Worm:Win32/Rimecud.R is a worm that spreads via removable drives, shared folders, and MSN Messenger. It also connects to remote servers.
When executed, Worm:Win32/Rimecud.R copies itself to the following location on the computer:
C:\Recycler\s-1-5-21-<random number>\<random file name>.exe
It then modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "Taskman"
With data: "C:\Recycler\s-1-5-21-<random number>\<random file name>.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It also injects its main payload code into the "explorer.exe" process.
Worm:Win32/Rimecud.R creates the following mutexes:
Worm:Win32/Rimecud.R spreads via removable drives by copying itself to any drive it finds, using the same path format described in the Installation section above. To make its copy run every time the drive is accessed when Autorun is enabled, it also creates a file named "autorun.inf" that points to the worm copy.
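The write-up gives two checkable artifacts: the Recycler-style drop path registered under the Winlogon "Taskman" value, and an autorun.inf on a removable drive that points at such a copy. The following triage helper, added here as an example and not part of the original analysis, matches those two indicators against constructed registry and autorun.inf input; the autorun.inf key names it inspects (open, shellexecute, shell\...\command) are the standard launch keys and are an assumption, not something the write-up lists.

```python
import re
from typing import Dict, List

# Drop location format from the write-up:
# C:\Recycler\s-1-5-21-<random number>\<random file name>.exe
# The drive letter is optional so that relative paths inside an autorun.inf
# on a removable drive are matched too.
RECYCLER_DROP = re.compile(
    r"(?:[a-z]:)?\\?recycler\\s-1-5-21-\d[\d-]*\\[^\\]+\.exe",
    re.IGNORECASE,
)
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def is_recycler_drop(path: str) -> bool:
    """True if the value contains a path in the worm's drop-location format."""
    return RECYCLER_DROP.search(path) is not None


def check_winlogon(values: Dict[str, str]) -> List[str]:
    """Inspect the Winlogon subkey's value-name -> data mapping.

    The 'Taskman' value is rarely present on a clean system; if it points at a
    Recycler-style .exe it matches the persistence described in the write-up.
    """
    findings = []
    taskman = values.get("Taskman")
    if taskman is None:
        return findings
    if is_recycler_drop(taskman):
        findings.append(f"{WINLOGON_KEY}\\Taskman -> {taskman} (Rimecud.R-style persistence)")
    else:
        findings.append(f"{WINLOGON_KEY}\\Taskman is set to {taskman}; review manually")
    return findings


def check_autorun_inf(text: str) -> List[str]:
    """Flag autorun.inf launch entries whose target is a Recycler-style .exe.

    Launch keys checked (assumption, standard autorun.inf syntax): open=,
    shellexecute=, and shell\\<verb>\\command=.
    """
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # section header, comment or blank line
        k = key.strip().lower()
        launch = k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))
        if launch and is_recycler_drop(value):
            findings.append(f"autorun.inf {key.strip()}={value.strip()} (launches worm copy)")
    return findings
```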
Instant messenger programs
Worm:Win32/Rimecud.R spreads via MSN Messenger to a user's contacts. If a user is connected via MSN Messenger, Worm:Win32/Rimecud.R may send a message to all of the user's contacts containing a link to a worm copy.
Worm:Win32/Rimecud.R copies itself to the shared folders within the computer. These include those shared by Windows by default, such as "My Shared Folder", or those shared by peer-to-peer file sharing programs, such as the following:
Connects to a remote server
Worm:Win32/Rimecud.R connects to the following remote servers, which it may use to download arbitrary files or to send information about the infected computer:
Worm:Win32/Rimecud.R creates a window with the title "noacclass".
Analysis by Jaime Wong
The following system changes may indicate the presence of this malware: