Trojan:Win32/Rimecud.A copies itself to c:\documents and settings\administrator\application data\ohydy.exe. The path reflects the analysis environment: it is the Application Data folder (%APPDATA%) of the user account, here "administrator", under which the sample was run.
The malware modifies the following registry entry so that its copy executes at each Windows start:
Adds value: "Taskman"
With data: "c:\documents and settings\administrator\application data\ohydy.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
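The Winlogon "Taskman" value is normally absent on a clean system, so its mere presence is worth flagging. The following PowerShell script is an added example and is not part of the original description or of any Microsoft tooling: it reads the Taskman value from the live machine, extracts the referenced executable, hashes it, and compares the result against the SHA-1 of the analyzed sample quoted at the end of this description. The helper name Get-TaskmanExecutable is an assumption introduced here.

```powershell
# Added example (not from the original description): audit the Winlogon
# "Taskman" autostart value that Trojan:Win32/Rimecud.A abuses for persistence.
# Requires PowerShell 4.0 or later for Get-FileHash; read access to HKLM is enough.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$knownBad = '2fd0085228af699ce884310216a6112543bae995'   # SHA-1 of the analyzed sample

function Get-TaskmanExecutable([string]$value) {
    # Hypothetical helper: reduce a command line to its executable path.
    #   "C:\path with spaces\x.exe" /arg  ->  C:\path with spaces\x.exe
    #   C:\path\x.exe                     ->  C:\path\x.exe
    if ($value -match '^"([^"]+)"') { return $Matches[1] }
    return $value.Trim()
}

$props   = Get-ItemProperty -Path $winlogon -ErrorAction Stop
$taskman = $props.PSObject.Properties['Taskman']

if (-not $taskman) {
    Write-Output 'Winlogon\Taskman is not set (expected on a clean system).'
    return
}

$value = [string]$taskman.Value
Write-Output "Winlogon\Taskman is set: $value"

$exe = [Environment]::ExpandEnvironmentVariables((Get-TaskmanExecutable $value))

if (Test-Path -LiteralPath $exe -PathType Leaf) {
    $sha1 = (Get-FileHash -LiteralPath $exe -Algorithm SHA1).Hash.ToLower()
    Write-Output "  target exists, SHA-1 = $sha1"
    if ($sha1 -eq $knownBad) {
        Write-Output '  MATCH: this is the Rimecud.A sample described here.'
    } else {
        Write-Output '  hash differs from the described sample; a populated Taskman value still warrants manual review.'
    }
} else {
    Write-Output "  target '$exe' does not exist (dangling autostart entry)."
}
```

A non-matching hash does not clear the machine: variants and repacked builds change the hash while reusing the same autostart value, so treat any populated Taskman entry as suspicious until the referenced file has been examined.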
The malware uses code injection to hinder detection and removal. When Trojan:Win32/Rimecud.A executes, it may inject code into running processes, including, for example, the following:
This malware description was produced and published using our automated analysis system's examination of the file with SHA-1 2fd0085228af699ce884310216a6112543bae995.