Worm:Win32/Rimecud.FR


First posted on 18 May 2010.
Source: SecurityHome

Aliases :

There are no other names known for Worm:Win32/Rimecud.FR.

Explanation :

Worm:Win32/Rimecud.FR is a worm with multiple components that spreads via fixed and removable drives, peer-to-peer (P2P) file sharing, and instant messaging programs. It also contains backdoor functionality that allows unauthorized access to an affected computer.

Installation

Worm:Win32/Rimecud.FR consists of two main components: a spreading component and a payload component. The payload component copies itself to any of the following locations:

  • %AppData%\strbin.exe
  • %AppData%\strbin.dll

It then creates an associated registry entry to ensure its copy executes at each Windows start:

  Adds value: "strbin.exe"
  With data: "%AppData%\strbin.exe"
  To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates a remote thread in the Internet Explorer process that runs in the background, where it can proceed with its backdoor and propagation routines.

Spreads via...

Fixed and removable drives

The spreading component of Worm:Win32/Rimecud.FR enumerates all drives from B: to Z:, searching for fixed and removable drives. If one is found, the worm copies itself to the root folder of the located drive and creates an "autorun.inf" file to execute the copy. When the removable or networked drive is accessed from another computer with Autorun enabled, the malware is launched automatically. For example, it may create the following files:

  • <Drive>\recycler\s-1-5-21-<random number>\autorun.exe - copy of itself
  • <Drive>\recycler\s-1-5-21-<random number>\autorun.inf - autorun file used to execute the worm's copy

Instant messenger programs

Worm:Win32/Rimecud.FR spreads via the Internet chat and messaging application MSN Messenger. It does this by looking for windows associated with the targeted application and clicking on menu items and buttons to paste and send an instant message to the user's contacts. The instant message contains a link to the malware.

The payload component can also be instructed to send links if the infected user has MSN Messenger installed. It does this by redirecting the send and WSARecv APIs in the MSN Messenger process to its own code. Rimecud then attempts to detect the start of a conversation and may paste messages specified by the attacker into conversations. These can include links to copies of the worm or other malware.

Payload

Allows backdoor access and control

Worm:Win32/Rimecud.FR opens a TCP connection to a remote server on port 7010. For example, we have observed the following remote host being contacted:

  • informaciones.estr.es

The malware can then be instructed to perform any of the following actions:

  • Check the version of the malware
  • Patch MSN Messenger to insert messages
  • Initiate/stop spreading via removable drives using the payload component
  • Initiate/stop flooding a remote host (causing a Denial of Service condition)
  • Get the location of the following common peer-to-peer (P2P) file sharing programs, and download files to that location: Ares, DC++, Emule, Limewire
  • Download and execute files or update itself
  • Download and execute scripts or commands
  • Direct to a remote host
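As an added detection example (not part of the original description), the following Python checks a collected host snapshot for the indicators listed above: the strbin.exe Run value, the strbin.exe/strbin.dll drop names, the <Drive>\recycler\s-1-5-21-<random number>\autorun.* files, and the port-7010 connection to informaciones.estr.es. The snapshot layout, the helper names and the sample values are constructed for this example.

```python
import re

# Indicators taken from the Worm:Win32/Rimecud.FR description above.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_NAMES = ("strbin.exe", "strbin.dll")  # written under %AppData%
# <Drive>\recycler\s-1-5-21-<random number>\autorun.exe or autorun.inf
RECYCLER_RE = re.compile(r"^[a-z]:\\recycler\\s-1-5-21-\d+\\autorun\.(exe|inf)$", re.I)
C2_HOST, C2_PORT = "informaciones.estr.es", 7010

def basename(path: str) -> str:  # last component of a Windows path, lower-cased
    return path.rsplit("\\", 1)[-1].lower()

def check_run_entries(entries: list) -> list:
    """Flag Run values whose data is strbin.exe (literal %AppData% or expanded)."""
    return [f"run-key persistence: {key}\\{name} = {data}"
            for key, name, data in entries
            if key.upper() == RUN_KEY.upper() and basename(data) == "strbin.exe"]

def check_files(paths: list) -> list:
    """Flag dropped components (matched on name alone) and the drive-root autorun artifacts."""
    hits = []
    for p in paths:
        if basename(p) in DROPPED_NAMES:
            hits.append(f"dropped component: {p}")
        elif RECYCLER_RE.match(p):
            hits.append(f"drive-spreading artifact: {p}")
    return hits

def check_connections(conns: list) -> list:
    """Flag the observed backdoor host; port 7010 alone is the weaker signal."""
    return [f"backdoor connection: {host}:{port}"
            for host, port in conns if host.lower() == C2_HOST or port == C2_PORT]

def assess(snapshot: dict) -> list:
    return (check_run_entries(snapshot.get("run_entries", []))
            + check_files(snapshot.get("files", []))
            + check_connections(snapshot.get("connections", [])))

# Constructed sample snapshot (not real telemetry): Run values as
# (subkey, value name, data), file paths, and (remote host, port) pairs.
SAMPLE = {
    "run_entries": [(RUN_KEY, "OneDrive", r"C:\Users\a\AppData\Local\OneDrive.exe"),
                    (RUN_KEY, "strbin.exe", r"C:\Users\a\AppData\Roaming\strbin.exe")],
    "files": [r"C:\Users\a\AppData\Roaming\strbin.dll",
              r"E:\recycler\s-1-5-21-8452391\autorun.inf",
              r"E:\recycler\s-1-5-21-8452391\autorun.exe",
              r"E:\photos\IMG_0001.jpg"],
    "connections": [("informaciones.estr.es", 7010), ("update.example.com", 443)],
}
```

Running assess(SAMPLE) yields five findings: the Run value, the dropped DLL, both recycler artifacts and the port-7010 connection, while the OneDrive entry, the photo and the HTTPS connection are left alone.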

    Analysis by Marianne Mallen

    Last update 18 May 2010
