Worm:W32/Revois

Name: Worm:W32/Revois
Detection Names: Win32.Worm.VB.NVA, Trojan-Downloader.Win32.VB.eex
Aliases: Worm:Win32/VB.AT (Microsoft), Win32.Worm.VB.NVA (Other)
Category: Malware
Type: Worm
Platform: W32

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Details


File System Changes
Creates these files:

  • Autorun.inf
  • C:\ntldr~6
  • C:\ntldr~8
  • C:\RECYCLEP\Pagefile.exe (hidden)
  • %windir%\regedt32.sys
  • %windir%\Sysinf.bat
  • %windir%\Help\HelpCat.exe
  • %windir%\system\KavUpda.exe
  • %windir%\system32\Option.bat
  • %Documents and Settings\Default User\Templates\excel.exe
  • %Documents and Settings\Default User\Templates\excel4.exe
  • %Documents and Settings\Default User\Templates\winword.exe
  • %windir%\system32\ExceRes
  • %windir%\system32\WordRes



Registry Modifications
Creates these keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000000
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:b5
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "HideFileExt"=dword:00000001
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "DisallowRun"=dword:00000001
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
    "1"="avp.exe"
    "2"="RfwMain.exe"
    "3"="Rfwsrv.exe"
    "4"="RavMoD.exe"
    "5"="CCenter.exe"
    "6"="RavMon.exe"
    "7"="RavStub.exe"
    "8"="RavService.exe"
    "9"="Rav.exe"
    "10"="rfwcfg.exe"
    "11"="KPFW32.EXE"
    "12"="KPFW32X.EXE"
    "13"="KAVPFW.EXE"
    "14"="KAV32.EXE"
    "15"="KAVStart.EXE"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
    "SuperHidden"=dword:00000001
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
    "Debugger"="D:\\RECYCLER\\????8.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe]
    "Debugger"="D:\\RECYCLER\\????8.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe]
    "Debugger"="D:\\RECYCLER\\????8.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe]
    "Debugger"="D:\\RECYCLER\\????8.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
    "Debugger"="D:\\RECYCLER\\????8.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
    "Debugger"="D:\\RECYCLER\\????8.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
    "Debugger"="D:\\RECYCLER\\????8.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
    "Debugger"="D:\\RECYCLER\\????8.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE]
    "Debugger"="D:\\RECYCLER\\????8.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
    "Debugger"="D:\\RECYCLER\\????8.exe"


Additional Details

Upon execution of Worm:W32/Revois, the files detailed above are created.

The worm also makes a variety of Windows Registry amendments, some of which prevent certain security programs from running.
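The registry changes listed above work in two ways: an Image File Execution Options "Debugger" value makes Windows start the named debugger in place of the program the key is named after, so a security tool listed there never launches and the worm's own copy runs instead; the DisallowRun policy adds an Explorer-level blocklist for the same tools; and CheckedValue=0 under SHOWALL disables the "Show hidden files" option so the dropped files stay out of sight. The following read-only audit script is an added example, not part of the F-Secure description, and checks a host for the file and registry indicators on this page. It assumes an elevated PowerShell session, and it matches the debugger path only on the RECYCLER folder name because the page wildcards the file name ("????8.exe") and the drive letter may differ.

```powershell
# Added example (not from the F-Secure description): read-only audit of the
# Revois indicators listed above. Run from an elevated PowerShell session on
# the host under investigation; nothing is modified.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Image File Execution Options. A "Debugger" value makes Windows start
#    that program instead of the named executable. Legitimate entries exist
#    (real debuggers, some EDR agents), so only a RECYCLER path is marked
#    SUSPICIOUS; anything else is reported for review.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        # Assumption: the page gives the debugger as D:\RECYCLER\????8.exe,
        # so the folder name is the only stable part to match on.
        $tag = if ($dbg -match 'RECYCLER') { 'SUSPICIOUS' } else { 'review' }
        $findings.Add("[$tag] IFEO $($_.PSChildName) -> Debugger = $dbg")
    }
}

# 2. Explorer policies: DisallowRun blocklists the named tools; the
#    NoDriveTypeAutoRun value is reported as-is for comparison with 0xb5.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$polProps = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
if ($polProps -and $polProps.DisallowRun -eq 1) {
    $list = Get-ItemProperty -Path "$pol\DisallowRun" -ErrorAction SilentlyContinue
    $blocked = @()
    if ($list) {
        # The blocklist is stored as numbered values "1", "2", ... = program name.
        $blocked = $list.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    $findings.Add("[SUSPICIOUS] DisallowRun enabled; blocked programs: $($blocked -join ', ')")
}
if ($polProps -and $null -ne $polProps.NoDriveTypeAutoRun) {
    $findings.Add(('[review] NoDriveTypeAutoRun = 0x{0:x}' -f $polProps.NoDriveTypeAutoRun))
}

# 3. Hidden-file view settings. CheckedValue defaults to 1; 0 breaks the
#    "Show hidden files" option in Folder Options.
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$sa = Get-ItemProperty -Path $showall -ErrorAction SilentlyContinue
if ($sa -and $sa.CheckedValue -eq 0) {
    $findings.Add('[SUSPICIOUS] SHOWALL CheckedValue = 0 (show-hidden-files option disabled)')
}

# 4. Dropped files, using the paths from the description. The Default User
#    template paths are given under the legacy profile root; adjust the
#    profile root if the host uses a different layout.
$sys = $env:SystemDrive
$win = $env:windir
$files = @(
    "$sys\ntldr~6", "$sys\ntldr~8", "$sys\RECYCLEP\Pagefile.exe",
    "$win\regedt32.sys", "$win\Sysinf.bat", "$win\Help\HelpCat.exe",
    "$win\system\KavUpda.exe", "$win\system32\Option.bat",
    "$win\system32\ExceRes", "$win\system32\WordRes",
    "$sys\Documents and Settings\Default User\Templates\excel.exe",
    "$sys\Documents and Settings\Default User\Templates\excel4.exe",
    "$sys\Documents and Settings\Default User\Templates\winword.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -ErrorAction SilentlyContinue) {
        $findings.Add("[SUSPICIOUS] dropped file present: $f")
    }
}

# 5. Autorun.inf in any drive root. The page does not say which drive the
#    worm writes to, so every filesystem drive with a root is checked.
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } | ForEach-Object {
    $a = Join-Path -Path $_.Root -ChildPath 'Autorun.inf'
    if (Test-Path -LiteralPath $a -ErrorAction SilentlyContinue) {
        $findings.Add("[review] Autorun.inf present at $a")
    }
}

if ($findings.Count -eq 0) { 'No Revois indicators found.' } else { $findings }
```

Findings tagged "review" are not proof of infection on their own: a Debugger value or an Autorun.inf can be legitimate, so the script reports them alongside the stronger matches and leaves the decision, and any cleanup, to the analyst.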