Win32.MSNWorm.Rachel.A

LOW
LOW
28672 bytes
(N/A)

Symptoms

The presence of the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Rachel] registry entry (a value named Rachel under the Run key, pointing at Rachel.exe).

Removal instructions:

  1. If you do not have BitDefender installed, download an evaluation version;

  2. Make sure you have the latest updates, using BitDefender Live!;

  3. Make the following changes in the Windows registry:

    Note: Modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Delete the following entry (the Rachel value under the Run key; do not delete the Run key itself, which holds legitimate start-up entries):
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Rachel]

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all files infected with Win32.MSNWorm.Rachel.A.

Analyzed By

Sorin Victor Dudea, BitDefender Virus Researcher

Technical Description:

This virus is an Internet worm that spreads through MSN Messenger by intercepting MSN Messenger messages.

The worm arrives through MSN Messenger in the following format:

[image: the MSN Messenger message, not reproduced here]

If the user accepts the download and executes the file Rachel.exe, the virus takes control and creates the following registry keys: HKLM\Software\MSNSPRD, where it keeps track of the users already infected and other information, and
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Rachel] with the value %path%\Rachel.exe, where %path% is the path of the downloaded executable file.

Because of the Run entry, the virus runs itself at every logon and takes control of the user's MSN Messenger. After creating these keys, the virus displays the following error message:

[image: the error message dialog, not reproduced here]

and then waits for new MSN messages.

When a user sends a message to the infected user, the virus checks whether it has already sent a copy to that user and, if not, sends itself the same way it arrived on the currently infected machine.

The virus records every user to whom it attempts to send itself in the following registry key:
HKLM\Software\MSNSPRD\USRRqstSnt

Because of a bug in the way it records these users, the virus does not spread correctly, so it has very little chance of spreading.
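As a worked check for the indicators listed in the Symptoms section and in the technical description above, the following PowerShell script is an added example; it is not part of the Bitdefender entry or its product. It looks for the Rachel value under the Run key and for the MSNSPRD key, lists whatever the worm stored under USRRqstSnt (useful for knowing which contacts to warn), exports the Run key as the backup the instructions recommend, and then deletes the Rachel value as step 3 of the removal instructions does. The function names are this example's own, and the assumption that the contacted users sit as values or subkeys directly under USRRqstSnt is ours, not the page's. Run it from an elevated prompt and follow it with the full scan the instructions call for.

```powershell
# Added example, not part of the Bitdefender entry or its tooling.
# Checks a Windows host for the registry indicators of Win32.MSNWorm.Rachel.A
# described on this page and removes the Run entry as removal step 3 does.
# Assumption (ours): contacted users are stored as values or subkeys under USRRqstSnt.

$RunKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'Rachel'
$WormKey  = 'HKLM:\Software\MSNSPRD'
$SentKey  = 'HKLM:\Software\MSNSPRD\USRRqstSnt'

function Get-RachelIndicators {
    $found = [ordered]@{}

    # Persistence: the Run value whose data is the path to the downloaded Rachel.exe.
    $run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($null -ne $run) {
        $exePath = $run.$RunValue
        $found['RunEntry']  = $exePath
        $found['ExeOnDisk'] = Test-Path -LiteralPath $exePath
    }

    # Bookkeeping key where the worm records the users it has already handled.
    if (Test-Path -Path $WormKey) {
        $found['MSNSPRDKey'] = $true
        if (Test-Path -Path $SentKey) {
            $sent = Get-Item -Path $SentKey
            # These are the contacts the worm tried to send itself to.
            $found['UsersContacted'] = @($sent.GetValueNames()) + @($sent.GetSubKeyNames())
        }
    }
    return $found
}

function Remove-RachelPersistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Mirrors step 3 of the removal instructions: delete only the Rachel value,
    # never the Run key itself, which holds legitimate start-up entries.
    # The MSNSPRD key is left alone because the page does not tell you to remove it.
    if (Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("$RunKey\$RunValue", 'Remove registry value')) {
            Remove-ItemProperty -Path $RunKey -Name $RunValue
        }
        return $true
    }
    return $false
}

$indicators = Get-RachelIndicators
if ($indicators.Count -eq 0) {
    Write-Host 'No Win32.MSNWorm.Rachel.A registry indicators found.'
    return
}
$indicators.GetEnumerator() | Format-Table -AutoSize

# The page recommends backing up the registry before editing it; export the Run key first.
$backup = Join-Path $env:TEMP 'Run-backup.reg'
reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null
Write-Host "Run key exported to $backup"

if (Remove-RachelPersistence) {
    Write-Host "Removed $RunKey\$RunValue. Now run a full scan and delete the infected files."
}
```

Because Remove-RachelPersistence supports ShouldProcess, calling it as Remove-RachelPersistence -WhatIf shows what would be deleted without touching the registry, which is the safe first run on a machine you are still triaging.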