
Worm:Win32/Rimecud.B


Worm:Win32/Rimecud is a family of worms with multiple components that spreads via removable drives and instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected machine.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Disable Autorun functionality
Worm:Win32/Rimecud.B attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:
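As an added example (not part of the Microsoft write-up), the following PowerShell sets the NoDriveTypeAutoRun policy value that controls Autorun per drive type. The bit layout and the 0x91 default are documented Windows behaviour; the before/after report format is this script's own. Run it from an elevated prompt.

```powershell
# Added example, not part of the Microsoft write-up: set NoDriveTypeAutoRun so
# Windows ignores autorun.inf on every drive type. Run from an elevated prompt.
#
#   bit 0x04 = removable drives   bit 0x08 = fixed drives
#   bit 0x10 = network drives     bit 0x20 = CD-ROM drives
#   default 0x91 (0x80|0x10|0x01) disables Autorun only for unknown and
#   network drives, so USB sticks and CDs still autorun: the weak setting.
#   0xFF sets every bit: the hardened setting.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Record the current value so the change is auditable.
    $before = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $before) { $beforeText = 'unset (effective default 0x91)' }
    else                   { $beforeText = '0x{0:X2}' -f $before }

    # REG_DWORD 0xFF: no drive type is permitted to autorun.
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

    $after = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
    '{0}: NoDriveTypeAutoRun {1} -> 0x{2:X2}' -f $key, $beforeText, $after
}
```

Setting the value in both hives covers the machine-wide and per-user policy locations. On Windows XP and Server 2003 the value is honoured only partially until the Autorun update described in Microsoft KB967715 is installed; without it, autorun.inf is still processed when the drive is opened in Explorer, which is exactly the "when the drive is accessed" path this write-up describes. Verify after a reboot by reading the value back rather than assuming the write took effect.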

Threat behavior

Installation
Win32/Rimecud utilizes two main components - a spreading component and a payload component.
Worm:Win32/Rimecud.B is a detection of the payload component.
 
When executed, Rimecud's spreading component opens an Explorer window in the directory it was executed from. The worm then drops the payload component in the %Temp% directory as <string>.PIF and executes it.
 
When executed, the payload component copies itself to the following location:
  • c:\recycler\s-1-5-21-<Random Number>\<filename>.exe
For example:
  • c:\recycler\s-1-5-21-2752067127-3165661566-893007534-3655\glps.exe
  • c:\recycler\s-1-5-21-6979474019-8875095302-669511100-9326\winservices.exe
  • c:\recycler\s-1-5-21-5265140054-9693652985-668820870-8913\hd1.exe
  • c:\recycler\s-1-5-21-0614652817-4314771987-489633912-1051\winlogon.exe
The folder name imitates the per-user SID folders that Windows XP keeps under RECYCLER, but the numbers are random rather than a real account SID; a sub-authority such as 6979474019 cannot occur in a genuine SID because each sub-authority is a 32-bit value.
 
It then creates an associated registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure execution at each Windows start.
 
The worm then injects its main payload code into the "explorer.exe" process.
Spreads via…
Removable drives
The spreading component of Win32/Rimecud registers a device notification callback that is invoked when a USB device is plugged into or removed from the system.
 
When a drive is found, the worm copies itself to the root directory of that drive and creates an autorun.inf file to execute the copy. When the removable or networked drive is accessed from another machine that supports the Autorun feature, the malware is launched automatically. For example, it may create the following files:
 
  • B:\vshost.exe - copy of itself
  • B:\autorun.inf - autorun file used to execute the worm's copy
 
The payload component can also spread via autorun.inf when instructed to do so by the remote attacker. In this case it copies itself to a removable drive and creates an autorun.inf to execute it, for example:
  • RECYCLER\autorun.exe
  • autorun.inf
 
Instant Messenger
Rimecud's spreading component spreads via a variety of messaging applications, including the following:
  • Yahoo Messenger
  • ICQ
  • AIM
  • Skype
 
It does this by locating the windows belonging to the targeted application and driving its user interface (clicking menu items and buttons) to paste and send a message containing a link to the malware to the contacts listed in that application.
 
The payload component can also be instructed to send links if the affected user has MSN Messenger installed. It does this by hooking the send and WSARecv APIs inside the MSN Messenger process so that they are redirected to its own code. Rimecud then watches for a conversation being started and may paste attacker-specified messages into it; these can include links to copies of the worm or to other malware.
Payload
Allows backdoor access and control
The malware sends UDP traffic to port 7006 on a remote server. For example, in the wild, we have observed the following remote hosts being contacted in this manner:
  • irc.ekizmedia.com
  • zone.arminboutique.com
  • story.dnsentrymx.com
 
The malware can then be instructed to perform any of the following actions:
  • Check the version of the malware
  • Patch MSN messenger to insert messages
  • Initiate/Stop spreading via removable drives using the payload component
  • Initiate/Stop flooding a remote host (causing a Denial of Service condition)
  • Initiate/Stop scanning on the affected network for machines using VNC
  • Get the location of the following common peer-to-peer file sharing programs, and download files to that location:
    • Ares
    • BearShare
    • iMesh
    • Shareaza
    • Kazaa
    • DC++
    • eMule
    • eMule Plus
    • LimeWire
  • Steal passwords and other sensitive data that the web browser has saved in Protected Storage
  • Download arbitrary executable files to the %Temp% directory and execute them
  • Download and execute files / update itself
  • Download and execute scripts or commands / redirect to a remote host
 
Analysis by Ray Roberts

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following folder:
    • c:\recycler\s-1-5-21-<Random Number>
  • The presence of any of the following files in your removable drives:
    • <drive>:\vshost.exe
    • <drive>:\RECYCLER\autorun.exe
    • <drive>:\autorun.inf
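The following PowerShell is an added example, not part of the Microsoft write-up, that sweeps a host for the artifacts described under Installation, Spreads via and Symptoms above: the fake RECYCLER SID folder, the Run value, the %Temp% .PIF dropper, the files on removable drives (and what their autorun.inf would launch), and the resolver cache for the three command-and-control names. The paths, value names and hostnames come from the write-up; the Recycle Bin naming test and the SID resolution test are this script's own heuristics.

```powershell
# Added example, not part of the Microsoft write-up: read-only triage sweep for
# the Rimecud.B artifacts. Run as Administrator, and only after Autorun has
# been disabled on the examining machine (inserting an infected drive is
# otherwise enough to launch the worm).
$findings = @()

# 1. c:\recycler\s-1-5-21-<random>\<name>.exe
#    RECYCLER legitimately holds one S-1-5-21-* folder per user on Windows XP,
#    so test two things (this script's heuristics): does the SID resolve to an
#    account, and does the folder hold anything other than the INFO2 index,
#    desktop.ini and the D<drive><index>.<ext> names the Recycle Bin uses?
$bins = Get-ChildItem -Path 'C:\RECYCLER' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^S-1-5-21-' }
foreach ($bin in $bins) {
    $resolves = $false
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $bin.Name
        $null = $sid.Translate([System.Security.Principal.NTAccount])
        $resolves = $true
    } catch { }   # malformed SID (e.g. a sub-authority above 32 bits) or unknown account
    $odd = Get-ChildItem -Path $bin.FullName -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer -and
                          $_.Name -ne 'INFO2' -and $_.Name -ne 'desktop.ini' -and
                          $_.Name -notmatch '^D[a-z]\d+\.' }
    if (-not $resolves -or $odd) {
        $names = ($odd | ForEach-Object { $_.Name }) -join ', '
        $findings += "RECYCLER folder $($bin.FullName): SID resolves=$resolves, unexpected files: $names"
    }
}

# 2. Run value pointing into RECYCLER. The write-up names HKCU; HKLM is
#    checked as well because it costs nothing.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if ("$($p.Value)" -match '\\recycler\\') {
            $findings += "Run value '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

# 3. The spreading component drops <string>.PIF into %Temp%.
foreach ($pif in Get-ChildItem -Path $env:TEMP -Filter '*.pif' -Force -ErrorAction SilentlyContinue) {
    $findings += "PIF file in %Temp%: $($pif.FullName)"
}

# 4. Removable drives (Win32_LogicalDisk DriveType 2): the dropped copy,
#    RECYCLER\autorun.exe and autorun.inf, plus the launch directives inside it.
foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2') {
    $root = $disk.DeviceID + '\'
    foreach ($rel in 'vshost.exe', 'RECYCLER\autorun.exe', 'autorun.inf') {
        $full = Join-Path -Path $root -ChildPath $rel
        if (Test-Path -LiteralPath $full) { $findings += "Removable drive artifact: $full" }
    }
    $inf = Join-Path -Path $root -ChildPath 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $launch = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                  Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' }
        foreach ($line in $launch) { $findings += "  $inf launches: $($line.Trim())" }
    }
}

# 5. Resolver cache entries for the command-and-control names in the write-up.
$c2 = 'irc.ekizmedia.com', 'zone.arminboutique.com', 'story.dnsentrymx.com'
$dnsCache = ipconfig /displaydns 2>$null
foreach ($name in $c2) {
    if ($dnsCache -match [regex]::Escape($name)) { $findings += "DNS cache holds C2 name: $name" }
}

if ($findings.Count -eq 0) { 'No Rimecud.B indicators found.' } else { $findings }
```

Treat the output as leads, not a verdict: a RECYCLER SID folder left behind by a deleted or domain account also fails to resolve, and the file names on the removable drive are specific to this variant. Because the payload injects into explorer.exe, do not expect to see the worm as its own process; and since the page says manual removal is not recommended, any hit should be followed by the full antivirus scan described under "What to do now".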

Prevention


Alert level: Severe
First detected by definition: 1.55.395.0
Latest detected by definition: 1.191.1323.0 and higher
First detected on: Mar 24, 2009
This entry was first published on: Aug 06, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Buzus.143360.BT (AhnLab)
  • Trojan.Win32.Buzus.apjj (Kaspersky)
  • W32/Buzus.LFM (Norman)
  • Win32/Agent.NFV (ESET)
  • Win32/SillyP2P.BY (CA)
  • W32/Autorun.worm.fz (McAfee)