W32/Rimecud

Type: Virus
SubType: Win32
Discovery Date: 10/07/2009
Length: various
Minimum DAT: 5764 (10/07/2009)
Updated DAT: 6058 (07/29/2010)
Minimum Engine: 5.3.00
Description Added: 10/07/2009
Description Modified: 05/11/2010 8:03 AM (PT)

Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update May 11, 2010 --

The sample file fix.exe, received from the field, copies itself on execution as hdav.exe to the following location:

  • %RootDir%\RECYLCER\[ID]\hdav.exe (detected as W32/Rimecud)

It adds the following registry entry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Taskman = "%RootDir%\RECYLCER\[ID]\hdav.exe"

As mentioned below, it is capable of propagating via removable drives. It creates an autorun.inf file that contains the following data:

[autorun]
open=FIREWALL\fix.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
action=Open folder to view files
shell\open=Open
shell\open\command=FIREWALL\fix.exe
shell\open\default=1
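
The autorun.inf above carries the traits a defender can match on: an `open` / `shell\open\command` entry that launches an executable from the drive, an `action` string copied from Windows' own AutoPlay prompt, an icon borrowed from shell32.dll, and `shell\open\default=1` making the malicious verb the default. The following is an added example (not McAfee's code) of a small parser that reads an autorun.inf and reports those traits. The sample text is a constructed copy of the file quoted above; the set of keys checked and the executable-extension list are this example's own assumptions.

```python
"""Flag autorun.inf files that show the traits described for W32/Rimecud.

Added example, not McAfee's code. SAMPLE_AUTORUN_INF is a constructed copy
of the file quoted in the description; the keys checked and the extension
list are assumptions made for this example.
"""
import re

# Constructed sample: mirrors the autorun.inf quoted on the page.
SAMPLE_AUTORUN_INF = """[autorun]
open=FIREWALL\\fix.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,2
action=Open folder to view files
shell\\open=Open
shell\\open\\command=FIREWALL\\fix.exe
shell\\open\\default=1
"""

# Wording of the genuine AutoPlay choice that the worm copies so its
# entry blends in with the built-in "open folder" option.
NATIVE_ACTION_TEXT = "open folder to view files"
EXEC_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|pif|vbs)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return {section: {key: value}} for a simple INI-style autorun.inf.

    Keys are lower-cased; backslashes inside keys (shell\\open\\command) are kept.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return a list of human-readable findings; an empty list means nothing matched."""
    findings = []
    auto = parse_autorun(text).get("autorun", {})
    # Any of these keys can launch a program when the drive is opened.
    for key in ("open", "shell\\open\\command", "shellexecute"):
        if key in auto and EXEC_EXT.search(auto[key]):
            findings.append(f"{key} launches an executable: {auto[key]}")
    if auto.get("action", "").strip().lower() == NATIVE_ACTION_TEXT:
        findings.append("action text mimics the built-in 'Open folder to view files' prompt")
    if "shell32.dll" in auto.get("icon", "").lower():
        findings.append(f"icon borrowed from shell32.dll to look like a system object: {auto['icon']}")
    if auto.get("shell\\open\\default") == "1":
        findings.append("shell\\open\\default=1 makes the custom 'open' verb the default action")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN_INF):
        print("-", finding)
```

Run against the constructed sample it reports all five traits; a plain `[autorun]` section that only sets a `label` produces no findings. The parser is deliberately hand-written rather than built on `configparser`, whose default interpolation would choke on the `%SystemRoot%` in the icon path.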

It is also capable of spreading via MSN and known P2P applications such as BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.

There may be traffic from infected machines on UDP port 10111 to the following domains:

  • arta.romail[Removed]est.info
  • parta.q8[Removed]ll.net
  • furious.devils[Removed].com
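
Both network indicators above (UDP traffic to port 10111 and lookups of the listed domains) lend themselves to a simple log sweep. The following is an added example (not McAfee's code) that scans key=value firewall and DNS log lines and groups matches by source host. The log format and the sample lines are constructed for this example, and because the page redacts the domain names, the watchlist holds clearly marked placeholder names rather than real indicators.

```python
"""Scan firewall/DNS log lines for the W32/Rimecud network indicators:
UDP traffic to port 10111 and DNS lookups of the listed C2 domains.

Added example, not McAfee's code. The log format and SAMPLE_LOG are
constructed; the watchlist entries are placeholders standing in for the
redacted names on the page.
"""
import re
from collections import defaultdict

C2_UDP_PORT = 10111
# Placeholders: the real names are redacted in the description.
C2_DOMAIN_WATCHLIST = {
    "arta.romail-redacted-est.info",
    "parta.q8-redacted-ll.net",
    "furious.devils-redacted.com",
}

# Constructed sample log: 10.0.0.7 is benign, 10.0.0.23 shows both indicators,
# 10.0.0.31 shows only the port indicator.
SAMPLE_LOG = """\
2010-03-02T10:15:01Z type=dns src=10.0.0.7 query=www.example.com
2010-03-02T10:15:03Z type=flow proto=udp src=10.0.0.7 sport=51022 dst=198.51.100.4 dport=53
2010-03-02T10:16:10Z type=dns src=10.0.0.23 query=arta.romail-redacted-est.info
2010-03-02T10:16:11Z type=flow proto=udp src=10.0.0.23 sport=49870 dst=203.0.113.9 dport=10111
2010-03-02T10:16:40Z type=flow proto=tcp src=10.0.0.23 sport=49871 dst=203.0.113.9 dport=10111
2010-03-02T10:17:05Z type=flow proto=udp src=10.0.0.31 sport=49900 dst=203.0.113.10 dport=10111
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one 'timestamp key=value ...' log line into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def domain_matches(query):
    """True if the queried name is a watchlisted domain or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAIN_WATCHLIST)


def find_indicators(log_text):
    """Return {src_ip: [reason, ...]} for every host that matched an indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec.get("src")
        if rec.get("type") == "dns" and domain_matches(rec.get("query", "")):
            hits[src].append(f"{rec['ts']} DNS lookup of C2 domain {rec['query']}")
        elif (rec.get("type") == "flow" and rec.get("proto") == "udp"
              and rec.get("dport") == str(C2_UDP_PORT)):
            hits[src].append(f"{rec['ts']} UDP to {rec['dst']}:{rec['dport']}")
    return dict(hits)


if __name__ == "__main__":
    for host, reasons in find_indicators(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("   ", reason)
```

On the constructed sample, 10.0.0.23 is reported twice (DNS lookup plus UDP/10111) and 10.0.0.31 once; the TCP connection to port 10111 is left unflagged on purpose, since the description only states UDP, and the `proto` test is the one line to relax if a deployment wants to cast a wider net.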


-- Update March 5, 2010 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.theregister.co.uk/2010/03/02/mariposa_botnet_takedown/

--

The worm often uses file names such as nissan.exe, sysdate.exe or dllrun32.exe, but other file names are possible.

Upon execution, the worm copies itself to the following file:

    * %RootDir%\RECYLCER\[ID]\sysdate.exe

(where %RootDir% is the root of the drive, e.g. C:\)

It creates the following file:

    * %RootDir%\RECYLCER\[ID]\Desktop.ini

It adds the following registry value:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman: "%RootDir%\RECYLCER\[ID]\sysdate.exe"

It injects malicious code into the explorer.exe process and then terminates its own process.
It also injects a small piece of code into another, non-explorer process, which monitors explorer.exe.
If the infected explorer.exe crashes, that non-explorer process restarts the worm and re-injects the code into explorer.exe.

The worm can spread via removable drives or network shares. When a removable drive or network drive is present, the malware creates a directory at the root of that drive and drops the following two files:

    * %RootDir%\cache.tmp\tmp376 (the file name may be random)
    * %RootDir%\cache.tmp\Desktop.ini

The worm can also spread via MSN and P2P networks.
   
The worm attempts to download further malware from remote servers.

The remote servers it connects to include:

    * Bfisb[removed].org
    * Butte[removed].es
    * San[removed]ica.com
    * Butte[removed].biz
    * Qwer[removed].es


The worm opens a backdoor that enables remote attackers to perform actions including the following:

    * launch DDoS attacks
    * steal Firefox passwords
    * steal Internet Explorer passwords
    * download files
    * start P2P spreading
    * start MSN spreading
    * start USB spreading

Symptoms

  • Presence of aforementioned registry entries and files.
  • Presence of unexpected network connections.

Method of Infection

This malware can spread via removable drives, network shares, MSN, or peer-to-peer networks.

Removal

Use current engine and DAT files for detection and removal.

Reboot and rescan the infected machine after scanning.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

W32/Rimecud is a worm that can spread via removable drives, MSN, P2P networks and network shares.
