Win32.Rexli.A@mm (W32/Rexli-A)
SYMPTOMS:
- The presence of the files rexec.exe and link.exe in the System directory (usually C:\Windows\System or C:\Winnt\System32);
- The presence of C:\rapp.exe and rbatC.bat.

TECHNICAL DESCRIPTION:
This is an Internet worm written in Visual Basic 6. It spreads using MS Outlook and mIRC.

The worm arrives as an e-mail attachment in the following form:
Subject: Cool linki
Body: Przesylam ci znaleziona baze danych linków. Jest tam duzo stron, których na pewno nie znasz :)
(English: I am sending you a database of links I found. There are many sites there that you surely don't know :) )
Attachment: linki.exe

The message text is written in Polish (where the author probably resides). When executed, the worm displays a fake error message window containing the text: "Error while loading"

On its first run, the worm initializes registry keys under HKEY_CURRENT_USER\Software\VB and HKEY_CURRENT_USER\Software\VBA Settings\Rax, where it counts how many times it has been executed on the system. It copies itself as rexec.exe and linki.exe and, so that it is executed at every restart, sets the line Load=%systemdir%\REXEC.EXE in the [windows] section of win.ini, where %systemdir% is the system directory.

If any version of mIRC is installed, the worm rewrites the file script.ini so that it is sent to all of the victim's chat partners. This script was probably adapted by the author from the similar code VBS.LoveLetter uses to spread via mIRC. The worm then scans all drives and overwrites every .vbs file with a script that runs rexec.exe from the system directory. After this scan, it sends infected e-mails to all contacts in the Outlook Address Book, using the format described above.

Removal instructions:
ANALYZED BY: Costin Ionescu, BitDefender Virus Researcher
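The indicators listed above (dropped file names, the win.ini Load= persistence line, the HKEY_CURRENT_USER counter keys, and .vbs files overwritten to launch rexec.exe) can be turned into host checks. The following is an added example written for this page, not code from BitDefender or from the worm analysis; it assumes C:\Windows\System as the default system directory (the page names C:\Winnt\System32 as the other possibility), uses constructed win.ini, directory-listing and .vbs samples, and the .vbs body is only a plausible stand-in, since the real overwritten script text is not on the page.

```python
"""Host indicator checks for Win32.Rexli.A@mm (added example, not BitDefender's code)."""
import os
import re
from pathlib import PureWindowsPath

# File names the description says the worm drops (names taken from the page).
DROPPED_IN_SYSTEM_DIR = ("rexec.exe", "linki.exe", "link.exe")
DROPPED_ON_C_ROOT = ("rapp.exe", "rbatC.bat")

# HKEY_CURRENT_USER keys named in the description (execution counters).
REGISTRY_KEYS = (r"Software\VB", r"Software\VBA Settings\Rax")

# Constructed win.ini samples: one clean, one carrying the worm's Load= persistence line.
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"
INFECTED_WIN_INI = "[windows]\nload=C:\\WINDOWS\\SYSTEM\\REXEC.EXE\nrun=\n[Desktop]\nWallpaper=(None)\n"

# Constructed .vbs bodies; OVERWRITTEN_VBS is a stand-in for the worm's script,
# whose real text is not on the page.
OVERWRITTEN_VBS = 'Set sh = CreateObject("WScript.Shell")\nsh.Run "C:\\WINDOWS\\SYSTEM\\rexec.exe"\n'
CLEAN_VBS = 'WScript.Echo "hello"\n'

# Constructed directory listing for dropped_files_present().
SAMPLE_LISTING = [
    r"C:\Windows\System\rexec.exe",
    r"C:\Windows\System\user32.dll",
    r"C:\rapp.exe",
    r"C:\rbatC.bat",
    r"C:\autoexec.bat",
]


def win_ini_load_entries(win_ini_text):
    """Return every program named on a Load= line inside the [windows] section.

    Parsed by hand rather than with configparser: win.ini may contain duplicate
    keys and backslash-laden values that a strict INI parser rejects.
    """
    section = None
    programs = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "load":
                # Load= may list several programs separated by spaces.
                programs.extend(value.split())
    return programs


def load_line_references_rexec(win_ini_text):
    """True if a Load= entry names REXEC.EXE, the persistence the worm installs."""
    return any(PureWindowsPath(p).name.lower() == "rexec.exe"
               for p in win_ini_load_entries(win_ini_text))


def vbs_runs_rexec(script_text):
    """True if a .vbs body references rexec.exe, the marker of an overwritten script."""
    return re.search(r"rexec\.exe", script_text, re.IGNORECASE) is not None


def dropped_files_present(existing_paths, system_dir=r"C:\Windows\System"):
    """Return the paths in existing_paths that match the worm's dropped-file names."""
    wanted = {str(PureWindowsPath(system_dir, n)).lower() for n in DROPPED_IN_SYSTEM_DIR}
    wanted |= {str(PureWindowsPath("C:\\", n)).lower() for n in DROPPED_ON_C_ROOT}
    return [p for p in existing_paths if str(PureWindowsPath(p)).lower() in wanted]


def registry_keys_present():
    """Return which of the description's HKCU keys exist; [] when not on Windows."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    for key in REGISTRY_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key):
                found.append(key)
        except OSError:
            pass
    return found


if __name__ == "__main__":
    # Live check on a Windows host; elsewhere only the constructed samples are evaluated.
    if os.name == "nt":
        windir = os.environ.get("WINDIR", r"C:\Windows")
        with open(os.path.join(windir, "win.ini"), errors="replace") as fh:
            print("win.ini Load= persistence:", load_line_references_rexec(fh.read()))
        print("registry keys present:", registry_keys_present())
    else:
        print("sample win.ini infected:", load_line_references_rexec(INFECTED_WIN_INI))
        print("sample dropped files:", dropped_files_present(SAMPLE_LISTING))
```

The win.ini parser deliberately compares only the file name of each Load= program, so a Load= line pointing at REXEC.EXE is flagged whether the system directory is C:\Windows\System or C:\Winnt\System32; the registry check only reports whether the keys exist, because the page gives the counter's location but not its value names.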