The family has two main components - a spreading component and a payload component.
The spreading component opens a File Explorer window in the folder it was run from.
The worm drops the payload component in the %TEMP% directory as file the file name <string>.PIF and runs it.
The payload component creates the folder recycler on your PC and copies itself to a random folder there:
It drops the file Desktop.ini, which is used to display the folder c:\recycler in Windows Explorer with a Recycle Bin icon.
It does to make the folder look like the recycle bin, so when you go to open what you think is the recycle bin, instead you'll run the worm.
It changes the registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run so the worm runs each time you start your PC. It uses the same name for the service as the file it dropped.
The worm then injects its main payload code into the explorer.exe process.
The spreading component of Win32/Rimecud sets up a device notification function, which tells the worm when a USB device is plugged in or removed from your PC.
When you plug a USB device in, the worm copies itself to the device, for example:
It also creates an autorun.inf file in the root folder of the device. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
The payload component can also spread in this way. In this case, the worm copies itself to a removable drive and creates an autorun.inf file to run it, for example:
When the drive in which the Win32/Rimecud file is accessed, the option to "Open folder to view files" is displayed when the drive is accessed (this is in addition to the legitimate option that is displayed if the Windows Autorun feature is turned on). One of these options displays the files in the drive using Windows Explorer (this is the legitimate option from Windows), while the other runs the malware (this is the malicious option), while also opening Windows Explorer.
The spreading component can spread in a variety of messaging applications, including the following:
- AOL Instant Messenger
- Yahoo Messenger
It does this by looking for windows associated with the messaging application and clicking on menu items and buttons to paste and send an instant message to your contacts. The instant message contains a link to the malware.
The payload component can also be instructed to send links if the infected user has MSN messenger installed. It does this by redirecting the send and WSARecv APIs in the MSN messenger process to its own code. The worm then attempts to check for the initiation of a conversation and may paste messages specified by the attacker into conversations. This can include links to copies of the worm or other malware.
Allows backdoor access and control
The malware opens a UDP connection to a remote server on port 7006. In the wild we have observed the following remote hosts being contacted:
The malware can then be instructed to perform any of the following actions:
- Check the version of the malware
- Patch MSN Messenger to insert messages
- Initiate/stop spreading via removable drives using the payload component
- Initiate/stop flooding a remote host (causing a Denial of Service condition)
- Initiate/stop scanning on the affected network for machines using VNC
- Get the location of the following common Peer to Peer (P2P) File sharing programs, and download files to that location:
- Steal passwords and sensitive data from protected storage saved by the Web Browser
- Download and run arbitrary executable files to the %temp% directory
- Download and run files/update itself
- Download and run scripts or commands/direct to a remote host
Analysis by Ray Roberts and Marian Radu