Win32/Rasith [Threat Name]

Win32/Rasith.A [Threat Variant Name]

Category worm
Size 262144 B
Detection created Oct 21, 2014
Detection database version 10596
Aliases Trojan.Win32.Fsysna.auzf (Kaspersky)
  Worm:Win32/Folxrun.A (Microsoft)
  TR/Folxrun.A (Avira)
  Win32.HLLW.Autoruner2.17750 (Dr.Web)

Short description

Win32/Rasith.A is a worm that spreads via shared folders and removable media.

Installation

When executed, the worm copies itself into the following locations:

  • %temp%\explorer.exe
  • %startup%\msfold.exe

This causes the worm to be executed on every system start.


The worm creates the following file:

  • %temp%\sajith_and_rasini.db

Spreading

The worm copies itself into the root folders of network and/or removable drives using the following name:

  • kabe.exe

The following files are created in the same folders:

  • kabe.bat (51 B, Win32/Rasith.A)
  • autorun.inf (186 B, INF/Autorun.gen)

Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm copies itself into the root folders of network and/or removable drives with the filename based on the name of an existing file or folder.

Payload information

After a certain time delay, the worm blocks access to the operating system.


To regain access to the operating system the user is requested to comply with given conditions in exchange for a password/instructions.


When the correct password is entered the worm is deactivated.

Other information

The worm may create the text file:

  • %temp%\i_love_you_rasini.db
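
The file names and sizes listed on this page can be turned into a triage sweep. The following Python script is an added example, not part of the original description or of any vendor tool. It assumes that %startup% is the per-user Startup folder in its default location, and that a copy "based on the name of an existing file or folder" shares its base name with a sibling entry in the same root folder; the page states neither.

```python
import sys
import tempfile
from pathlib import Path

WORM_SIZE = 262144  # bytes, the "Size" field on this page
# lower-cased file name -> size given on this page (None where no size is listed)
HOST_TEMP = {"explorer.exe": WORM_SIZE, "sajith_and_rasini.db": None, "i_love_you_rasini.db": None}
HOST_STARTUP = {"msfold.exe": WORM_SIZE}
DRIVE_ROOT = {"kabe.exe": WORM_SIZE, "kabe.bat": 51, "autorun.inf": 186}

def _entries(folder):
    try:
        return list(Path(folder).iterdir())
    except OSError:  # folder missing, drive not ready, access denied
        return []

def _named(entries, table):
    """Files whose name is in table; a matching size raises confidence."""
    return [(str(p), "name+size" if table[p.name.lower()] == p.stat().st_size else "name only")
            for p in entries if p.name.lower() in table and p.is_file()]

def mimic_copies(entries):
    """Worm-sized .exe sharing its base name with a sibling (assumed naming rule)."""
    hits = []
    for p in entries:
        if p.name.lower() in DRIVE_ROOT or p.suffix.lower() != ".exe" or not p.is_file():
            continue
        stem = p.stem.lower()
        if p.stat().st_size == WORM_SIZE and any(
                q != p and stem in (q.name.lower(), q.stem.lower()) for q in entries):
            hits.append((str(p), "mimic"))
    return hits

def scan_host(temp_dir, startup_dir):
    return _named(_entries(temp_dir), HOST_TEMP) + _named(_entries(startup_dir), HOST_STARTUP)

def scan_drive_root(root):
    entries = _entries(root)
    return _named(entries, DRIVE_ROOT) + mimic_copies(entries)

if __name__ == "__main__":  # usage: python sweep.py E:/ F:/
    # Assumed default location of the per-user Startup folder.
    startup = Path.home() / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    found = scan_host(tempfile.gettempdir(), startup)
    for root in sys.argv[1:]:
        found += scan_drive_root(root)
    print(*(f"{reason:10} {path}" for path, reason in found), sep="\n")
```

A "name only" hit on autorun.inf is common on clean media and needs a look at the file's contents; "name+size" and "mimic" hits are the ones to prioritize.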

The worm displays the following dialog box:

[Image: dialog box displayed by the worm]