Worm:Win32/Rimecud.DP is a worm that spreads via removable drives, instant messaging and peer-to-peer file-sharing programs. It also contains backdoor functionality that allows unauthorized access to an affected computer.
Installation
When executed, the worm injects its code into the "explorer.exe" system process.
The worm then makes a copy of itself in the following location, for example:
c:\recycler\s-1-5-21-<Random Number>\msmxeng.exe.exe
Worm:Win32/Rimecud.DP sets the following registry entry to ensure execution at each Windows start:
Adds value: "Taskman"
With data: "c:\recycler\s-1-5-21-<random number>\msmxeng.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Spreads via…
Removable drives
Rimecud registers a device notification callback, which is invoked when a USB device is plugged in or removed from the system. If the plugged-in device is recognized as a storage device, Rimecud makes a copy of itself on the device and writes an "autorun.inf" file to ensure its execution. In the wild, it has been known to create the following files:
<Drive>:\winivid\xcodec.exe
<Drive>:\autorun.inf
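The Winlogon "Taskman" persistence value and the autorun.inf dropped on removable drives are both artifacts a defender can check for on a host. The following Python is an added example and is not part of this Microsoft entry; the regular expression, the function names and the sample autorun.inf text are constructed assumptions based only on the paths quoted above.

```python
"""Host checks for the Rimecud.DP artifacts described above (added example)."""
import re
import sys

# Winlogon\Taskman is normally absent on a default install; the worm sets it to
# a copy of itself under <drive>:\recycler\s-1-5-21-<random number>\.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RECYCLER_RE = re.compile(r"^[a-z]:\\recycler\\s-1-5-21-[0-9-]+\\[^\\]+\.exe",
                         re.IGNORECASE)

# Constructed sample of an autorun.inf that launches the dropped copy.
SAMPLE_AUTORUN = "[autorun]\nopen=winivid\\xcodec.exe\nshellexecute=winivid\\xcodec.exe\n"


def taskman_is_suspicious(value):
    """True if a Winlogon 'Taskman' value points into a RECYCLER SID folder."""
    if value is None:
        return False  # value absent: the expected state
    return bool(RECYCLER_RE.match(value.strip().strip('"')))


def parse_autorun(text):
    """Parse the [autorun] section of an autorun.inf into a lowercase-key dict."""
    keys, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def autorun_launches_exe(text):
    """True if the autorun.inf would start an executable from the drive."""
    keys = parse_autorun(text)
    return any(re.search(r"\.(exe|scr|com|bat|cmd)\b", keys.get(k, ""), re.I)
               for k in ("open", "shellexecute", "shell\\open\\command"))


def read_taskman():
    """Read HKLM Winlogon\\Taskman on Windows; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            return winreg.QueryValueEx(key, "Taskman")[0]
    except OSError:
        return None


if __name__ == "__main__":
    print("Taskman suspicious:", taskman_is_suspicious(read_taskman()))
    print("Sample autorun.inf launches exe:", autorun_launches_exe(SAMPLE_AUTORUN))
```

The autorun check can be run over the root of each removable drive; note that since Windows 7 AutoPlay no longer honours autorun.inf on USB media, so the file is an indicator of infection rather than an active infection vector there.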
Instant Messenger
Rimecud may check for the process "msnmsgr.exe" and inject code into it; in order to redirect its own code, this code hooks the following system APIs:
The worm then parses the MSN protocol and can send a message with a link to itself to the affected user's contacts.
Peer to peer
Rimecud can check for the presence of common file-sharing programs. This allows the worm to write a copy of itself to the shared folders of these programs:
- Ares
- BearShare
- iMesh
- Shareaza
- Kazaa
- DC++
- eMule
- eMule Plus
- LimeWire
Payload
Allows backdoor access and control
Rimecud opens a connection to a remote server on UDP port 44480. For example, we have observed the following remote hosts being contacted in this manner:
digitalmind.cn
antipiracypetition.com
freebieslounge.com
Rimecud can then be instructed to perform any of the following actions:
- Check the version of the malware
- Initiate/stop patching of MSN messenger process to insert messages
- Initiate/stop spreading via removable drives
- Initiate/stop flooding a remote host (causing a denial of service condition)
- Initiate/stop scanning on the affected network for machines using VNC
- Get the location of the following common peer-to-peer file-sharing programs and copy/download files to that location:
  - Ares
  - BearShare
  - iMesh
  - Shareaza
  - Kazaa
  - DC++
  - eMule
  - eMule Plus
  - LimeWire
- Steal passwords and sensitive data saved by the Web browser
- Download and execute arbitrary files
- Update itself
- Download and execute scripts or commands / direct to a remote host
- Run a SOCKS proxy
Analysis by Ray Roberts