W32/Realor.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 11/14/2006
Length: Varies
Minimum DAT: 4896 (11/15/2006)
Updated DAT: 4896 (11/15/2006)
Minimum Engine: 5.1.00
Description Added: 11/14/2006
Description Modified: 11/14/2006 5:34 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

W32/Realor.worm scans the infected machine for existing RealMedia (*.rmvb) files and inserts a malicious external hyperlink into each of them. When these *.rmvb files are viewed, the user's media player may open an external webpage containing an exploit in the preconfigured web browser (e.g. Internet Explorer).

A command-line utility that is part of the Real Helix Producer software is dropped and used by W32/Realor.worm to insert a RealMedia event into *.rmvb files.

At the time of writing, these modified *.rmvb files open a webpage hosted on:

  • krv(hidden).com

and this website was hosting a variant of Exploit-MS06-014, which can install a copy of W32/Lewor.a on systems vulnerable to this exploit. To the user, this website may appear to display only a harmless error message, but it silently loads the exploit in a hidden IFRAME object.
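As an added defender-side example (not code from the original advisory), the following Python script walks the top-level objects of a RealMedia container and reports any embedded http(s) URL whose host is not on an allow list, which is the kind of tampering described above. It does a string-level search inside each object rather than fully parsing RealMedia event streams, and both the sample file and the host malicious.example are constructed placeholders.

```python
import os
import re
import struct
from typing import Iterator, List, Tuple

# RealMedia container layout: each top-level object is a 4-byte id, a 4-byte
# big-endian size (which includes this 10-byte header) and a 2-byte version.
OBJ_HDR = struct.Struct(">4sIH")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._\-]+(?:/[\x21-\x7e]*)?")

def iter_rm_objects(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (object_id, payload) per object; stop on a truncated or bogus size."""
    off = 0
    while off + OBJ_HDR.size <= len(data):
        oid, size, _ver = OBJ_HDR.unpack_from(data, off)
        if size < OBJ_HDR.size:   # a size smaller than its own header can never be valid
            break
        yield oid.decode("latin-1"), data[off + OBJ_HDR.size:off + size]
        off += size

def find_embedded_urls(data: bytes, allowed_hosts: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Return (object_id, url) for every URL whose host is not on the allow list."""
    hits = []
    for oid, payload in iter_rm_objects(data):
        for m in URL_RE.finditer(payload):
            url = m.group(0).decode("latin-1")
            host = url.split("://", 1)[1].split("/", 1)[0].lower()
            if host not in allowed_hosts:
                hits.append((oid, url))
    return hits

def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk a directory and report (path, object_id, url) for every flagged *.rmvb file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".rmvb"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings += [(path, oid, url) for oid, url in find_embedded_urls(fh.read())]
    return findings

def build_object(oid: bytes, payload: bytes) -> bytes:
    """Pack one RealMedia object (used here only to construct the sample below)."""
    return OBJ_HDR.pack(oid, OBJ_HDR.size + len(payload), 0) + payload

# Constructed sample (not a real capture): file header, a content-description object
# and a data object carrying a hyperlink to a placeholder host, as a tampered file might.
SAMPLE_RMVB = (
    build_object(b".RMF", struct.pack(">II", 0, 3))
    + build_object(b"CONT", b"\x00\x05title" + b"\x00" * 6)
    + build_object(b"DATA", b"\x00\x00\x00\x01url:http://malicious.example/index.htm\x00")
)

if __name__ == "__main__":
    print(find_embedded_urls(SAMPLE_RMVB))   # [('DATA', 'http://malicious.example/index.htm')]
```

Run `scan_tree(r"C:\Users")` (or any media folder) to triage real files; a hit is only a lead, since a legitimate producer may also embed links.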

Symptoms

1) Presence of one or more of the following file(s):

  • %Windir%\System32\rmincon.exe (W32/Realor.worm)
  • %Windir%\System32\rmevents.exe (Real Helix Producer)
  • %Windir%\System32\rmevents(random).exe (Real Helix Producer)
  • %Windir%\System32\Tools\rmto3260.dll (Real Helix Producer)

(Real Helix Producer is a RealMedia editor that has legitimate uses.)

2) When RealPlayer is not installed on the infected machine, an error message box reports the following file(s) as missing:

  • pncrt.dll

3) Presence of the following Windows registry key(s):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"rmicon" = "%Windir%\System32\rmincon.exe"

(Where %Windir% is the Windows folder, e.g. C:\Windows)

4) Unexpected launching of unknown websites while viewing local *.rmvb files, such as:

  • krv(hidden).com

Method of Infection

W32/Realor.worm scans the infected machine for existing RealMedia (*.rmvb) files and inserts a malicious external hyperlink into each of them. When these *.rmvb files are viewed, the user's media player may open an external webpage containing an exploit in the preconfigured web browser (e.g. Internet Explorer).

The exploit may install a copy of W32/Realor.worm, W32/Lewor.a or other malware on vulnerable systems.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A