
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


RaHack.BB

 
  • Threat Level: High threat
  • Damage: Severe
  • Distribution: Not widespread

Effects 

RaHack.BB has no destructive effects. Its main objective is to spread to other computers.

Infection strategy 

RaHack.BB creates the file URDVXC.EXE in the Windows system directory. This file is a copy of the worm.

Additionally, it creates copies of itself with random names in the following subfolders:

  • %user%\LOCAL SETTINGS\TEMPORARY INTERNET FILES of the Documents and Settings directory,
    where %user% is the logged-on user.
  • COMMON FILES\MICROSOFT SHARED\STATIONERY of the Program Files directory.
  • COMMON FILES\SYSTEM\ADO of the Program Files directory.
  • MICROSOFT OFFICE\TEMPLATES\ACCESS of the Program Files directory.
  • MSN\MSNCOREFILES of the Program Files directory.
  • NETMEETING of the Program Files directory.
  • RESOURCEKIT of the Program Files directory.
  • HELP of the Windows directory.
  • HELP\TOURS of the Windows directory.
  • INETPUB\WWWROOT of the C: drive.

 

RaHack.BB modifies the files with HTM and HTML extensions that it finds in the directories where it creates copies of itself. As a result, RaHack.BB is run whenever the user opens any HTM or HTML file in those directories.

 

RaHack.BB creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSWINDOWS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSWindows
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSWINDOWS
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSWindows
  • HKEY_CLASSES_ROOT\CLSID\{04F1A152-6964-1661-68F8-5589BC0F07BE}
    It creates a similar entry, with a random CLSID, for each randomly named file it creates.

Means of transmission 

RaHack.BB spreads across computer networks and through the remote control program Radmin.

1.- Transmission through the Radmin program.

RaHack.BB can affect computers that have the Radmin program installed, taking advantage of systems whose passwords are typical or easy to guess.

 

2.- Transmission across networks.

  • If the affected computer belongs to a network, RaHack.BB attempts to access the network shared resources.
  • In order to do so, it uses passwords or user names that are typical or easy to guess.
  • If successful, RaHack.BB makes copies of itself to the shared resources.

Further Details  

RaHack.BB is 57,856 bytes in size.
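
The indicators listed under "Infection strategy" and the file size above can be checked against an exported file and registry inventory. The following is an added example, not Panda Security code; the inventory format, the function names, the SYSTEM32/SYSTEM directory names and the sample data are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

WORM_SIZE = 57856            # bytes, from "Further Details"
DROPPED_NAME = "URDVXC.EXE"  # copy placed in the Windows system directory
SYSTEM_DIRS = {"SYSTEM32", "SYSTEM"}  # assumption: usual system directory names
COPY_DIRS = (                # folders listed under "Infection strategy"
    r"LOCAL SETTINGS\TEMPORARY INTERNET FILES",
    r"COMMON FILES\MICROSOFT SHARED\STATIONERY",
    r"COMMON FILES\SYSTEM\ADO",
    r"MICROSOFT OFFICE\TEMPLATES\ACCESS",
    r"MSN\MSNCOREFILES", "NETMEETING", "RESOURCEKIT",
    "HELP", r"HELP\TOURS", r"INETPUB\WWWROOT",
)
HKLM = "HKEY_LOCAL_MACHINE\\SYSTEM\\"
REG_KEYS = {                 # fixed keys from the page; random CLSIDs cannot be listed
    HKLM + r"CONTROLSET001\ENUM\ROOT\LEGACY_MSWINDOWS",
    HKLM + r"CONTROLSET001\SERVICES\MSWINDOWS",
    HKLM + r"CURRENTCONTROLSET\ENUM\ROOT\LEGACY_MSWINDOWS",
    HKLM + r"CURRENTCONTROLSET\SERVICES\MSWINDOWS",
    r"HKEY_CLASSES_ROOT\CLSID\{04F1A152-6964-1661-68F8-5589BC0F07BE}",
}
# Constructed sample inventory (not taken from a real host).
SAMPLE_FILES = [(r"C:\WINDOWS\system32\urdvxc.exe", 57856),
                (r"C:\WINDOWS\Help\qkzt.exe", 57856),
                (r"C:\WINDOWS\Help\windows.chm", 120000),
                (r"C:\Inetpub\wwwroot\index.htm", 2048)]
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ MSWindows",
               r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler"]

def norm_key(key):
    """Upper-case a key path and drop whitespace around backslashes."""
    return re.sub(r"\s*\\\s*", r"\\", key.strip()).upper().rstrip("\\")

def scan(files, reg_keys):
    """files: (path, size) pairs; reg_keys: key paths. Returns (indicator, value) pairs."""
    findings = []
    for path, size in files:
        p = PureWindowsPath(path)
        parent = str(p.parent).upper()
        if p.name.upper() == DROPPED_NAME and p.parent.name.upper() in SYSTEM_DIRS:
            findings.append(("dropped-copy", path))
        elif size == WORM_SIZE and any(parent.endswith("\\" + d) for d in COPY_DIRS):
            # Random file name: only folder and size can match (base dir unchecked).
            findings.append(("sized-copy", path))
    for key in reg_keys:
        if norm_key(key) in REG_KEYS:
            findings.append(("registry-key", key))
    return findings
```

A "sized-copy" hit is a candidate only, since it rests on folder and byte count alone; confirm it with an antivirus scan of the file.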
