Win32/Rasith [Threat Name]
Win32/Rasith.A [Threat Variant Name]
Category | worm |
Size | 262144 B |
Detection created | Oct 21, 2014 |
Detection database version | 10596 |
Aliases | Trojan.Win32.Fsysna.auzf (Kaspersky) |
 | Worm:Win32/Folxrun.A (Microsoft) |
 | TR/Folxrun.A (Avira) |
 | Win32.HLLW.Autoruner2.17750 (Dr.Web) |
Short description
Win32/Rasith.A is a worm that spreads via shared folders and removable media.
Installation
When executed, the worm copies itself to the following locations:
- %temp%\explorer.exe
- %startup%\msfold.exe
This causes the worm to be executed on every system start.
The worm creates the following file:
- %temp%\sajith_and_rasini.db
Spreading
The worm copies itself into the root folders of network and/or removable drives using the following name:
- kabe.exe
The following files are created in the same folders:
- kabe.bat (51 B, Win32/Rasith.A)
- autorun.inf (186 B, INF/Autorun.gen)
Thus, the worm ensures it is started each time infected media is inserted into the computer.
The worm copies itself into the root folders of network and/or removable drives with the filename based on the name of an existing file or folder.
Payload information
After a certain time delay, the worm blocks access to the operating system.
To regain access to the operating system the user is requested to comply with given conditions in exchange for a password/instructions.
When the correct password is entered the worm is deactivated.
Other information
The worm may create the text file:
- %temp%\i_love_you_rasini.db
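The file names listed under Installation, Spreading and Other information can be turned into a host sweep. The following is an added example, not part of the original description or any vendor tool; the function names, the resolution of %startup% to the per-user Startup folder, the assumption that dropped copies keep the 262144 B size, and the choice to ignore a lone autorun.inf are assumptions of this sketch.

```python
import os
from pathlib import Path

WORM_SIZE = 262144  # size of Win32/Rasith.A given on this page, in bytes
TEMP_NAMES = ("explorer.exe", "sajith_and_rasini.db", "i_love_you_rasini.db")
STARTUP_NAMES = ("msfold.exe",)
DRIVE_NAMES = ("kabe.exe", "kabe.bat", "autorun.inf")


def _find(folder, names):
    """Return {lowercase name: Path} for the listed names present in folder."""
    if not folder:
        return {}
    wanted = {n.lower() for n in names}
    try:
        return {p.name.lower(): p for p in Path(folder).iterdir()
                if p.is_file() and p.name.lower() in wanted}
    except OSError:  # folder missing or unreadable
        return {}


def sweep(temp_dir, startup_dir, drive_roots):
    """Return a list of (path, reason) for artifacts named in the description."""
    findings = []
    for path in sorted(_find(temp_dir, TEMP_NAMES).values()):
        findings.append((str(path), "file name listed under %temp%"))
    for path in sorted(_find(startup_dir, STARTUP_NAMES).values()):
        findings.append((str(path), "file name listed under %startup%"))
    for root in drive_roots:
        hits = _find(root, DRIVE_NAMES)
        for name, path in sorted(hits.items()):
            if name == "autorun.inf" and len(hits) == 1:
                continue  # assumption: a lone autorun.inf is common on clean media
            reason = "file name listed for drive roots"
            if name == "kabe.exe" and path.stat().st_size == WORM_SIZE:
                reason += ", size matches 262144 B"
            findings.append((str(path), reason))
    return findings


if __name__ == "__main__":
    # Assumed locations: %TEMP%, the per-user Startup folder, drive letters D-Z.
    temp = os.environ.get("TEMP", "")
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    drives = [f"{c}:\\" for c in "DEFGHIJKLMNOPQRSTUVWXYZ" if os.path.exists(f"{c}:\\")]
    for path, reason in sweep(temp, startup, drives):
        print(f"{path}: {reason}")
```

A hit is a name match only and should be confirmed with an up-to-date scanner; the sweep also does not cover the copies the worm names after existing files or folders.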
The worm displays the following dialog box: