Aliases: WIN32/REMABL.A, Worm.Win32.Remabl, W32/Remabl, WORM_REMABL.A-1
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 16 Oct 2003
Damage: Low

Characteristics: W32.Remabl.Worm is a worm that infects all Windows systems. It attempts to spread through the local network. It may also have backdoor capabilities. The existence of the file shambl3r.exe is an indication that the worm may have infected your computer.

More details about W32.Remabl.Worm

W32.Remabl.Worm consists of one .dll file and two .exe files: Shambl3r.exe, Sys.exe, and Python23.dll. Once the worm is run, it obtains network information by using the ipconfig command and uploads that information to a predetermined FTP site. It also creates the file Cnf.bat, which runs Sys.exe. This allows the author of the program to access command.com or cmd.exe on the infected computer from a remote computer, using a predetermined username and password. The worm generates random IP addresses each time it is executed. It pings these IP addresses and, if a response is received, connects to certain folders on the responding computer. It then copies Shambl3r.exe, Sys.exe and Python23.dll to those folders. It also attempts to connect to other computers within the same network range as the randomly generated IP address.
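The file names above can be turned into a simple host or share sweep. The following Python sketch is an added example, not part of the original write-up: it walks a directory tree and grades each directory by which of the named files sit together. The verdict labels, the two-file threshold and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# File names taken from the description above; matching is case-insensitive
# because Windows file systems are.
STRONG = {"shambl3r.exe"}                      # named on the page as the indicator
WEAK = {"sys.exe", "python23.dll", "cnf.bat"}  # generic names, meaningful only together

def scan(root):
    """Walk root and return {directory: (verdict, sorted matching names)}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        strong, weak = names & STRONG, names & WEAK
        if strong:
            verdict = "likely" if weak else "suspect"
        elif len(weak) >= 2:
            verdict = "review"   # assumption: two co-located weak names merit a look
        else:
            continue             # a lone Python23.dll is just a Python 2.3 runtime
        findings[dirpath] = (verdict, sorted(strong | weak))
    return findings

def build_sample_tree(base):
    """Constructed sample data: empty files laid out in three directories."""
    layout = {
        "share_a": ["Shambl3r.exe", "SYS.EXE", "Python23.dll", "readme.txt"],
        "python": ["python23.dll", "python.exe"],
        "temp": ["cnf.bat", "sys.exe"],
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(base, sub))
        for name in files:
            open(os.path.join(base, sub, name), "w").close()

def demo():
    """Scan the constructed tree and key the findings by directory name."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {os.path.basename(d): v for d, v in scan(base).items()}

if __name__ == "__main__":
    for directory, (verdict, names) in sorted(demo().items()):
        print(f"{verdict:8} {directory}: {', '.join(names)}")
```

File names are weak evidence on their own, so a hit from this sweep is a prompt to inspect the files, not a confirmed detection.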

The W32.Remabl.Worm software distributes threats to other computers. These threats are spread through P2P (peer-to-peer) file sharing programs, which allow users to share media files. The threats may easily be transmitted together with these files. Computers that are connected to an infected machine may easily be infiltrated by the program. The application enters a computer when it is downloaded by other downloader programs that are already present on the user's computer. It may also be downloaded unknowingly when the user accesses websites that are embedded with its code.