W32/Rimecud
Type: Virus
SubType: Win32
Discovery Date: 10/07/2009
Length: Varies
Minimum DAT: 5764 (10/07/2009)
Updated DAT: 6595 (01/20/2012)
Minimum Engine: 5.4.00
Description Added: 10/07/2009
Description Modified: 08/10/2011 6:28 PM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled
Characteristics
---------- Updated on Aug 11, 2011--------------
File Information:
- MD5 - 9b2cf1dfbcba379b1f855b4deccbb40c
- SHA1 - ba3bd11f6fe0db108e59f409ed5abcd44fab4195
Aliases:
- TrendMicro- Mal_Palevo5
- F-Secure - Gen:Variant.Bredo.2
- Panda - Trj/Rimecud.a
- NOD32 - a variant of Win32/Kryptik.BDR
Upon execution, the Trojan injects its malicious code into the running "explorer.exe" process and, from that process, connects to the host "[REMOVED IP]" on remote port 53000.
The following files have been added:
- %Userprofile%\%Appdata%\afd.exe [Detected as W32/Rimecud]
The following registry values have been added:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
  "C:\Documents and Settings\%userProfile%\Application Data\afd.exe" = "%Appdata%\afd.exe:*:Enabled:ldrsoft"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
  "C:\Documents and Settings\%userProfile%\Application Data\afd.exe" = "%Appdata%\afd.exe:*:Enabled:ldrsoft"
These entries register afd.exe as an authorized application with the Windows Firewall.
[Note: %Userprofile% - C:\Documents and Settings\[UserName]]
--Updated on July 06, 2011 ---
File Information
- MD5 - 9C0B79404F0B05166E425E6571DA85AF
- SHA - 7EDDD517592CB29622B593D3D255D3C1E9A3ECE3
Aliases
- Kaspersky - P2P-Worm.Win32.Palevo.amrf
- Symantec - W32.SillyFDC
- Ikarus - P2P-Worm.Win32.Palevo
- Microsoft - Trojan:Win32/Malagent
When executed, the worm injects itself into Explorer.exe and connects to the following site on remote port 7008:
- Update[Removed]vc.com
The following registry keys have been added to the system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5542B3D4-E394-F9D0-E44B-688E7D3DF53B}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
- HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
The following registry values have been added:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
  "Taskman" = "%Systemdrive%\RECYCLER\S-1-5-21-9151140057-4166902364-019342130-6481\recycle.exe"
The registry value above ensures that the Trojan registers itself as a service and executes upon every reboot.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5542B3D4-E394-F9D0-E44B-688E7D3DF53B}\]
  "InprocServer32\" = "%Windir%\system32\msvidctl.dll"
------ Updated on 23rd June, 2011 --------
The sample file usecure.exe, which we received from the field, copies itself on execution as msmxeng.exe to the following location:
- %RootDir%\RECYCLER\[ID]\msmxeng.exe
It adds the following registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Taskman = "%RootDir%\RECYCLER\[ID]\msmxeng.exe"
This registry entry confirms that "msmxeng.exe" executes every time Windows starts.
As mentioned below, it is capable of propagation via removable drives.
It creates the following file:
- %RootDir%\RECYCLER\[ID]\Desktop.ini
It is also capable of spreading via MSN, and known P2P applications like BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
There may be traffic from infected machines on UDP port 44403 to the following host:
- 46.182.105.212
------ Updated on 21st June, 2011 --------
File Information
- MD5 - bec439a4b7b4db4860281cad05f98843
- SHA1 - 142957d147f97c95957f4d16b223a7fbb8557fd2
Aliases
- Comodo - TrojWare.Win32.Trojan.Agent.Gen
- Microsoft - Trojan:Win32/Terzib.
- NOD32 - a variant of Win32/Agent.RUA
- Symantec - Backdoor.Locobad!gen
Upon execution, the Trojan copies itself to the location below and connects to activeupdate.bluecoat[removed].com to download other malicious files.
- %AppData%\vmware.exe
It also creates the following startup entry, which executes the Trojan every time Windows starts:
- %UserProfile%\Start Menu\Programs\Startup\[space].lnk
It also connects to register.bluecoa[removed].com.
[Note: %AppData% - C:\Documents and Settings\[User Name]\Application Data; %UserProfile% - C:\Documents and Settings\[User Name]]
---------Updated on May 3rd, 2011---
File Information
- MD5 - 7015da5b6f2a4d5f5327670fb4e83191
- SHA1 - 11001ee859e792358a16c32fe48cf19589522eac
Aliases
- Kaspersky - Trojan.Win32.Agent2.crpo
- Microsoft - Trojan:Win32/Rotinom.B
- NOD32 - Win32/Agent.NEC
- Symantec - W32.Rotinom
"W32/Rimecud" is a worm that may propagate via removable drives or network shares. It uses the Windows folder icon as its own icon to trick users into opening it, which executes the worm.
Upon execution, the Worm copies itself into the following locations:
- %UserProfile%\Local Settings\Application Data\Start\update.exe
- [Removable Drive]:\FolderName.exe
[Note: Where "FolderName" is an existing folder name in the Removable Media]
The worm copies itself using the names of the existing folders and changes the attributes of those folders so that they are hidden.
The resulting "FolderName.exe" looks like a folder, so when it is opened the Trojan executes in the background and at the same time opens the corresponding original folder for the user to view.
The following registry value has been added:
- HKEY_CURRENT_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
  Startup = "%UserProfile%\Local Settings\Application Data\start"
The following registry values have been modified:
- HKEY_CURRENT_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  Hidden = 0x00000002
  HideFileExt = 0x00000001
  ShowSuperHidden = 0x00000000
  WebViewBarricade = 0x00000000
The registry values above confirm that the worm hides file extensions and prevents the compromised user from viewing hidden files and folders.
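The Windows Firewall exception (Aug 2011 and March 2010 updates), the Winlogon "Taskman" launcher (most updates) and the Explorer\Advanced view settings above are all registry artifacts that an analyst can check offline from a `reg export` dump. The following Python script is an added example written for this page, not McAfee's tooling or part of the advisory: it parses a constructed .reg export whose values mirror the advisory (with a benign Windows Messenger firewall exception as a control) and reports the indicators. The key paths, the list of user-writable directories and the severity ratings are the example's own assumptions.

```python
"""Check a Windows registry export (.reg text) for the W32/Rimecud
persistence and defence-evasion indicators listed in the advisory:
Winlogon\Taskman, Windows Firewall AuthorizedApplications entries that
point into user-writable paths, and the Explorer\Advanced view settings."""
import re

# Constructed .reg export (not captured from an infected host). Paths and value
# names mirror the advisory; the msmsgs.exe exception is a benign control entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Taskman"="C:\\RECYCLER\\S-1-5-21-9151140057-4166902364-019342130-6481\\recycle.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\Administrator\\Application Data\\afd.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\afd.exe:*:Enabled:ldrsoft"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

# "name"=data or @=data; the name may contain escaped quotes and backslashes.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and quotes inside strings as \\ and \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: value}}; REG_SZ as str, REG_DWORD as int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue  # file header, blank line or unsupported value syntax
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        else:
            value = data  # hex:, expand strings etc. are kept raw (assumption)
        keys[current][name] = value
    return keys


# Directories an unprivileged user (or malware running as one) can write to on
# XP-era systems; a firewall exception for a binary there deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\recycler\\", "\\application data\\")

# These are the Windows XP defaults. Rimecud re-asserts them to keep its hidden
# folders and fake folder .exe out of sight, so alone they are weak evidence.
EXPLORER_DEFAULTS = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}


def find_indicators(keys):
    """Return a list of (severity, description) for the advisory's indicators."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\winlogon"):
            for name, val in values.items():
                # Taskman is absent on a clean system; any value is a logon launcher.
                if name.lower() == "taskman":
                    findings.append(("high", f"Winlogon\\Taskman launches {val}"))
        elif k.endswith("\\authorizedapplications\\list"):
            for name, val in values.items():
                enabled = isinstance(val, str) and ":*:enabled:" in val.lower()
                if enabled and any(d in name.lower() for d in USER_WRITABLE):
                    findings.append(("high", f"Firewall exception for user-writable binary {name}"))
        elif k.endswith("\\explorer\\advanced"):
            hits = [n for n, want in EXPLORER_DEFAULTS.items() if values.get(n) == want]
            if len(hits) == len(EXPLORER_DEFAULTS):
                findings.append(("low", "Explorer hides extensions and hidden/system files: " + ", ".join(hits)))
    return findings


def analyze(reg_text):
    return find_indicators(parse_reg(reg_text))


if __name__ == "__main__":
    for severity, description in analyze(SAMPLE_REG):
        print(f"[{severity}] {description}")
```

Run against a real export with `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg` and the two other keys, then pass the file contents to `analyze`; exports are UTF-16 by default, so open them with `encoding="utf-16"`. The Explorer\Advanced values are rated low on purpose: they are the defaults, and the worm merely restores them, so they corroborate the high findings rather than stand on their own.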
The following Mutex object has been created to ensure only one instance of the worm is running at a time.
- LDLLMAIN
The following folders have also been added to the system:
- %UserProfile%\Local Settings\Application Data\S-1-[varies]
- %UserProfile%\Local Settings\Application Data\S-1-[varies]\dmc
- %UserProfile%\Local Settings\Application Data\S-1-[varies]\tlsr
- %UserProfile%\Local Settings\Application Data\S-1-[varies]\Rotinom
- %UserProfile%\Local Settings\Application Data\start
[Note: %UserProfile% is C:\Documents and Settings\[UserName]]
-------------Updated on April 1st, 2011---
File Information
- MD5 - FC92B70761C5CD335E9967DA24D57462
- SHA - 63BD914E61AA32576C47B3B53CC85EB24078AFB5
Aliases
- Symantec - W32.Pilleuz
- NOD32 - a variant of Win32/Injector.CCR
- Ikarus - Virus.Win32.CeeInject
- Microsoft - VirTool:Win32/CeeInject.gen!A
Upon execution, the worm injects itself into Explorer.exe and connects to digita[Removed]ind.cn on remote port 44425.
When executed, this worm copies itself to the following locations:
- [Removable Drive]:\webguard\webguard32.exe
- %Systemdrive%\RECYCLER\S-1-(Varies)\MsMxEng.exe
and drops the following files:
- %Userprofile%\Desktop\Desktop.ini
- [Removable Drive]:\autorun.inf
It also drops an autorun.inf file into the root of all removable and mapped drives so that the executable is run automatically when the drive is accessed.
The "AutoRun.inf" file points to the malware executable. When the removable or network drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.
The autorun.inf is configured to launch the Trojan with the following entries (in the sample, the section header lacks its closing bracket and is surrounded by lines of unprintable junk bytes, which are omitted here):
[autorun
open=webguard/webguard32.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files using Windows Explorer
USEAUToplay=1
shell\open\command=webguard/webguard32.exe
shell\explore\command=webguard/webguard32.exe
The following registry value has been added:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
  "Taskman" = "%Userprofile%\Desktop\MsMxEng.exe"
The registry value above ensures that the Trojan is registered on the compromised system and executes upon every boot.
This worm also injects into Explorer.exe and connects to the following IP address on remote port 10021:
- 77.[Removed].10.71
The worm opens a connection to a remote server on port 44425 and connects to the following site:
- Freebies[Removed]unge.com
It is also capable of spreading via MSN and known P2P applications, as follows:
- BearShare
- iMesh
- Shareaza
- Kazaa
- DC++
- eMule
- LimeWire
This worm also performs the following actions:
- Steals sensitive data saved by the browser
- Starts/stops flooding a remote system
- Downloads other malicious files and executes them
[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
----------Updated on March 04, 2010 -------------
File Information
- MD5 - 390522D933D6C62E35384A9683337157
- SHA - D6DA6CDB793C28F4A759B56D568672B827A7BCC7
Aliases
- Kaspersky - IM-Worm.Win32.Yahos.xr
- NOD32 - Win32/Bflient.Y
- Ikarus - IM-Worm.Win32.Yahos
- Microsoft - Trojan:Win32/Rimecud.A
Upon execution the Trojan connects to the following sites:
- Jebena.ana[Removed]olic.su through a remote port 4500.
- xm-load[Removed].com through a remote port 443.
When executed, the Trojan copies itself to the following location:
- %UserProfile%\xvlof.exe
and drops the following files:
- %Appdata%\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe
- %Temp%\375.exe
- %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\8WEL7ODI\bggnind[1].txt
- %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\I65VJICG\server1[1].exe
The following registry values have been added:
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
  "mssend" = ""%Appdata%\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe""
The Run entry above ensures that the Trojan is registered on the compromised system and executes upon every boot.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
  "Taskman" = "%UserProfile%\xvlof.exe"
The Trojan registers itself as an authorized application with the Windows Firewall by adding the following values to the registry keys:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
  "C:\Documents and Settings\Administrator\Application Data\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe" = "%Appdata%\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe:*:Enabled:ldrsoft"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
  "C:\Documents and Settings\Administrator\Application Data\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe" = "%Appdata%\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe:*:Enabled:ldrsoft"
This Trojan also connects to the IP address 91.207.[Removed].7 on remote port 25.
[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
----------- Updated on October 26, 2010--------------
The sample file sjlp.exe, which we received from the field, copies itself on execution as sjlp.exe to the following location:
- %RootDir%\Application Data\sjlp.exe
It adds the following registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Taskman = "%RootDir%\Application Data\sjlp.exe"
This registry entry confirms that "sjlp.exe" executes every time Windows starts.
As mentioned below, it is capable of propagation via removable drives.
It creates the following file:
- %RootDir%\RECYCLER\[ID]\Desktop.ini
It is also capable of spreading via MSN, and known P2P applications like BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
There may be traffic from infected machines on UDP port 1030 to the following domains:
- jebena.[REMOVED]lic.su
- juice.los[REMOVED]la.org
- peer.[REMOVED]e.ru
- teske.[REMOVED]ke.com
----------- Updated on October 12, 2010--------------
The sample file ooyi.exe, which we received from the field, copies itself on execution as ooyi.exe to the following location:
- %RootDir%\Application Data\ooyi.exe
It adds the following registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Taskman = "%RootDir%\Application Data\ooyi.exe"
This registry entry confirms that "ooyi.exe" executes every time Windows starts.
As mentioned below, it is capable of propagation via removable drives.
It creates the following file:
- %RootDir%\RECYCLER\[ID]\Desktop.ini
It is also capable of spreading via MSN, and known P2P applications like BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
There may be traffic from infected machines on UDP port 1030 to the following domains and hosts:
- prcolina.[REMOVED]onica.com
- kreten.[REMOVED]-ljepotice.ru
- sombrero.[REMOVED].net
- dzaba.[REMOVED].com
- 84.19.[REMOVED].194
---------- Updated on Aug 06, 2010--------------
File Information:
- MD5 - f5f4ec6d780715d713b7e085fd24447c
- SHA1 - f4507f91806aef7bdbbab1047b5ce4d5d6033e6c
Aliases:
- BitDefender - Worm.Generic.261149
- F-Secure - Worm.Generic.261149
- Kaspersky - P2P-Worm.Win32.Palevo.fuc
- NOD32 - a variant of Win32/Kryptik.ESG
Upon execution, the Trojan injects its malicious code into the running "explorer.exe" process and, from that process, connects to the domain "tinaivanovic.sexy-[removed].info" on remote port 53000.
The following files have been added:
- %Userprofile%\ctfmon.exe [Detected as W32/Rimecud]
- %Userprofile%\Desktop.ini [Not a malicious file]
The following registry value has been added:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
  Taskman = "%Userprofile%\Desktop\ctfmon.exe"
This registry value confirms that the Trojan "ctfmon.exe" executes every time Windows starts.
[Note: %Userprofile% - C:\Documents and Settings\[UserName]]
-- Update May 11, 2010 --
The sample file fix.exe, which we received from the field, copies itself on execution as hdav.exe to the following location:
- %RootDir%\RECYLCER\[ID]\hdav.exe (detected as W32/Rimecud)
It adds the following registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Taskman = "%RootDir%\RECYLCER\[ID]\hdav.exe"
As mentioned below, it is capable of propagation via removable drives. It creates an autorun.inf file containing the following data:
[autorun]
open=FIREWALL\fix.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
action=Open folder to view files
shell\open=Open
shell\open\command=FIREWALL\fix.exe
shell\open\default=1
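Both autorun.inf files quoted on this page (the April 2011 sample with junk bytes around its header, and this May 2010 sample) follow the same pattern: launch keys that point at the worm, a stock system icon, and an action string that copies Explorer's own prompt. The Python below is an added example and not part of the advisory: it parses such a file and reports those keys, tolerating the junk padding and the unterminated header. The samples are constructed strings modelled on the two listings (with a plain software-CD autorun.inf as a benign control), and the list of launch keys, the executable extensions and the severity labels are the example's assumptions.

```python
"""Parse an autorun.inf and report the keys that make Windows launch a program
when a removable or mapped drive is opened, tolerating the junk bytes and the
unterminated "[autorun" header seen in the samples the advisory quotes."""
import re

# Constructed samples modelled on the two autorun.inf listings on this page; the
# junk lines stand in for the unprintable padding shown around the header.
SAMPLE_APR_2011 = (
    "\xcc?g?,.Ch?\xcaI\xf1\xe1Lj?@??\xe8??e\xe9\xaatls\n"
    "[autorun\n"
    "\xd0?\xcdx???\xca\xd6@?\xe4\xe0?\n"
    "open=webguard/webguard32.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "action=Open folder to view files using Windows Explorer\n"
    "USEAUToplay=1\n"
    "shell\\open\\command=webguard/webguard32.exe\n"
    "shell\\explore\\command=webguard/webguard32.exe\n"
)
SAMPLE_MAY_2010 = (
    "[autorun]\n"
    "open=FIREWALL\\fix.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,2\n"
    "action=Open folder to view files\n"
    "shell\\open=Open\n"
    "shell\\open\\command=FIREWALL\\fix.exe\n"
    "shell\\open\\default=1\n"
)
# A plain software-CD autorun.inf, constructed as a benign control case.
SAMPLE_BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Product Installer\n"

HEADER_RE = re.compile(r"^\[autorun\]?$", re.I)   # accepts "[autorun" as well
KEY_RE = re.compile(r"^[a-z0-9_.\\]+$")            # rejects junk-byte "keys"
# Keys that cause a program launch (assumed list; shell\<verb>\command covers both
# the open and explore verbs used in the samples).
LAUNCH_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return {lower-case key: value} for the [autorun] section only."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            in_section = True
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = False          # some other section, e.g. [DeviceInstall]
            continue
        if not in_section or "=" not in line:
            continue                    # blank line, junk padding or comment
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if KEY_RE.match(key):
            entries[key] = value.strip()
    return entries


def assess_autorun(text):
    """Return (severity, description) findings in the order they are detected."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if LAUNCH_RE.match(key):
            # Any launch key on removable media merits review; an executable
            # target is the pattern described on this page, so it is rated high.
            sev = "high" if value.lower().endswith(EXEC_EXT) else "medium"
            findings.append((sev, f"{key} runs {value}"))
    icon = entries.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(("medium", f"icon reuses a stock system icon: {icon}"))
    action = entries.get("action", "")
    if "open folder" in action.lower():
        findings.append(("medium", f"action mimics Explorer's own prompt: {action}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("April 2011", SAMPLE_APR_2011),
                         ("May 2010", SAMPLE_MAY_2010),
                         ("benign CD", SAMPLE_BENIGN)):
        print(name)
        for sev, desc in assess_autorun(sample) or [("info", "nothing flagged")]:
            print(f"  [{sev}] {desc}")
```

To scan a drive, read its root autorun.inf with `errors="replace"` (the junk bytes are not valid text) and pass the string to `assess_autorun`. A file that only sets `icon` and `label` produces no findings, which is the normal case for software CDs; a launch key pointing at an executable in a subfolder of removable media is the case worth escalating.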
It is also capable of spreading via MSN, and known P2P applications like BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
There may be traffic from infected machines on UDP port 10111 to the following domains:
- arta.romail[Removed]est.info
- parta.q8[Removed]ll.net
- furious.devils[Removed].com
-- Update March 5, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2010/03/02/mariposa_botnet_takedown/
--
The worm often uses file names such as nissan.exe, sysdate.exe, or dllrun32.exe, but other file names are possible.
Upon execution, the worm copies itself to the following file:
* %RootDir%\RECYLCER\[ID]\sysdate.exe
(where %RootDir% is the root of the drive, e.g. C:\)
It creates the following file:
* %RootDir%\RECYLCER\[ID]\Desktop.ini
It adds the following registry value:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman: "%RootDir%\RECYLCER\[ID]\sysdate.exe"
It injects malicious code into the explorer.exe process and then terminates its own process.
It also injects a small piece of code into another, non-explorer process, which monitors the explorer.exe process.
If the infected explorer.exe crashes, that non-explorer process restarts the worm and reinjects the code into explorer.exe.
The worm can spread via removable drives or network shares. When a removable drive or network drive is present, the malware creates a directory at the root of that drive and drops the following two files:
* %RootDir%\cache.tmp\tmp376 (the file name may be random)
* %RootDir%\cache.tmp\Desktop.ini
The worm can also spread via MSN and P2P networks.
The worm attempts to download further malware from remote servers.
The remote servers it connects to include:
* Bfisb[removed].org
* Butte[removed].es
* San[removed]ica.com
* Butte[removed].biz
* Qwer[removed].es
The worm opens a backdoor, which enables remote attackers to perform the following actions:
* DDOS
* steal firefox password
* steal IE password
* download file
* start P2P spread
* start MSN spread
* start USB spread
* etc
Symptoms
- Presence of aforementioned registry entries and files.
- Presence of unexpected network connections.
Method of Infection
This malware can spread via removable drives, network shares, MSN, or peer-to-peer networks.
Removal
Use the current engine and DAT files for detection and removal.
Reboot and rescan the infected machine after scanning.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
W32/Rimecud is a worm that can spread via removable drives, MSN, P2P networks and network shares.
Characteristics
Characteristics -
---------- Updated on Aug 11, 2011--------------
File Information:
- MD5 - 9b2cf1dfbcba379b1f855b4deccbb40c
- SHA1 - ba3bd11f6fe0db108e59f409ed5abcd44fab4195
Aliases:
- TrendMicro- Mal_Palevo5
- F-Secure - Gen:Variant.Bredo.2
- Panda - Trj/Rimecud.a
- NOD32 -
a variant of Win32/Kryptik.BDR
Upon execution, the Trojan injects the malicious code into the running process "explorer.exe" and using that, it connects to the DNS "[REMOVED IP]" through the remote port 53000.
The following files have been added:
- %Userprofile%\%Appdata%\afd.exe [Detected as W32/Rimecud]
The following registry Values have been added:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
“C:\Documents and Settings\\%userProfile%\Application Data\afd.exe” = "%Appdata%\afd.exe:*:Enabled:ldrsoft" - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
“C:\Documents and Settings\%userProfile%\Application Data\afd.exe” = "%Appdata%\afd.exe:*:Enabled:ldrsoft"
[Note: %Userprofile% - C:\Documents and Settings\[UserName]]
--Updated on July 06, 2011 ---
File Information
- MD5 - 9C0B79404F0B05166E425E6571DA85AF
- SHA - 7EDDD517592CB29622B593D3D255D3C1E9A3ECE3
Aliases
- Kaspersky - P2P-Worm.Win32.Palevo.amrf
- Symantec - W32.SillyFDC
- Ikarus - P2P-Worm.Win32.Palevo
- Microsoft - Trojan:Win32/Malagent
When executed the Worm injects itself with Explorer.exe and connects to the following site through a remote port 7008.
- Update[Removed]vc.com
The following registry key has been added to the system.
- HKEY_LOCAL_MACHINE \SOFTWARE\Classes\CLSID\{5542B3D4-E394-F9D0-E44B-688E7D3DF53B}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
- HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
The following registry value has been added.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
“Taskman” = "%Systemdrive%\RECYCLER\S-1-5-21-9151140057-4166902364-019342130-6481\recycle.exe"
The above mentioned registry ensures that the Trojan registers itself as a service and execute upon every reboot.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5542B3D4-E394-F9D0-E44B-688E7D3DF53B}\]
“InprocServer32\” = "%Windir%\system32\msvidctl.dll"
------ Updated on 23rd June, 2011 --------
The sample file usecure.exe which we received from field on execution, copies itself as msmxeng.exe at the following location:
* %RootDir%\RECYCLER\[ID]\msmxeng.exe
It adds the following registry entry:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = * %RootDir%\RECYCLER\[ID]\msmxeng.exe "
The above registry confirms that "msmxeng.exe" executes every time when windows starts.
As mentioned below, it is capable of propagation via removable drives.
It creates the following file:
* %RootDir%\RECYCLER\[ID]\Desktop.ini
It is also capable of spreading via MSN, and known P2P applications like BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
There may be traffic from infected machines on UDP port 44403 to following domains:
- 46.182.105.212
------ Updated on 21st June, 2011 --------
File Information –
- MD5 - bec439a4b7b4db4860281cad05f98843
- SHA1 - 142957d147f97c95957f4d16b223a7fbb8557fd2
Aliases –
- Comodo - TrojWare.Win32.Trojan.Agent.Gen
- Microsoft - Trojan:Win32/Terzib.
- ANOD32 - a variant of Win32/Agent.RUA
- Symantec - Backdoor.Locobad!gen
Upon execution, the Trojan copies itself into the below mentioned location and connects to the site activeupdate.bluecoat[removed].com to download other malicious files.
- %AppData%\vmware.exe
Also it creates the following startup entry, which executes the Trojan every time when windows starts.
- %UserProfile%\Start Menu\Programs\Startup\[space].lnk
Also it connects to the register.bluecoa[removed].com
Note : [%AppData% - C:\Documents and Settings\[User Name]\Application Data
%UserProfile% - C:\Documents and Settings\[User Name]]
---------
---------Updated on May 3rd, 2011---
File Information –
- MD5 - 7015da5b6f2a4d5f5327670fb4e83191
- SHA1 - 11001ee859e792358a16c32fe48cf19589522eac
Aliases –
- Kaspersky - Trojan.Win32.Agent2.crpo
- Microsoft - Trojan:Win32/Rotinom.B
- NOD32 - Win32/Agent.NEC
- Symantec - W32.Rotinom
"W32/Rimecud" is a worm that may propagate via removable drives or network shares. It uses the windows "Folder Icon" as its icon to trick the users in order to open it for an effective execution of the worm.
Upon execution, the Worm copies itself into the following locations:
- %UserProfile%\Local Settings\Application Data\Start\update.exe
- [Removable Drive]:\FolderName.exe
[Note: Where "FolderName" is an existing folder name in the Removable Media]
The worm copies itself with the existing folder names and changes the attribute of the existing folders in order to hide them.
The above mentioned file "FolderName.exe" looks like folder, so when it is clicked to open, the Trojan gets executed at the background and at the same time it also opens the corresponding original folder for the user view.
The following registry values has been added
- HKEY_CURRENT_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
Startup = "%UserProfile%\Local Settings\Application Data\start"
The following registry values have been modified
- HKEY_CURRENT_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden = 0x00000002 - HKEY_CURRENT_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
HideFileExt = 0x00000001 - HKEY_CURRENT_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden = 0x00000000 - HKEY_CURRENT_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
WebViewBarricade = 0x00000000
The above mentioned registries confirm that, the worm hides the file extension and prevents the compromised user to view the hidden files and folders.
The following Mutex object has been created to ensure only one instance of the worm is running at a time.
- LDLLMAIN
Also the following folders have been added to the system
- %UserProfile%\Local Settings\Application Data\S-1-[varies]
- %UserProfile%\Local Settings\Application Data\S-1-[varies]\dmc
- %UserProfile%\Local Settings\Application Data\S-1-[varies]\tlsr
- %UserProfile%\Local Settings\Application Data\S-1-[varies]\Rotinom
- %UserProfile%\Local Settings\Application Data\start
Note:-
[Where %UserProfile% is C:\Documents and Settings\[UserName]
-------
-------------Updated on April 1st, 2011---
File Information
- MD5 - FC92B70761C5CD335E9967DA24D57462
- SHA - 63BD914E61AA32576C47B3B53CC85EB24078AFB5
Aliases
- Symantec - W32.Pilleuz
- NOD32 - a variant of Win32/Injector.CCR
- Ikarus - Virus.Win32.CeeInject
- Microsoft - VirTool:Win32/CeeInject.gen!A
Upon execution the Worm injects itself with Explorer.exe and connects to the site digita[Removed]ind.cn through a remote port 44425.
When executed this Worm copies itself into the following location:
- :[Removable Drive]:\webguard\webguard32.exe
- %Systemdrive%\RECYCLER\S-1-(Varies)\MsMxEng.exe
And drop the following files:
- %Userprofile%\Desktop\Desktop.ini
- :[Removable Drive]:\autorun.inf
And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.
The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.
The autorun.inf is configured to launch the trojan file via the following command syntax.
- Ì?g?,.Ch?ÊIñáLj?@??è??eéªtlsè?dÃ??????<?N???î??öTm??ò?-ôM?vA???E?oCMý?}ä???Ð?Íx???ÊÖ@?äà?
- [autorun
- Ì?g?,.Ch?ÊIñáLj?@??è??eéªtlsè?dÃ??????<?N???î??öTm??ò?-ôM?vA???E?oCMý?}ä???Ð?Íx???ÊÖ@?äà?
- open=webguard/webguard32.exe
- icon=%SystemRoot%\system32\SHELL32.dll,4
- action=Open folder to view files using Windows Explorer
- USEAUToplay=1
- shell\\open\\\\command=webguard/webguard32.exe
- shell\\\explore\\command=webguard/webguard32.exe
The following registry value has been added.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
“Taskman” = "%Userprofile%\Desktop\MsMxEng.exe"
The above mentioned registry ensures that, the Trojan registers with the compromised system and execute itself upon every boot.
Also this Worm injects with Explorer.exe and connects to the following IP address through a remote port 10021.
- 77.[Removed].10.71
This Worm opens a connection to a remote server on port 44425 and makes a connection from the following site.
- Freebies[Removed]unge.com
It is also capable of spreading via MSN, and known P2P applications as follows:
- BearShare
- iMesh
- Shareaza
- Kazaa
- DC++
- eMule
- LimeWire.
This Worm also performs the following actions:
- Steals sensitive data saved by browser
- Start/stop flooding a remote system.
- Downloads other malicious files and executes it.
[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
----------Updated on March 04, 2010 -------------
File Information
- MD5 - 390522D933D6C62E35384A9683337157
- SHA - D6DA6CDB793C28F4A759B56D568672B827A7BCC7
Aliases
- Kaspersky - IM-Worm.Win32.Yahos.xr
- NOD32 - Win32/Bflient.Y
- Ikarus - IM-Worm.Win32.Yahos
- Microsoft - Trojan:Win32/Rimecud.A
Upon execution the Trojan connects to the following sites:
- Jebena.ana[Removed]olic.su through a remote port 4500.
- xm-load[Removed].com through a remote port 443.
When executed, the Trojan copies itself into the following location:
- %UserProfile%\xvlof.exe
And drop the following files:
- %Appdata%\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe
- %Temp%\375.exe
- %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\8WEL7ODI\bggnind[1].txt
- %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\I65VJICG\server1[1].exe
The following registry value has been added.
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
“mssend” = ""%Appdata%\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe""
The above mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
“Taskman” = "%UserProfile%\xvlof.exe"
The Trojan registers itself as an authorized application with the Windows Firewall by adding the following values to the registry keys.
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
“C:\Documents and Settings\Administrator\Application Data\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe” = "%Appdata%\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe:*:Enabled:ldrsoft" - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
“C:\Documents and Settings\Administrator\Application Data\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe” = "%Appdata%\xdoibern3b3hpdrgynxupjh3axczsxea2\svcnost.exe:*:Enabled:ldrsoft"
Also this Trojan connects to the IP address 91.207.[Removed].7 through a remote port 25.
[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
----------- Updated on October 26, 2010--------------
The sample file sjlp.exe which we received from field on execution, copies itself as sjlp.exe at the following location:
• %RootDir% \Application Data\sjlp.exe
It adds the following registry entry:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = %RootDir%\ Application Data\sjlp.exe "
The above registry confirms that"sjlp.exe" executes every time when windows starts.
As mentioned below, it is capable of propagation via removable drives.
It creates the following file:
* %RootDir%\RECYCLER\[ID]\Desktop.ini
It is also capable of spreading via MSN, and known P2P applications like BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
There may be traffic from infected machines on UDP port 1030 to following domains:
- jebena.[REMOVED]lic.su
- juice.los[REMOVED]la.org
- peer.[REMOVED]e.ru
- teske.[REMOVED]ke.com
----------- Updated on October 12, 2010--------------
The sample file ooyi.exe which we received from field on execution, copies itself as ooyi.exe at the following location:
• %RootDir% \Application Data\ooyi.exe
It adds the following registry entry:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = %RootDir%\ Application Data\ooyi.exe "
The above registry confirms that"ooyi.exe" executes every time when windows starts.
As mentioned below, it is capable of propagation via removable drives.
It creates the following file:
* %RootDir%\RECYCLER\[ID]\Desktop.ini
It is also capable of spreading via MSN, and known P2P applications like BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
There may be traffic from infected machines on UDP port 1030 to following domains:
- prcolina.[REMOVED]onica.com
- kreten. [REMOVED]-ljepotice.ru
- sombrero. [REMOVED].net
- dzaba. [REMOVED].com
- 84.19. [REMOVED].194
---------- Updated on Aug 06, 2010--------------
File Information:
- MD5 - f5f4ec6d780715d713b7e085fd24447c
- SHA1 - f4507f91806aef7bdbbab1047b5ce4d5d6033e6c
Aliases:
- BitDefender - Worm.Generic.261149
- F-Secure - Worm.Generic.261149
- Kaspersky - P2P-Worm.Win32.Palevo.fuc
- NOD32 - a variant of Win32/Kryptik.ESG
Upon execution, the Trojan injects its malicious code into the running process "explorer.exe" and, from within that process, connects to the domain "tinaivanovic.sexy-[removed].info" on remote port 53000.
The following files have been added:
- %Userprofile%\ctfmon.exe [Detected as W32/Rimecud]
- %Userprofile%\Desktop.ini [Not a malicious file]
The following registry value has been added:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
Taskman = "%Userprofile%\Desktop\ctfmon.exe"
The above registry entry ensures that the Trojan "ctfmon.exe" executes every time Windows starts.
[Note: %Userprofile% - C:\Documents and Settings\[UserName]]
---------
-- Update May 11, 2010 --
The sample file fix.exe, received from the field, copies itself on execution as hdav.exe to the following location:
- %RootDir%\RECYLCER\[ID]\hdav.exe (detected as W32/Rimecud)
It adds the following registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = "%RootDir%\RECYLCER\[ID]\hdav.exe"
As mentioned below, it is capable of propagation via removable drives. It creates an autorun.inf file which contains the following data:
[autorun]
open=FIREWALL\fix.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
action=Open folder to view files
shell\open=Open
shell\open\command=FIREWALL\fix.exe
shell\open\default=1
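The autorun.inf above is what makes the worm run when an infected drive is opened: both the "open" entry and the "shell\open\command" entry point at an executable that travels with the drive, and the "action" text imitates the prompt Explorer shows for a harmless drive. The following is an added example (not McAfee's code) of a triage script that parses such a file and reports those entries; the sample content is the autorun.inf quoted in this update, embedded inline as constructed input.

```python
# Added example (not McAfee's code): parse an autorun.inf from a removable drive
# and report entries that launch a program stored on that drive, which is how the
# worm's autorun.inf above runs FIREWALL\fix.exe when the drive is opened.
import configparser

# Constructed sample: the autorun.inf content quoted in the May 2010 update.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=FIREWALL\fix.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
action=Open folder to view files
shell\open=Open
shell\open\command=FIREWALL\fix.exe
shell\open\default=1
"""

# Keys whose value is executed when the drive is inserted or opened: "open",
# "shellexecute" and any "shell\<verb>\command" entry.
EXEC_KEYS = ("open", "shellexecute")
COMMAND_SUFFIX = "\\command"

# The text Explorer itself shows for a plain removable drive; malware copies it so
# the AutoPlay dialog looks legitimate.
EXPLORER_DEFAULT_PROMPT = "open folder to view files"


def parse_autorun(text):
    """Return the [autorun] section (section name case-insensitive) as a dict of lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])  # ConfigParser lower-cases option names
    return {}


def program_of(value):
    """First token of a command line, with surrounding quotes removed."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def suspicious_commands(text):
    """Return (key, program) pairs whose program is a relative path, i.e. lives on the drive."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS or key.endswith(COMMAND_SUFFIX):
            program = program_of(value)
            # A relative path (no drive letter, no UNC prefix) resolves against the drive root,
            # so the executable is carried on the removable media itself.
            if program and ":" not in program and not program.startswith("\\\\"):
                findings.append((key, program))
    return findings


def mimics_explorer_prompt(text):
    """True when the "action" text impersonates Explorer's own AutoPlay wording."""
    action = parse_autorun(text).get("action", "")
    return EXPLORER_DEFAULT_PROMPT in action.lower()


if __name__ == "__main__":
    for key, program in suspicious_commands(SAMPLE_AUTORUN_INF):
        print(f"{key} launches {program} from the drive")
    if mimics_explorer_prompt(SAMPLE_AUTORUN_INF):
        print("action text imitates Explorer's default prompt")
```

Run against the quoted file, this reports "open" and "shell\open\command" as launching FIREWALL\fix.exe from the drive and flags the copied prompt text. A legitimate autorun.inf that only sets "icon" or "label" produces no findings. On a live system the same check can be applied to every mounted drive's root autorun.inf before the drive is opened in Explorer.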
It is also capable of spreading via MSN, and known P2P applications like BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
There may be traffic from infected machines on UDP port 10111 to the following domains:
- arta.romail[Removed]est.info
- parta.q8[Removed]ll.net
- furious.devils[Removed].com
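The updates above name the ports the worm beacons on (UDP 1030 for the October 2010 samples, UDP 10111 for this May 2010 sample, and remote port 53000 for the August 2010 sample) and note that the traffic originates from the injected explorer.exe. As an added example (not McAfee's code), the script below runs that combination over connection-log lines. The log layout is an assumed CSV export of per-process network-connection events (the column names are this example's own), and the sample lines and addresses are constructed.

```python
# Added example (not McAfee's code): scan connection logs for the beacon ports named
# in the description (UDP 1030, UDP 10111, remote port 53000) and highlight those
# made from explorer.exe, the process the worm injects into.
import csv
import io
from collections import namedtuple

Finding = namedtuple("Finding", "time image proto dst_ip dst_port reason")

# Port/protocol pairs taken from the description. The August 2010 update gives port
# 53000 without a protocol, so it is matched for any protocol.
WATCHED_PORTS = {
    ("udp", 1030): "UDP/1030 beacon (October 2010 samples)",
    ("udp", 10111): "UDP/10111 beacon (May 2010 sample)",
    ("*", 53000): "remote port 53000 (August 2010 sample)",
}

# Constructed sample log in a simplified per-process network-connection layout
# (an assumed CSV export; the column names are this example's own).
SAMPLE_LOG = r"""time,image,proto,dst_ip,dst_port
2010-10-26T09:00:01,C:\WINDOWS\explorer.exe,udp,203.0.113.10,1030
2010-10-26T09:00:02,C:\WINDOWS\explorer.exe,tcp,203.0.113.20,443
2010-10-26T09:00:03,C:\Program Files\Mozilla Firefox\firefox.exe,tcp,198.51.100.5,80
2010-10-26T09:00:04,C:\WINDOWS\explorer.exe,tcp,203.0.113.30,53000
2010-10-26T09:00:05,C:\WINDOWS\system32\svchost.exe,udp,203.0.113.40,1030
"""


def scan_connections(csv_text):
    """Return a Finding for every connection to a watched port."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proto, port = row["proto"].lower(), int(row["dst_port"])
        reason = WATCHED_PORTS.get((proto, port)) or WATCHED_PORTS.get(("*", port))
        if reason is None:
            continue
        image = row["image"].rsplit("\\", 1)[-1].lower()
        if image == "explorer.exe":
            # explorer.exe has no business beaconing to these ports; the worm runs inside it.
            reason += "; from explorer.exe, the worm's injection target"
        findings.append(Finding(row["time"], row["image"], proto, row["dst_ip"], port, reason))
    return findings


def explorer_beacons(csv_text):
    """Only the findings attributable to an injected explorer.exe."""
    return [f for f in scan_connections(csv_text) if "explorer.exe" in f.reason]


if __name__ == "__main__":
    for f in scan_connections(SAMPLE_LOG):
        print(f"{f.time} {f.image} -> {f.dst_ip}:{f.dst_port}/{f.proto}: {f.reason}")
```

On the constructed log this yields three findings (two from explorer.exe, one from svchost.exe on UDP 1030); the explorer.exe pair is the strongest signal, since the description places the worm's network code inside that process. The port list is deliberately narrow: add the destination domains from the updates (once de-redacted from your own telemetry) as a second key if DNS logs are available.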
-- Update March 5, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2010/03/02/mariposa_botnet_takedown/
--
The worm often uses file names such as nissan.exe, sysdate.exe, or dllrun32.exe, though other file names are possible.
Upon execution, the worm copies itself to the following file:
* %RootDir%\RECYLCER\[ID]\sysdate.exe
(where %RootDir% is the root of the drive, e.g. C:\)
It creates the following file:
* %RootDir%\RECYLCER\[ID]\Desktop.ini
It adds the following registry key:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman: "%RootDir%\RECYLCER\[ID]\sysdate.exe"
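Every variant described on this page persists through the same Winlogon "Taskman" value, which a clean Windows installation does not set; its mere presence is therefore worth investigating. As an added example (not McAfee's code), the script below parses a `reg export` of the Winlogon key and reports a Taskman value, noting whether its path falls in one of the directories the variants above use. The .reg text is constructed to mirror the entry above; the SID-style folder name stands in for the page's "[ID]" placeholder and is not a real indicator.

```python
# Added example (not McAfee's code): parse a `reg export` of the Winlogon key and
# report a Taskman value, which the worm uses for persistence and which a clean
# system does not set.
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Directories the described variants drop into (RECYLCER as spelled on this page,
# plus the correctly spelled RECYCLER and "Application Data" from later updates).
SUSPECT_DIRS = ("\\recylcer\\", "\\recycler\\", "\\application data\\")

# Constructed .reg export mirroring the entry above. The SID-like folder name is a
# placeholder for the page's "[ID]", not a real indicator.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Taskman"="C:\\RECYLCER\\S-1-5-21-0-0-0-500\\sysdate.exe"
"""

# Constructed export of the same key on a clean system: no Taskman value.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

# "name"="value" with .reg escaping (\\ and \") inside either string.
_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for REG_SZ values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _SZ_LINE.match(line)
            if m:
                # Undo .reg escaping: "\\" -> "\" and "\"" -> '"'.
                name, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                keys[current][name] = value
    return keys


def check_taskman(text):
    """Return (found, path, reasons). Value names are case-insensitive in the registry."""
    winlogon = parse_reg_export(text).get(WINLOGON_KEY, {})
    path = next((v for k, v in winlogon.items() if k.lower() == "taskman"), None)
    if path is None:
        return (False, None, [])
    reasons = ["Winlogon\\Taskman is set; Windows does not set it by default"]
    if any(d in path.lower() for d in SUSPECT_DIRS):
        reasons.append("path is inside a directory this worm is known to use")
    return (True, path, reasons)


if __name__ == "__main__":
    found, path, reasons = check_taskman(SAMPLE_REG)
    print("Taskman found:", found, path)
    for r in reasons:
        print(" -", r)
```

`reg export` writes UTF-16 with a byte-order mark, so read a real export with `open(path, encoding="utf-16")` before passing it to `check_taskman`. The parser deliberately ignores hex and dword values; Taskman is a string value, and the point of the check is its presence, not its exact contents.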
It injects malicious code into the explorer.exe process and then terminates its own process.
It also injects a small piece of code into another, non-explorer process, which monitors the explorer.exe process.
If the infected explorer.exe crashes, that non-explorer process restarts the worm and re-injects the code into explorer.exe.
The worm can spread via removable drives or network shares. When a removable drive or network drive is present, the malware creates a directory at the root of that drive and drops the following two files:
* %RootDir%\cache.tmp\tmp376 (the file name may be random)
* %RootDir%\cache.tmp\Desktop.ini
The worm can also spread via MSN and P2P network.
The worm attempts to download further malware from remote servers.
The remote servers it connects with include:
* Bfisb[removed].org
* Butte[removed].es
* San[removed]ica.com
* Butte[removed].biz
* Qwer[removed].es
The worm opens a backdoor which enables remote attackers to perform the following actions:
* DDoS
* steal Firefox passwords
* steal IE passwords
* download files
* start P2P spread
* start MSN spread
* start USB spread
* etc.
Symptoms -
- Presence of aforementioned registry entries and files.
- Presence of unexpected network connections.
Method of Infection -
This malware can spread via removable drives, network shares, MSN, or peer-to-peer networks.
Removal -
Use current engine and DAT files for detection and removal.
Reboot and rescan the infected machine after scanning.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants -
N/A