

The worm creates copies of itself named linki.exe and rexec.exe
in the Windows system directory and replaces any .VBS files on
the hard disk with a script which will attempt to run the worm.
This script will be detected by this identity.

W32/Rexli-A also uses mIRC to spread. It will replace the mIRC
script.ini file with one which will send a copy of the worm to
other IRC users. The new script.ini file will be detected by SAV
as mIRC/Simp-Fam.

A count of the number of times the worm has been run is kept in
the registry key

HKCU\Software\VB and VBA Program Settings\Rax\General\Runs

When this number reaches 100 the worm will delete the files
himem.sys, ifshlp.sys and win.com from the Windows directory and
himem.sys from the Windows command\ebd directory. It will also
modify autoexec.bat so that the next time the computer is booted
the file internat.exe in the Windows directory will be renamed
to internat.bak and replaced with a copy of the worm.


Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32rexlia.html