
Win32.Rexli.A@mm

HIGH
MEDIUM
~53248 bytes
(W32/Rexli-A)

Symptoms

- The presence of the following files: rexec.exe and link.exe in the System directory (usually C:\Windows\System or C:\Winnt\System32);
- The presence of C:\rapp.exe and rbatC.bat

Removal instructions:

  1. If you don't have BitDefender installed, download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. In the [windows] section of win.ini, restore the Load= line (which the worm sets to Load=%systemdir%\REXEC.EXE, where %systemdir% is the system directory) to its default value, or to an empty Load=.

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Rexli.A@mm.

Analyzed By

Costin Ionescu BitDefender Virus Researcher

Technical Description:

This is an Internet worm written in Visual Basic 6. It spreads via MS Outlook and mIRC.

The worm comes as an e-mail attachment in the following form:

Subject: Cool linki (Polish: "Cool links")
Body: Przesylam ci znaleziona baze danych linków. Jest tam duzo stron, których na pewno nie znasz :)
(Polish: "I'm sending you a link database I found. There are lots of sites in there that you surely don't know :)")

Attachment: linki.exe
The message text is written in Polish, which suggests that the author resides in Poland.

When executed, the worm displays a fake error message window containing the text
"Error while loading <filename>", where <filename> is the name of the executable (usually linki.exe).

On its first run, the worm creates registry values under
HKEY_CURRENT_USER\Software\VB and HKEY_CURRENT_USER\Software\VBA Settings\Rax, which it uses to count how many times it has been executed on the system.

The worm copies itself to the system directory as rexec.exe and linki.exe and, in order to be executed at every restart, sets the line Load=%systemdir%\REXEC.EXE in the [windows] section of win.ini, where %systemdir% is the system directory.


If the worm finds any version of mIRC installed, it rewrites the file script.ini so that the worm is sent to all of the victim's chat partners. This script was probably adapted by the author from the similar mIRC-spreading code in VBS.LoveLetter.

It then scans all drives and overwrites every .vbs file with a script that runs rexec.exe from the system directory. After this scan, it sends infected e-mails, in the format described above, to all contacts in the Outlook Address Book.
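The following Python script is an added example, not part of the Bitdefender write-up, that turns the indicators on this page into offline triage checks: it finds and cleans the Load= persistence entry described in removal step 3 and in the technical description, flags .vbs files that the worm has overwritten, and matches a file listing against the file names given under Symptoms. The win.ini text, the .vbs body and the file listing at the bottom are constructed for illustration; treating any reference to rexec.exe inside a .vbs file as a hit is an assumption based on the description above, and the IOC name list includes both spellings (link.exe and linki.exe) that this page uses.

```python
# Added example (not part of the Bitdefender write-up): offline triage helpers for the
# Win32.Rexli.A@mm indicators described on this page. Everything operates on text and
# path lists so it can be run against an exported win.ini and a directory listing.
import ntpath
import re

# File names the write-up lists (system-directory copies plus the C:\ root files).
# Both "link.exe" (Symptoms) and "linki.exe" (technical description) are included.
IOC_BASENAMES = {"rexec.exe", "linki.exe", "link.exe", "rapp.exe", "rbatc.bat"}
# Registry locations the worm uses as a run counter; check these with winreg on a live host.
IOC_REGISTRY_KEYS = (
    r"HKEY_CURRENT_USER\Software\VB",
    r"HKEY_CURRENT_USER\Software\VBA Settings\Rax",
)
PERSISTENCE_MARKER = "rexec.exe"


def parse_ini(text):
    """Parse INI text into {section: {key: value}}. Section and key names are
    lower-cased because win.ini entries are written inconsistently (load= / Load=)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_load_persistence(win_ini_text):
    """Return the [windows] Load= value if it points at rexec.exe, otherwise None."""
    value = parse_ini(win_ini_text).get("windows", {}).get("load", "")
    return value if PERSISTENCE_MARKER in value.lower() else None


def clean_win_ini(win_ini_text):
    """Rewrite the [windows] Load= line to an empty Load= (removal step 3), leaving
    every other line untouched so the result can be written back to disk."""
    out, in_windows = [], False
    for line in win_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped[1:-1].strip().lower() == "windows"
        elif in_windows and re.match(r"(?i)load\s*=", stripped):
            if PERSISTENCE_MARKER in stripped.lower():
                line = "Load="
        out.append(line)
    return "\n".join(out) + ("\n" if win_ini_text.endswith("\n") else "")


def vbs_is_infected(vbs_text):
    """Heuristic (assumption): the overwritten .vbs scripts launch rexec.exe from the
    system directory, so any reference to that name is treated as a hit."""
    return PERSISTENCE_MARKER in vbs_text.lower()


def match_iocs(paths):
    """Return the paths whose base name is one of the worm's file names, sorted."""
    return sorted(p for p in paths if ntpath.basename(p).lower() in IOC_BASENAMES)


# Constructed sample inputs (not captured from a real infection).
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=C:\\WINDOWS\\SYSTEM\\REXEC.EXE\n"
    "run=\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)
SAMPLE_VBS = (
    'Set sh = CreateObject("WScript.Shell")\n'
    'sh.Run "C:\\WINDOWS\\SYSTEM\\rexec.exe"\n'
)
SAMPLE_LISTING = [
    r"C:\WINDOWS\SYSTEM\rexec.exe",
    r"C:\WINDOWS\SYSTEM\kernel32.dll",
    r"C:\rapp.exe",
    r"C:\rbatC.bat",
    r"C:\Program Files\notes.txt",
]


def triage():
    """Run every check over the constructed samples and return the findings."""
    return {
        "load_line": find_load_persistence(SAMPLE_WIN_INI),
        "cleaned_ini": clean_win_ini(SAMPLE_WIN_INI),
        "vbs_infected": vbs_is_infected(SAMPLE_VBS),
        "ioc_files": match_iocs(SAMPLE_LISTING),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value!r}")
```

clean_win_ini only blanks a Load= line that actually references rexec.exe, so running it over a clean win.ini, or over its own output, changes nothing; an administrator who uses Load= legitimately keeps that entry.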