BCDBOOT.EXE is worm Rebhip

September 1, 2011 by NightWatcher
Filed under: Worm 
: Solved!

You should Download Removal Tool here...

The file BCDBOOT.EXE is a computer worm.
The worm BCDBOOT.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the BCDBOOT.EXE problem as soon as possible!
Delete the file BCDBOOT.EXE from all infected computers in your network.
Set up your network firewall against BCDBOOT.EXE intervention.

Malware Analysis of BCDBOOT.EXE
Full path on a computer: %Program Files%\Microsoft Corporation\bcdboot.exe

Detected by UnHackMe:

Item Name: Policies
Author: Microsoft Corporation
Related File: %PROGRAM FILES%\MICROSOFT CORPORATION\BCDBOOT.EXE
Type: Explorer Run

Item Name: {S3V21DS2-N1XI-YHD2-NPEP-V4U06385636N}
Author:
Related File: %PROGRAM FILES%\MICROSOFT CORPORATION\BCDBOOT.EXE
Type: ActiveSetup

Item Name: {UQ671J03-67B6-HS15-8862-52C0177MNL74}
Author: Microsoft Corporation
Related File: %PROGRAM FILES%\MICROSOFT CORPORATION\BCDBOOT.EXE
Type: ActiveSetup

Item Name: HKCU
Author: Microsoft Corporation
Related File: %PROGRAM FILES%\MICROSOFT CORPORATION\BCDBOOT.EXE
Type: Registry Run

Item Name: bcdboot.exe
Author: Microsoft Corporation
Related File: %STARTUP%\BCDBOOT.EXE
Type: Startup Folder

Removal Results: Success
Number of reboot: 1

BCDBOOT.EXE is known as:

Trojan.Stealer, Virus.Dracur, Worm.Rebhip

BCDBOOT.EXE hash:

  • MD5: d4bfc39f4f0fbcf66b07ba7e01b21b9f
  • SHA1: bf7adc3ba8bcad4cc32befa387eb1ddeaaa74ebc
How to quickly detect BCDBOOT.EXE presence? 

Registry:
  • HKLM\Software\Microsoft\Active Setup\Installed Components\{S3V21DS2-N1XI-YHD2-NPEP-V4U06385636N}\StubPath: “%Program Files%\Microsoft Corporation\bcdboot.exe”
  • HKLM\Software\Microsoft\Active Setup\Installed Components\{UQ671J03-67B6-HS15-8862-52C0177MNL74}\StubPath: “%Program Files%\Microsoft Corporation\bcdboot.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies: “%Program Files%\Microsoft Corporation\bcdboot.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies: “%Program Files%\Microsoft Corporation\bcdboot.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU: “%Program Files%\Microsoft Corporation\bcdboot.exe”
Folders:
  • %Common Appdata%\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
  • %Program Files%\Microsoft Corporation
Files:
  • %Appdata%\Administratorv1.18.0.vbs
  • %Appdata%\Administratorv1.18.0log.dat
  • %Appdata%\TuneUpUtilities2011_en-US.exe
  • %Appdata%\winloader.exe
  • %Temp%\12267.dmp
  • %Temp%\1829_appcompat.txt
  • %Temp%\bcdboot.exe
  • %Temp%\downloaded.exe
  • %Startup%\bcdboot.exe
  • %Common Appdata%\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}\{D3742F82-1C1A-4DCC-ABBD-0E831C0185CC}.msi
  • %Program Files%\Microsoft Corporation\bcdboot.exe


Recommended: UnHackMe anti-rootkit and anti-malware

Premium software: RegRun Security Suite (Good choice for removal and protection)

Written by

Malware Hunter.

Comments

Tell me what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

You must be logged in to post a comment.