
W32/Rabb.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 04/12/2007
Length: Varies
Minimum DAT: 5007 (04/12/2007)
Updated DAT: 5011 (04/17/2007)
Minimum Engine: 5.1.00
Description Added: 04/12/2007
Description Modified: 04/12/2007 3:58 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Rabb.worm is a destructive worm that overwrites and replaces executable *.EXE files with copies of itself. It can also copy itself onto removable media and mounted network drives. Because the original executables are overwritten rather than infected (none of the original program code is preserved), affected *.EXE files cannot be repaired by the scanner and must be restored from backup or reinstalled.

Upon execution, the worm drops one or more files in the following hardcoded pathname(s):

  • C:\WINDOWS\system32\JK.exe (W32/Rabb.worm)
  • C:\WINDOWS\system32\love.bat (W32/Rabb!bat)
  • C:\WINDOWS\system32\loveRabbit.bat (W32/Rabb!bat)
  • C:\WINDOWS\system32\loveRabbit.exe (W32/Rabb.worm)
  • C:\WINDOWS\system32\msexch400.dll (W32/Rabb.dll)
  • C:\WINDOWS\system32\Rabbit.exe (W32/Rabb.worm)
  • C:\WINDOWS\msconfig.inf (List of .EXE files to infect)
  • C:\WINDOWS\msconfig1.inf (List of .EXE files to infect)

The msexch400.dll file is injected into, and executed within, the running Winlogon.exe process (the Windows logon process, which runs as SYSTEM and is always present), so the worm's code runs without appearing as a separate process.

(Do not confuse the dropped msexch400.dll with msexch40.dll, which has one zero fewer and is a legitimate Microsoft Jet component shipped with Windows.)

It will then attempt to make copies of itself, and overwrite *.EXE files in the following hardcoded location(s):

  • C:\Program Files
  • D:\
  • E:\
  • F:\
  • G:\
  • H:\

A copy of Autorun.inf can be created in the root folder of each infected drive to execute the worm automatically when the drive is opened on a system with AutoPlay enabled. The worm may also set the hidden attribute on these files. Because replaced executables are copies of the worm body, they bear the worm's own icon rather than the original application's icon (the advisory's icon image is not reproduced here).

The following registry key(s) are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4bf41072-b2b1-21c1-b5c1-0305f4155515}\StubPath = "C:\WINDOWS\system32\JK.exe" (hardcoded pathname)

Active Setup runs a component's StubPath command at logon for every user whose HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components hive does not yet contain that component GUID, so this entry relaunches JK.exe the first time each account logs on.

The following registry key(s) are deleted:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

{4D36E967-E325-11CE-BFC1-08002BE10318} is the DiskDrive device setup class. Removing it from the SafeBoot Minimal and Network lists means the disk class driver is not loaded in Safe Mode, so Safe Mode and Safe Mode with Networking no longer boot; this blocks the usual route of cleaning the machine from Safe Mode. These keys must be recreated before Safe Mode will work again.

Symptoms

  • Presence of the mentioned file(s) and registry key(s).
  • Presence of files with the mentioned icon.
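The following triage script is an added example and is not part of the McAfee advisory. It checks a live Windows host for every indicator listed in the Characteristics and Symptoms sections: the dropped files, the Active Setup StubPath entry, the removed SafeBoot DiskDrive keys, Autorun.inf at drive roots, and (because each replaced executable is a byte-identical copy of the worm) clusters of many .EXE files that share one SHA-256 under the targeted locations. Assumptions not taken from the advisory: it uses %SystemRoot% instead of the hardcoded C:\WINDOWS, the cluster threshold of five identical files is a heuristic, and it is run from an elevated Windows PowerShell 2.0 or later prompt.

```powershell
# Added W32/Rabb.worm triage script (example, not McAfee code). Run elevated.
# Assumption: %SystemRoot% stands in for the advisory's hardcoded C:\WINDOWS.
$sysRoot  = $env:SystemRoot
$findings = @()

# 1. Dropped files at the advisory's hardcoded pathnames.
$dropped = @(
    "$sysRoot\system32\JK.exe",
    "$sysRoot\system32\love.bat",
    "$sysRoot\system32\loveRabbit.bat",
    "$sysRoot\system32\loveRabbit.exe",
    "$sysRoot\system32\msexch400.dll",   # msexch40.dll (one zero fewer) is legitimate
    "$sysRoot\system32\Rabbit.exe",
    "$sysRoot\msconfig.inf",
    "$sysRoot\msconfig1.inf"
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. Active Setup persistence under the worm's component GUID.
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{4bf41072-b2b1-21c1-b5c1-0305f4155515}'
if (Test-Path -LiteralPath $asKey) {
    $stub = (Get-ItemProperty -LiteralPath $asKey -ErrorAction SilentlyContinue).StubPath
    $findings += "Active Setup component present, StubPath = '$stub'"
}

# 3. SafeBoot sabotage: the DiskDrive class GUID must exist under Minimal and Network.
$diskClass = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($mode in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$diskClass"
    if (-not (Test-Path -LiteralPath $k)) {
        $findings += "SafeBoot\$mode is missing $diskClass (Safe Mode will not boot)"
    }
}

# 4. Autorun.inf at the root of each drive, and whether it names a worm file.
$wormNames = 'JK\.exe|loveRabbit\.exe|Rabbit\.exe|love\.bat|loveRabbit\.bat'
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'Autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $hit = [bool](Select-String -LiteralPath $inf -Pattern $wormNames -Quiet)
        $findings += "Autorun.inf at $($d.Root) (references worm filename: $hit)"
    }
}

# 5. Overwritten executables: replaced .EXE files are identical copies of the worm,
#    so a cluster of many .EXE files sharing one hash is the restore-from-backup list.
#    Assumption: a cluster of 5+ is suspicious; legitimate duplicates exist, so verify.
function Get-Sha256([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $fs = [System.IO.File]::OpenRead($path)
        try { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
        finally { $fs.Close() }
    } catch { $null }   # locked or unreadable file: skip it
    $sha.Dispose()
}
$minCluster = 5
$roots = @('D:\', 'E:\', 'F:\', 'G:\', 'H:\') | Where-Object { Test-Path -LiteralPath $_ }
$targets = @($env:ProgramFiles) + @($roots)
$exes = foreach ($t in $targets) {
    Get-ChildItem -LiteralPath $t -Filter *.exe -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
}
$hashed = foreach ($f in $exes) {
    New-Object PSObject -Property @{ Hash = (Get-Sha256 $f.FullName); Path = $f.FullName }
}
$clusters = $hashed | Where-Object { $_.Hash } | Group-Object Hash |
            Where-Object { $_.Count -ge $minCluster } | Sort-Object Count -Descending
foreach ($c in $clusters) {
    $findings += "$($c.Count) .EXE files share SHA-256 $($c.Name) (e.g. $($c.Group[0].Path)); likely overwritten, restore from backup"
}

if ($findings.Count -eq 0) { Write-Output 'No W32/Rabb indicators found.' } else { Write-Output $findings }
```

The hash clustering is the part that the file and registry checks cannot give you: it enumerates which executables were destroyed, which is exactly the list the Removal section says must be restored from backup. Hidden files are included via -Force because the worm may set the hidden attribute on its copies.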


Method of Infection

The worm propagates by copying itself to removable media and mounted network drives, writing an Autorun.inf in the drive root so that it is launched automatically when the drive is opened on a system with AutoPlay enabled.

Removal

All Users:
Use specified engine and DAT files for detection.

W32/Rabb.worm is a destructive worm, existing executable files may be overwritten and must be restored from backup.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations: on these versions System Restore may have captured copies of the dropped files in restore points, so temporarily disable System Restore before cleaning and re-enable it afterwards, otherwise the files can be re-detected or restored.

Variants

    N/A

Aliases

  • W32/RabbAttack.A.drp (Panda)
  • Worm.Win32.VB.ge (Kaspersky)