Name: W32/Rexli-A
Type: Win32 worm
Date: 12 February 2002

At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description:

W32/Rexli-A is an email worm. When the worm is first executed it will display a fake error message with the text "Error while loading <filename>.", where <filename> will normally be linki.exe. It will then attempt to email a copy of itself to all addresses in the user's Outlook address book. The email will have the following characteristics:

Subject: Cool linki
Message body: Przesylam ci znaleziona baze danych linków. Jest tam duzo stron, których na pewno nie znasz
Attachment: linki.exe

The worm creates copies of itself named linki.exe and rexec.exe in the Windows system directory and replaces any .VBS files on the hard disk with a script which will attempt to run the worm. This script will be detected by this identity.

W32/Rexli-A also uses mIRC to spread. It will replace the mIRC script.ini file with one which will send a copy of the worm to other IRC users. The new script.ini file will be detected by SAV as mIRC/Simp-Fam.

A count of the number of times the worm has been run is kept in the registry key

HKCU\Software\VB and VBA Program Settings\Rax\General\Runs

When this number reaches 100 the worm will delete the files himem.sys, ifshlp.sys and win.com from the Windows directory and himem.sys from the Windows command\ebd directory. It will also modify autoexec.bat so that the next time the computer is booted the file internat.exe in the Windows directory will be renamed to internat.bak and replaced with a copy of the worm.

Read the analysis at http://www.sophos.com/virusinfo/analyses/w32rexlia.html
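
The on-disk traces described above can be checked on an offline copy of a suspect Windows directory. The following triage script is an added example, not Sophos code and not a replacement for a scanner. Assumptions: the function names are hypothetical, the system directory is named system or system32, autoexec.bat sits one level above the Windows directory, and any mention of "internat" in autoexec.bat is treated as suspicious because the advisory does not give the exact line the worm writes.

```python
from pathlib import Path

# File names taken from the advisory text.
DROPPED = ("linki.exe", "rexec.exe")   # worm copies in the system directory
# Deleted once the run counter reaches 100. Assumption: the copy under
# examination is an installation where these files normally exist.
DELETED = ("himem.sys", "ifshlp.sys", "win.com", "command/ebd/himem.sys")


def find_ci(base: Path, rel: str):
    """Resolve rel under base ignoring case (mounted FAT images vary in case)."""
    cur = base
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((p for p in cur.iterdir()
                    if p.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur


def triage(windows_dir: Path, system_names=("system", "system32")) -> list:
    """Return a list of findings for an offline copy of a Windows directory."""
    findings = []
    for sysname in system_names:
        for name in DROPPED:
            if find_ci(windows_dir, f"{sysname}/{name}"):
                findings.append(f"dropped copy: {sysname}/{name}")
    for rel in DELETED:
        if find_ci(windows_dir, rel) is None:
            findings.append(f"payload target missing: {rel}")
    if find_ci(windows_dir, "internat.bak"):
        findings.append("internat.bak present: internat.exe may be a worm copy")
    # Assumption: autoexec.bat lives in the drive root above windows_dir.
    autoexec = find_ci(windows_dir.parent, "autoexec.bat")
    if autoexec and "internat" in autoexec.read_text(errors="replace").lower():
        findings.append("autoexec.bat references internat: replacement pending")
    return findings


if __name__ == "__main__":
    import sys
    for line in triage(Path(sys.argv[1])):
        print(line)
```

The run counter in the registry is not covered here; on a live system it can be read from the HKCU key named above.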