VIRUS ALERTS

Rubble Worm

Original issue date: July 24, 2007

A worm named Rubble has been observed spreading in the wild. It scans the local and removable drives of a system for files of any extension. It steals the names of the scanned files for malicious purposes, overwrites the files with its own copy and renames their extension to exe.

The worm overwrites important system files such as ntldr, which is required for system startup, and this prevents the infected system from rebooting.

Upon execution, the worm:

  • Copies itself to the location
    <System>\win32.exe
  • Creates the following registry entry to run win32.exe on every system startup:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Load
    <System>\win32.exe
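
A triage check for the indicators listed above, added here as an example and not part of the original alert. It assumes <System> is the Windows system directory and PowerShell 4.0 or later, and it also looks for .exe files that are byte-identical to win32.exe, since the worm overwrites files with its own copy.

```powershell
# Added triage example; the indicators come from the alert above.
# Assumptions: <System> is the Windows system directory; PowerShell 4.0+.
$systemDir = [Environment]::SystemDirectory
$wormPath  = Join-Path $systemDir 'win32.exe'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Indicator 1: Run value "Load" whose data points at win32.exe.
$run    = Get-ItemProperty -Path $runKey -Name 'Load' -ErrorAction SilentlyContinue
$regHit = [bool]($run -and ($run.Load -match '\\win32\.exe'))

# Indicator 2: the dropped copy in the system directory.
$fileHit = Test-Path -LiteralPath $wormPath -PathType Leaf

# Indicator 3: files overwritten with the worm's own copy and renamed to .exe.
# Compare size first (cheap), then SHA-256, against the dropped copy.
$copies = @()
if ($fileHit) {
    $ref     = Get-Item -LiteralPath $wormPath -Force
    $refHash = (Get-FileHash -LiteralPath $wormPath -Algorithm SHA256).Hash
    $drives  = [System.IO.DriveInfo]::GetDrives() | Where-Object {
        $_.IsReady -and ($_.DriveType -eq 'Fixed' -or $_.DriveType -eq 'Removable')
    }
    foreach ($drive in $drives) {
        $root = $drive.RootDirectory.FullName
        # @( ... ) keeps an empty result from adding a $null element.
        $copies += @(
            Get-ChildItem -LiteralPath $root -Filter '*.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Length -eq $ref.Length -and $_.FullName -ne $ref.FullName } |
                Where-Object {
                    $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                    $h -and $h.Hash -eq $refHash
                }
        )
    }
}

# Summary, followed by the full paths of any identical copies.
[pscustomobject]@{
    RunValuePresent  = $regHit
    DroppedFileFound = $fileHit
    IdenticalCopies  = @($copies).Count
}
$copies | Select-Object -ExpandProperty FullName
```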

Users are advised to implement the following countermeasures:

  • Keep up-to-date patches and fixes on the operating system
    and application software.
  • Keep up-to-date Antivirus and AntiSpyware signatures.

References

http://www.sophos.com/security/blog/2007/07/386.html

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003