Virus: WORM/Rebhip.A.3001
Date discovered: 22/06/2011
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 356.352 Bytes
MD5 checksum: 5D39AFF39F79D959DA7AE13424CAF68D
VDF version: 7.11.10.68 - Wednesday, June 22, 2011
IVDF version: 7.11.10.68 - Wednesday, June 22, 2011

General:

Aliases:
   •  Kaspersky: Backdoor.Win32.Ruskill.df
   •  TrendMicro: BKDR_RUSKILL.ITW
   •  Sophos: Mal/VB-YG


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Registry modification

Files:

It copies itself to the following location:
   • C:\directory\CyberGate\install\windosdateor.exe



The following files are created:

   • %TEMPDIR%\XxX.xXx  This file contains collected information about the system.
   • %TEMPDIR%\UuU.uUu  This file contains collected information about the system.

Registry:

One of the following values is added to each registry key so that the process runs after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "HKCU"="c:\directory\CyberGate\install\windosdateor.exe"

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
   • "Policies"="c:\directory\CyberGate\install\windosdateor.exe"

  [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
   • "Policies"="c:\directory\CyberGate\install\windosdateor.exe"

Description inserted by Andrei Ilie on Thursday, October 20, 2011
Description updated by Andrei Ilie on Monday, October 24, 2011
