This family of worms has multiple components that spread via removable drives and instant messaging. The worms can also let a remote malicious hacker to get access to your PC.

Microsoft security software detects and removes this threat.

This family of worms has multiple components that spread via removable drives and instant messaging.

The worms can also let a remote malicious hacker to get access to your PC.

Find out ways that malware can get on your PC.  

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


The family has two main components - a spreading component and a payload component.

The spreading component opens a File Explorer window in the folder it was run from.

The worm drops the payload component in the %TEMP% directory as file the file name <string>.PIF and runs it.

The payload component creates the folder recycler on your PC and copies itself to a random folder there:

  • c:\recycler\s-1-5-21-<Random Number>\<filename>.exe

For example:

  • c:\recycler\s-1-5-21-2752067127-3165661566-893007534-3655\glps.exe
  • c:\recycler\s-1-5-21-6979474019-8875095302-669511100-9326\winservices.exe
  • c:\recycler\s-1-5-21-5265140054-9693652985-668820870-8913\hd1.exe
  • c:\recycler\s-1-5-21-0614652817-4314771987-489633912-1051\winlogon.exe

It drops the file Desktop.ini, which is used to display the folder c:\recycler in Windows Explorer with a Recycle Bin icon.

It does to make the folder look like the recycle bin, so when you go to open what you think is the recycle bin, instead you'll run the worm.

It changes the registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run so the worm runs each time you start your PC. It uses the same name for the service as the file it dropped.

The worm then injects its main payload code into the explorer.exe process.

Spreads via…

Removable drives

The spreading component of Win32/Rimecud sets up a device notification function, which tells the worm when a USB device is plugged in or removed from your PC.

When you plug a USB device in, the worm copies itself to the device, for example:

  • B:\vshost.exe

It also creates an autorun.inf file in the root folder of the device. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

The payload component can also spread in this way. In this case, the worm copies itself to a removable drive and creates an autorun.inf file to run it, for example:

  • RECYCLER\autorun.exe
  • autorun.inf

When the drive in which the Win32/Rimecud file is accessed, the option to "Open folder to view files" is displayed when the drive is accessed (this is in addition to the legitimate option that is displayed if the Windows Autorun feature is turned on). One of these options displays the files in the drive using Windows Explorer (this is the legitimate option from Windows), while the other runs the malware (this is the malicious option), while also opening Windows Explorer.

Instant Messenger

The spreading component can spread in a variety of messaging applications, including the following:

  • AOL Instant Messenger
  • ICQ
  • Skype
  • Yahoo Messenger

It does this by looking for windows associated with the messaging application and clicking on menu items and buttons to paste and send an instant message to your contacts. The instant message contains a link to the malware.

The payload component can also be instructed to send links if the infected user has MSN messenger installed. It does this by redirecting the send and WSARecv APIs in the MSN messenger process to its own code. The worm then attempts to check for the initiation of a conversation and may paste messages specified by the attacker into conversations. This can include links to copies of the worm or other malware.


Allows backdoor access and control

The malware opens a UDP connection to a remote server on port 7006. In the wild we have observed the following remote hosts being contacted:


The malware can then be instructed to perform any of the following actions:

  • Check the version of the malware
  • Patch MSN Messenger to insert messages
  • Initiate/stop spreading via removable drives using the payload component
  • Initiate/stop flooding a remote host (causing a Denial of Service condition)
  • Initiate/stop scanning on the affected network for machines using VNC
  • Get the location of the following common Peer to Peer (P2P) File sharing programs, and download files to that location:
    • Ares
    • Bearshare
    • iMesh
    • Shareazza
    • Kazza
    • DC++
    • Emule
    • Emule Plus
    • Limewire
  • Steal passwords and sensitive data from protected storage saved by the Web Browser
  • Download and run arbitrary executable files to the %temp% directory
  • Download and run files/update itself
  • Download and run scripts or commands/direct to a remote host

Analysis by Ray Roberts and Marian Radu


Alerts from your security software may be the only symptom.


Alert level: Severe
This entry was first published on: Dec 14, 2009
This entry was updated on: Oct 13, 2014

This threat is also detected as:
  • Mariposa botnet (other)