Aliases: Troj/Rewin, Trojan.Win32.Rewin, Rewin Trojan, TROJ_REWIN
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: N/A
Geographical info: North America
Removal: N/A
Platform: W32
Discovered: 12 Jul 2002
Damage: Low

Characteristics: W32.Rewin is a Trojan horse that infects Windows systems. The Trojan horse was designed to spread through floppy disks. This Trojan deletes specific files from an infected computer. It is written in the Microsoft Visual Basic (VB) programming language. Once detected, it must be removed immediately.

More details about W32.Rewin

When W32.Rewin is executed, it copies itself as A:\Kernel.exe, C:\%windir%\Winrep.com, and C:\%system%\Dialer.com. It then adds values to the registry so that it loads every time Windows starts, and it creates the text file C:\Hackers.txt. This file is not viral, but it must be deleted manually from a computer infected with W32.Rewin. The Trojan then attempts to delete all files in the following folders and drives: C:\Archivos de programa, C:\Mis documentos, C:\Program Files, and drives D, E, F, G, and H.

The Trojan has to be removed from the system as early as possible, before it causes major damage to the infected computer. It can be removed by using an updated antivirus program. The threat can be removed in two ways: manual removal and automatic removal.
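
A read-only check for the artifacts listed above, added here as an example and not part of the original write-up. It assumes %system% is the System or System32 folder under %windir% and, because the page does not name the registry values, inspects the standard Windows Run keys for references to the dropped file names.

```powershell
# Added example: report W32.Rewin artifacts without changing anything.
# Assumption: %system% resolves to System (Win9x) or System32 (NT family).
$fileNames  = 'Kernel.exe', 'Winrep.com', 'Dialer.com'
$candidates = @(
    'A:\Kernel.exe',                                  # skipped silently if no floppy is present
    (Join-Path $env:windir 'Winrep.com'),
    (Join-Path $env:windir 'System\Dialer.com'),
    (Join-Path $env:windir 'System32\Dialer.com'),
    'C:\Hackers.txt'                                  # text file dropped by the Trojan
)

$findings = @()
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force    # -Force also returns hidden files
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = "size=$($item.Length) modified=$($item.LastWriteTime.ToString('s'))"
        }
    }
}

# Assumption: the page does not say which key is used; these are the usual startup keys.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
foreach ($keyPath in $runKeys) {
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        foreach ($name in $fileNames) {
            if ($data -like "*$name*") {              # case-insensitive substring match
                $findings += [pscustomobject]@{
                    Type = 'Registry'; Location = "$keyPath\$valueName"; Detail = $data
                }
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No W32.Rewin artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on C:\Hackers.txt alone is weak evidence, since the name is not unique to this Trojan; treat it as significant only alongside one of the dropped executables or a matching startup value.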

The W32.Rewin software places its files in the system. A copy is saved as an executable file. It may be located in the Windows or System directory. It also creates a DLL module. Both files are added to the system registry. The .exe file is registered as a startup program. This allows it to run once the system is started. The W32.Rewin program uses the resources of the Internet Explorer application to connect to a remote server. It will then begin to download files into the system without the user’s consent.