W32/RAHack!htm

Type: Trojan
SubType: Win32
Discovery Date: 12/11/2006
Length: Varies
Minimum DAT: 4916 (12/11/2006)
Updated DAT: 4942 (01/18/2007)
Minimum Engine: 5.1.00
Description Added: 12/11/2006
Description Modified: 03/29/2007 5:47 AM (PT)
Risk Assessment:
  • Corporate User: Low
  • Home User: Low

Characteristics

Infected .HTM and .HTML files have an HTML <OBJECT> tag inserted immediately after the opening <HTML> tag.

This <OBJECT> tag carries two attributes:

  • TYPE = "application/x-oleobject"
  • CLASSID = "CLSID:[GUID]"

Where [GUID] is a hexadecimal class identifier that references a sub-key of HKEY_CLASSES_ROOT\CLSID. The virus registers this class itself: it creates a new sub-key named with a seemingly random GUID and fills it with seemingly random data. An example key, showing the value names and associated data:

  • HKEY_CLASSES_ROOT\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}
    • (Default) = "nelkhhwhvknnkkbb"
    • Sub-key LocalServer32
      • (Default) = "[path]"

Where [path] is the path to a dropped copy of the W32/RAHack virus.

When an infected .HTM(L) file is loaded and rendered in a browser that honours the tag (Internet Explorer, through ActiveX/COM activation), the browser asks COM to instantiate the CLASSID. COM resolves the GUID through the registry, finds the executable named under LocalServer32, and starts it as an out-of-process server. The dropped copy of W32/RAHack therefore runs as a separate process on the viewing system, in the context of the user viewing the page; this is ordinary COM activation, not installation as a system service. Browsers without ActiveX support, and browsers whose ActiveX settings block unapproved controls, ignore the tag.

Symptoms

  • Increased size of .HTM and .HTML files
    • Files infected by this variant grow by 104 bytes
  • Presence of an <OBJECT> tag with a CLASSID attribute inserted directly after the opening <HTML> tag in files with those extensions
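As an added example (not McAfee/AVERT code and not part of this description), the Python script below looks for the infection marker described under Characteristics and Symptoms: an <OBJECT> tag with a CLASSID attribute sitting directly after the opening <HTML> tag. It extracts and normalises the GUID and, on Windows, resolves HKEY_CLASSES_ROOT\CLSID\{GUID}\LocalServer32 to show which executable COM would launch. The sample HTML strings are constructed; the page does not give the exact bytes W32/RAHack writes, so the script keys on the tag's position and attributes rather than an exact byte pattern, and the 104-byte growth is not checked.

```python
import os
import re
import sys

# Constructed sample inputs (assumptions for this example; the page does not give
# the exact bytes W32/RAHack writes). The GUID is the one cited in the description.
SAMPLE_INFECTED = (
    '<HTML><OBJECT type="application/x-oleobject" '
    'CLASSID="CLSID:{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}"></OBJECT>\n'
    '<HEAD><TITLE>Quarterly report</TITLE></HEAD><BODY>report text</BODY></HTML>\n'
)
SAMPLE_CLEAN = '<html><head><title>ok</title></head><body>hello</body></html>\n'
# A legitimate page may use <object classid=...> too, but not as the very first
# child of <html>; that position is what the infection marker relies on.
SAMPLE_LEGIT_OBJECT = (
    '<html><head><title>player</title></head><body>'
    '<object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000"></object>'
    '</body></html>\n'
)

GUID = r'\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?'
# Opening <html ...> tag, optional whitespace, then an <object ...> tag whose
# classid attribute carries a CLSID: prefix followed by a GUID.
INJECTED_OBJECT = re.compile(
    r'<html\b[^>]*>\s*<object\b[^>]*?\bclassid\s*=\s*["\']?\s*clsid:\s*(' + GUID + r')',
    re.IGNORECASE,
)


def find_injected_clsid(html_text):
    """Return the normalised CLSID ({UPPERCASE-GUID}) of an <object> tag that sits
    directly after the opening <html> tag, or None when no such tag is present."""
    m = INJECTED_OBJECT.search(html_text)
    if m is None:
        return None
    return '{' + m.group(1).strip('{}').upper() + '}'


def resolve_local_server(clsid):
    """Look up HKCR\\CLSID\\{clsid}\\LocalServer32, the executable COM launches
    out-of-process when the browser instantiates the object. Returns the path,
    None when the CLSID is not registered, and None on non-Windows hosts where
    there is no registry to query."""
    if not sys.platform.startswith('win'):
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                            r'CLSID\%s\LocalServer32' % clsid) as key:
            value, _ = winreg.QueryValueEx(key, '')
            return value
    except OSError:
        return None


def scan_tree(root):
    """Walk root for .htm/.html files and return (path, clsid, local_server) for
    every file carrying the injected <object> marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(('.htm', '.html')):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'r', encoding='latin-1', errors='replace') as fh:
                clsid = find_injected_clsid(fh.read())
            if clsid is not None:
                hits.append((path, clsid, resolve_local_server(clsid)))
    return hits


if __name__ == '__main__':
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    for path, clsid, server in scan_tree(root):
        print('%s: injected object -> %s, LocalServer32=%s' % (path, clsid, server))
```

Run it against a web root or a user's document folders on the suspect host. A hit whose LocalServer32 points at an unfamiliar executable outside Program Files or the Windows directory is the dropped W32/RAHack copy; a hit whose CLSID is not registered at all still marks the file as modified and in need of cleaning.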

Method of Infection

The .HTM(L) infection is a secondary effect: it occurs only after the system has been infected with the W32/RAHack virus itself, which drops the executable, registers the CLSID under HKEY_CLASSES_ROOT\CLSID, and modifies the HTML files.

Please view the W32/RAHack description for more information on this threat.

Removal

AVERT recommends always using the latest DATs and engine. With the Minimum DAT and Minimum Engine listed above, or later, this threat is detected and cleaned. Because the HTML modification is made by the parent W32/RAHack virus, the host itself must also be cleaned of W32/RAHack, or the files will be re-infected; after cleaning, confirm that the dropped executable and the CLSID sub-key it was registered under are gone.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/RAHack infects .HTM and .HTML files by inserting an <OBJECT> tag that, when rendered by a web browser, causes another instance of the W32/RAHack virus to be executed.