Threat behavior
Worm:Win32/Rimecud.A is a worm that spreads by copying itself to removable drives, messenger and peer-to-peer file sharing networks. It also contains backdoor functionality that allows unauthorized access and control of an affected machine. It is dropped and executed by TrojanDropper:Win32/Autorun.GR. In the wild, TrojanDropper:Win32/Autorun.GR has been distributed inside a ZIP archive called 'christmas.zip'.
Installation
When executed, TrojanDropper:Win32/Autorun.GR drops two files into the Temp directory:
It then displays the JPEG and runs the worm.
It has been distributed inside a ZIP file called christmas.zip. The name of the dropper inside the ZIP is “happy_christmas.jpg(150 x 0xFF).scr”. There are 150 copies of the byte 0xFF between the .jpg and .scr extensions. This byte renders like a space in most programs, including Explorer, so the visible name appears to end in .jpg while the real extension is .scr.
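The padded-double-extension trick described above is easy to spot mechanically before an archive is opened. The following Python scanner is an added example, not code from Microsoft or from this analysis; it inspects ZIP member names for an executable extension preceded by a decoy extension and a run of blank-rendering characters. The member names, the archive built by build_sample_zip(), and the extension sets are constructed here for illustration; the sample archive only mirrors the page's description of the name (150 filler bytes between .jpg and .scr) and contains placeholder content, not the dropper.

```python
import io
import os
import re
import zipfile
from typing import Dict, List, Optional

# Extensions Windows will execute on double-click (an illustrative subset).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}

# Extensions commonly used as decoys in front of a real executable extension
# (illustrative list, an assumption of this example).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx", ".txt", ".xls", ".zip"}

# Characters that render as blank (or not at all) in Explorer and most file
# dialogs. Byte 0xFF is a no-break space in code page 437: zipfile decodes
# legacy ZIP names as cp437, which yields U+00A0, while a latin-1 style
# decode yields U+00FF. Both are included, plus Unicode spaces and tabs.
FILLER_CLASS = "\xff\xa0\u2000-\u200b\u3000 \t"
DECOY_RE = re.compile(r"(\.[A-Za-z0-9]{2,5})([" + FILLER_CLASS + r"]*)$")


def classify_name(member_name: str) -> Optional[Dict[str, object]]:
    """Return a finding for a deceptively named member, or None if it looks normal."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, real_ext = os.path.splitext(base)
    real_ext = real_ext.lower()
    if real_ext not in EXECUTABLE_EXTS:
        return None  # not executable, nothing to disguise
    m = DECOY_RE.search(stem)
    if not m:
        return None  # plain "setup.exe": executable, but not disguised
    decoy_ext, padding = m.group(1).lower(), m.group(2)
    if not padding and decoy_ext not in DECOY_EXTS:
        return None  # e.g. "v1.10.exe": a version number, not a decoy
    return {
        "name": member_name,
        "decoy_ext": decoy_ext,
        "real_ext": real_ext,
        "padding": len(padding),
        "filler": sorted({"U+%04X" % ord(c) for c in padding}),
        "verdict": "padded_double_extension" if padding else "double_extension",
    }


def scan_zip(archive_bytes: bytes) -> List[Dict[str, object]]:
    """Scan every member name of an in-memory ZIP archive and return the findings."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
    return [finding for finding in map(classify_name, names) if finding]


def build_sample_zip() -> bytes:
    """Constructed sample archive modelled on the page's description of christmas.zip.

    The member contents are placeholders; only the naming pattern is reproduced.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("happy_christmas.jpg" + "\xff" * 150 + ".scr", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"constructed benign member")
        zf.writestr("photo.jpg", b"\xff\xd8\xff")  # JPEG magic only
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding["verdict"], repr(finding["name"][:25] + "..."),
              "padding=%d" % finding["padding"], finding["filler"])
```

Because the check runs on the raw member name rather than on how a file browser draws it, it does not depend on which blank-looking character the author chose; any run of the listed fillers between two extensions produces a padded_double_extension finding, and a bare decoy pair such as report.pdf.exe is still reported at the weaker double_extension level.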
Worm:Win32/Rimecud.A can be ordered, via backdoor commands, to send URLs via Windows Live Messenger, so it is likely that this feature was used to distribute the dropper.
Analysis by Hamish O'Dea
Prevention