
W32/Realor.worm

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Internet Worm
  • Protection Added: 2006-11-14

W32/Realor.worm scans the infected machine for existing RealMedia (*.rmvb) files and inserts a malicious external hyperlink into them. When one of these *.rmvb files is opened, the user's media player may load an external webpage containing an exploit in the preconfigured web browser (e.g. Internet Explorer).

  • Minimum Engine: 5400.1158
  • File Length: Varies
  • Description Added: 2006-11-14
  • Description Modified: 2006-11-14

Malware Proliferation


W32/Realor.worm scans the infected machine for existing RealMedia (*.rmvb) files and inserts a malicious external hyperlink into them. When one of these *.rmvb files is viewed, the user's media player may load an external webpage containing an exploit in the preconfigured web browser (e.g. Internet Explorer).

A command-line utility that is part of the Real Helix Producer software is dropped and used by W32/Realor.worm to insert a RealMedia event into *.rmvb files.

At the time of writing, these modified *.rmvb files open a webpage hosted on:

  • krv(hidden).com

and this website was hosting a variant of Exploit-MS06-014, which can install a copy of W32/Lewor.a on systems vulnerable to this exploit. To the user, this website may appear to display only a harmless error message, but it silently loads the exploit in a hidden IFRAME object.


All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully if cleaning is done with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

W32/Realor.worm scans the infected machine for existing RealMedia (*.rmvb) files and inserts a malicious external hyperlink into them. When one of these *.rmvb files is viewed, the user's media player may load an external webpage containing an exploit in the preconfigured web browser (e.g. Internet Explorer).

The exploit may install a copy of W32/Realor.worm, W32/Lewor.a or other malware on vulnerable systems.

1) Presence of one or more of the following file(s):

  • %Windir%\System32\rmincon.exe (W32/Realor.worm)
  • %Windir%\System32\rmevents.exe (Real Helix Producer)
  • %Windir%\System32\rmevents(random).exe (Real Helix Producer)
  • %Windir%\System32\Tools\rmto3260.dll (Real Helix Producer)

(Real Helix Producer is a RealMedia editor which has its legitimate uses)

2) When RealPlayer is not installed on the infected machine, an error message box reports the following file(s) as missing:

  • pncrt.dll

3) Presence of the following Windows registry key(s):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"rmicon" = "%Windir%\System32\rmincon.exe"

(Where %Windir% is the Windows folder, e.g. C:\Windows)

4) Unexpected launching of unknown websites while viewing local *.rmvb files, such as:

  • krv(hidden).com
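As an added example (not McAfee's tooling), the following Python triage helper checks a host for indicators 1, 3 and 4 above: the dropped files under %Windir%\System32, the "rmicon" value in the HKCU Run key, and http(s) URLs embedded in local *.rmvb files. The indicator values come from this page; the matching logic, the URL heuristic and the live collection under the `__main__` guard are this example's own assumptions.

```python
import os
import re
import sys

# Indicator values are taken from the advisory above; the matching logic is this example's own.
DROPPED_FILE_RES = [
    re.compile(r"system32[\\/]rmincon\.exe$", re.I),
    re.compile(r"system32[\\/]rmevents[^\\/]*\.exe$", re.I),   # also covers rmevents(random).exe
    re.compile(r"system32[\\/]tools[\\/]rmto3260\.dll$", re.I),
]
RUN_VALUE_NAME = "rmicon"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Heuristic: a local clip normally carries no external hyperlink, so any URL in the raw bytes is worth a look.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[^\s\x00'<>\"]*)?")


def matching_dropped_files(paths):
    """Return the file paths that match one of the dropped-file indicators (case-insensitive)."""
    return [p for p in paths if any(r.search(p) for r in DROPPED_FILE_RES)]


def suspicious_run_values(run_values):
    """run_values: {value_name: command} read from the HKCU Run key.
    Flags the 'rmicon' value and any other Run entry that launches rmincon.exe."""
    return {n: c for n, c in run_values.items()
            if n.lower() == RUN_VALUE_NAME or "rmincon.exe" in c.lower()}


def rmvb_urls(data):
    """Extract http(s) URLs embedded in the raw bytes of a RealMedia file."""
    return sorted({m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(data)})


def scan_host(paths, run_values, rmvb_blobs):
    """rmvb_blobs: {path: bytes}. Returns a findings dict; empty values mean no indicator hit."""
    return {
        "dropped_files": matching_dropped_files(paths),
        "run_values": suspicious_run_values(run_values),
        "rmvb_with_urls": {p: u for p, b in rmvb_blobs.items() if (u := rmvb_urls(b))},
    }


if __name__ == "__main__" and os.name == "nt":      # live collection on a Windows host
    import winreg
    sysdir = os.path.join(os.environ["WINDIR"], "System32")
    paths = [os.path.join(sysdir, f) for f in os.listdir(sysdir)]
    tools = os.path.join(sysdir, "Tools")
    paths += [os.path.join(tools, f) for f in os.listdir(tools)] if os.path.isdir(tools) else []
    run = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as k:
        for i in range(winreg.QueryInfoKey(k)[1]):
            name, value, _ = winreg.EnumValue(k, i)
            run[name] = str(value)
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:] if p.lower().endswith(".rmvb")}
    print(scan_host(paths, run, blobs))   # pass .rmvb paths to inspect as command-line arguments
```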