Worm:Win32/Rimecud.R is a worm that spreads via removable drives, shared folders, and MSN Messenger. It also connects to remote servers.

What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see
Disable Autorun functionality
This threat attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares (see above for further detail).
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see:
  4. Remove any unnecessary network shares or mapped drives.
Note: Additionally, it may be necessary to temporarily change the permissions on network shares to read-only until the disinfection process is complete.

Threat behavior

Worm:Win32/Rimecud.R is a worm that spreads via removable drives, shared folders, and MSN Messenger. It also connects to remote servers.
When executed, Worm:Win32/Rimecud.R copies itself to the following location on the computer:
C:\Recycler\s-1-5-21-<random number>\<random file name>.exe
For example:
It then modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "Taskman"
With data: "C:\Recycler\s-1-5-21-<random number>\<random file name>.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It also injects its main payload code into the "explorer.exe" process.
Worm:Win32/Rimecud.R creates the following mutexes:
  • "DBWinMutex"
  • "lll_fejh__frg65fx"
Spreads via...
Removable drives
Worm:Win32/Rimecud.R spreads via removable drives by copying itself to any drives it finds, using the same path format described above in the Installation section. To enable its copy to run every time the drive is accessed on a computer where Autorun is enabled, it also creates a file named "autorun.inf" that points to the worm copy.
Instant messenger programs
Worm:Win32/Rimecud.R spreads via MSN Messenger to a user's contacts. If a user is connected via MSN Messenger, Worm:Win32/Rimecud.R may send a message to all of the user's contacts containing a link to a worm copy.
Shared folders
Worm:Win32/Rimecud.R copies itself to the shared folders within the computer. These include those shared by Windows by default, such as "My Shared Folder", or those shared by peer-to-peer file sharing programs, such as the following:
Connects to a remote server
Worm:Win32/Rimecud.R connects to the following remote servers, which may be to download arbitrary files or to send information about the infected computer:
Additional information
Worm:Win32/Rimecud.R creates a window with the title "noacclass".
Analysis by Jaime Wong


System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following folder:
  • The presence of the following registry modifications:
    Added value: "Taskman"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
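As an added example (not part of the original entry and not Microsoft's code), the following Python triage routine evaluates the host indicators this entry lists: the Winlogon "Taskman" value pointing into a Recycler folder, an autorun.inf on a removable drive that launches such a copy, and the two mutex names. It runs against constructed sample data embedded in the block; the exact shape of the Recycler path pattern, the autorun.inf key names it inspects, and all sample values are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample data modelled on the indicators in the entry; none of
# these values are real observations from an infected machine.
SAMPLE_WINLOGON_VALUES = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Taskman": r"C:\Recycler\s-1-5-21-1234567890\xjdk.exe",
}

SAMPLE_AUTORUN_INF = """[autorun]
open=Recycler\\s-1-5-21-1234567890\\xjdk.exe
shellexecute=Recycler\\s-1-5-21-1234567890\\xjdk.exe
icon=%systemroot%\\system32\\shell32.dll,4
"""

SAMPLE_MUTEXES = ["DBWinMutex", "lll_fejh__frg65fx", "Global\\ConstructedOther"]

# Assumed pattern for the worm copy: an .exe inside a fake SID-named folder
# under Recycler, with or without a drive prefix (absolute in the registry,
# relative in an autorun.inf at the drive root).
RECYCLER_EXE = re.compile(
    r"^(?:[A-Z]:\\)?Recycler\\s-1-5-21-\d+\\[^\\]+\.exe$", re.IGNORECASE
)

# Mutex names listed in the entry. DBWinMutex is a weak indicator on its own:
# it is the mutex OutputDebugString uses to hand off to debug-output viewers,
# so legitimate debugging tools hold it too.
FAMILY_MUTEXES = {"DBWinMutex", "lll_fejh__frg65fx"}
SPECIFIC_MUTEX = "lll_fejh__frg65fx"


def check_winlogon_taskman(values):
    """Return a finding if the Winlogon 'Taskman' value is present.

    The value is absent on a default Windows install, so its presence alone
    deserves a look; data matching the Recycler pattern matches this family.
    """
    data = values.get("Taskman")
    if data is None:
        return None
    if RECYCLER_EXE.match(data):
        return f"Winlogon\\Taskman points at a Recycler executable: {data}"
    return f"Winlogon\\Taskman is set (unusual on a default install): {data}"


def parse_autorun_inf(text):
    """Return the launch targets an autorun.inf names in its open/shellexecute keys."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    targets = []
    if cp.has_section("autorun"):
        for key in ("open", "shellexecute"):
            if cp.has_option("autorun", key):
                targets.append(cp.get("autorun", key).strip())
    return targets


def check_autorun_inf(text):
    """Return only those autorun.inf targets that match the Recycler pattern."""
    return [t for t in parse_autorun_inf(text) if RECYCLER_EXE.match(t)]


def check_mutexes(names):
    """Return (matching mutex names, whether the family-specific one is present)."""
    hits = [n for n in names if n in FAMILY_MUTEXES]
    return hits, SPECIFIC_MUTEX in hits


def assess(winlogon_values, autorun_inf_text, mutex_names):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    taskman = check_winlogon_taskman(winlogon_values)
    if taskman:
        findings.append(taskman)
    for target in check_autorun_inf(autorun_inf_text):
        findings.append(f"autorun.inf launches a Recycler executable: {target}")
    hits, specific = check_mutexes(mutex_names)
    if specific:
        findings.append(f"family-specific mutex present: {SPECIFIC_MUTEX}")
    elif hits:
        findings.append("only DBWinMutex seen (weak; shared with legitimate debug tooling)")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_WINLOGON_VALUES, SAMPLE_AUTORUN_INF, SAMPLE_MUTEXES):
        print(line)
```

On a live Windows host the three inputs would come from reading the Winlogon key, the root of each removable drive, and the current mutex list; the checks themselves are kept free of Windows APIs so the logic can be exercised anywhere. Note that a present "Taskman" value is reported even when it does not match the Recycler pattern, because the value is not set by default and other families reuse the same persistence point.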


Alert level: Severe
First detected by definition: 1.69.443.0
Latest detected by definition: 1.89.1383.0 and higher
First detected on: Nov 02, 2009
This entry was first published on: Feb 12, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Autorun.worm.136192.K (AhnLab)
  • W32/Worm.AOPV (Command)
  • P2P-Worm.Win32.Palevo.kbc (Kaspersky)
  • Worm.Win32.AutoRun.sus (Rising AV)
  • W32.Pilleuz (Symantec)
  • WORM_PALEVO.SMFA (Trend Micro)