Worm:Win32/Rimecud.B
First posted on 20 July 2019.
Source: Microsoft
Aliases:
Worm:Win32/Rimecud.B is also known as Win-Trojan/Buzus.143360.BT, Trojan.Win32.Buzus.apjj, W32/Buzus.LFM, Win32/Agent.NFV, Win32/SillyP2P.BY, W32/Autorun.worm.fz.
Explanation:
Worm:Win32/Rimecud is a family of worms with multiple components that spreads via removable drives and instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected machine.

Installation

Win32/Rimecud utilizes two main components: a spreading component and a payload component. Worm:Win32/Rimecud.B is a detection of the payload component. When executed, Rimecud's spreading component opens an Explorer window in the directory it was executed from. The worm then drops the payload component in the %Temp% directory as a .PIF file and executes it. When executed, the payload component copies itself to the following location:

c:\recycler\s-1-5-21-<numbers>\<name>.exe

For example:

c:\recycler\s-1-5-21-2752067127-3165661566-893007534-3655\glps.exe
c:\recycler\s-1-5-21-6979474019-8875095302-669511100-9326\winservices.exe
c:\recycler\s-1-5-21-5265140054-9693652985-668820870-8913\hd1.exe
c:\recycler\s-1-5-21-0614652817-4314771987-489633912-1051\winlogon.exe

It then creates an associated registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure execution at each Windows start. The worm then injects its main payload code into the "explorer.exe" process.

Spreads via…

Removable drives

The spreading component of Win32/Rimecud sets up a device notification function, which gets called when a USB device is plugged in or removed from the system. When a removable drive is found, the worm copies itself to the root directory of that drive and creates an autorun.inf file to execute the copy. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically. For example, it may create the following files:

B:\vshost.exe - copy of itself
B:\autorun.inf - autorun file used to execute the worm's copy

The payload component also has the ability to spread via autorun.inf when instructed to do so. In this case, the worm copies itself to a removable drive and creates an autorun.inf to execute it, for example:

RECYCLER\autorun.exe
autorun.inf

Instant Messenger

Rimecud's spreading component spreads via a variety of messaging applications, including the following:

Yahoo Messenger
ICQ
AIM
Skype

It does this by looking for windows associated with the targeted application and clicking on menu items and buttons to paste and send a message with a link to the malware to listed contacts. The payload component can also be instructed to send links if the infected user has MSN Messenger installed. It does this by redirecting the send and WSARecv APIs in the MSN Messenger process to its own code. Rimecud then attempts to detect the start of a conversation and may paste messages specified by the attacker into the conversation. These can include links to copies of the worm or other malware.

Payload

Allows backdoor access and control

The malware opens a UDP connection to a remote server on port 7006.
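The persistence described under Installation above (a copy under a RECYCLER SID-style directory plus an HKCU Run value pointing at it) can be triaged from the Run key alone. The following Python is an added example written for this page, not code from the original analysis: it assumes the Run values as a name-to-command dictionary (read with winreg on Windows, otherwise a constructed sample), and the SID sanity check is my own heuristic that the write-up does not mention.

```python
import re

try:
    import winreg                      # only available on Windows
except ImportError:                    # non-Windows hosts: fall back to the sample
    winreg = None

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# <drive>:\recycler\s-1-5-21-<numbers>\<name>.exe, optionally quoted, with or
# without trailing arguments, matching the drop location described above.
RECYCLER_DROP = re.compile(
    r'^"?(?P<path>[a-z]:\\recycler\\(?P<sid>s-1-5-21(?:-\d+)+)\\[^\\"]+\.exe)"?',
    re.IGNORECASE,
)
U32_MAX = 0xFFFFFFFF

# Constructed Run-key values (value name -> command line) for this example;
# they are made up, not taken from an infected machine.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "glps": r"c:\recycler\s-1-5-21-2752067127-3165661566-893007534-3655\glps.exe",
    "winservices": r"c:\recycler\s-1-5-21-6979474019-8875095302-669511100-9326\winservices.exe",
    "winlogon": r'"C:\RECYCLER\S-1-5-21-0614652817-4314771987-489633912-1051\winlogon.exe" -s',
}


def sid_is_forged(sid: str) -> bool:
    """My own heuristic, not part of the original analysis: Windows prints each
    SID sub-authority as an unsigned 32-bit integer with no leading zeros.
    Three of the four directory names quoted above violate that, which is a
    cheap way to tell a worm-generated name from a real RECYCLER SID folder."""
    subauthorities = sid.split("-")[4:]          # drop 's', '1', '5', '21'
    return any(int(s) > U32_MAX or (len(s) > 1 and s.startswith("0"))
               for s in subauthorities)


def rimecud_persistence(run_values: dict) -> list:
    """Return the Run values whose command launches from a RECYCLER SID folder.
    Any hit deserves a look: Windows never starts Recycle Bin contents from Run,
    and XP-era recycled files are renamed Dc<n>.<ext>, never glps.exe or
    winlogon.exe. forged_sid adds confidence when it is True."""
    findings = []
    for name, command in run_values.items():
        m = RECYCLER_DROP.match(command.strip())
        if m:
            findings.append({"value": name, "path": m.group("path"),
                             "forged_sid": sid_is_forged(m.group("sid"))})
    return findings


def read_run_values() -> dict:
    """Read the live HKCU Run key on Windows; returns {} elsewhere so the
    example still runs against the constructed sample."""
    if winreg is None:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        _, count, _ = winreg.QueryInfoKey(key)
        for i in range(count):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values


if __name__ == "__main__":
    for f in rimecud_persistence(read_run_values() or SAMPLE_RUN_VALUES):
        print(f"{f['value']!r:14} -> {f['path']} (forged SID: {f['forged_sid']})")
```

On a live host the same regex is worth running over the HKLM Run key and the scheduled-task and service image paths as well, since the write-up only documents the HKCU value for this variant.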
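The removable-drive spreading above relies on an autorun.inf that points Windows at the worm's copy, either at the drive root (vshost.exe) or under RECYCLER. The checker below is an added example for this page, not code from the original analysis; the autorun.inf it parses is constructed to resemble what the write-up describes, and the two suspicion rules (launching from a Recycle Bin directory, and hijacking the default Open verb) are my own choice of what to flag.

```python
import os
import re

# Constructed autorun.inf in the style the write-up describes: the spreading
# component drops vshost.exe at the drive root, the payload component drops
# RECYCLER\autorun.exe. The comment, the garbage line and the repeated [autorun]
# section are common tricks aimed at strict INI parsers; Windows ignores what it
# cannot parse, so a checker must be at least as tolerant.
SAMPLE_AUTORUN_INF = r"""
[autorun]
;{d3c5a2ff-4b4e-junk}
zzzz random text without a delimiter
open=vshost.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=vshost.exe
shell\explore\command="RECYCLER\autorun.exe" -e
shellexecute=vshost.exe
[autorun]
UseAutoPlay=0
"""

LAUNCH_KEYS = {"open", "shellexecute"}                   # run by AutoRun/AutoPlay
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")  # run when that verb is chosen
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}
EXECUTABLE_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun_inf(text: str) -> list:
    """Tolerant INI parse returning (section, key, value) triples. Keeps
    duplicates and skips anything Windows would also skip."""
    section, triples = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        triples.append((section, key.strip().lower(), value.strip()))
    return triples


def first_token(value: str) -> str:
    """Program a command line starts with, quoted or not, arguments dropped."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def autorun_launch_targets(text: str) -> dict:
    """Map every [autorun] key that can start a program to the program it starts."""
    targets = {}
    for section, key, value in parse_autorun_inf(text):
        if section != "autorun":
            continue
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            targets[key] = first_token(value)
    return targets


def autorun_findings(text: str) -> list:
    """Launch targets that look like a worm rather than an installer disc."""
    findings = []
    for key, target in autorun_launch_targets(text).items():
        parts = target.replace("/", "\\").strip("\\").split("\\")
        if os.path.splitext(parts[-1])[1].lower() not in EXECUTABLE_EXT:
            continue
        if parts[0].lower() in RECYCLE_DIRS:
            findings.append({"key": key, "target": target,
                             "reason": "executable launched from a Recycle Bin directory"})
        if key == "shell\\open\\command":
            findings.append({"key": key, "target": target,
                             "reason": "default Open verb hijacked to run an executable"})
    return findings


if __name__ == "__main__":
    for f in autorun_findings(SAMPLE_AUTORUN_INF):
        print(f"{f['key']:24} {f['target']:22} {f['reason']}")
```

A plain open=setup.exe is also what legitimate installer discs use, so it is deliberately not flagged on its own; the shell\open\command override is the tell, because it makes a double-click on the drive in Explorer run the program instead of opening the folder. Note that Microsoft's KB971029 update (2011) stopped Windows honouring autorun.inf on USB drives, so this check mostly matters for unpatched XP-era hosts and forensic images of them.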
Remote hosts observed in the wild being contacted in this manner include:

irc.ekizmedia.com
zone.arminboutique.com
story.dnsentrymx.com

The malware can then be instructed to perform any of the following actions:

Check the version of the malware
Patch MSN Messenger to insert messages
Initiate/Stop spreading via removable drives using the payload component
Initiate/Stop flooding a remote host (causing a Denial of Service condition)
Initiate/Stop scanning the affected network for machines running VNC
Get the location of the following common peer-to-peer file sharing programs, and download files to that location:
Ares
Bearshare
iMesh
Shareaza
Kazaa
DC++
eMule
eMule Plus
Limewire
Steal passwords and sensitive data saved by the web browser in Protected Storage
Download and execute arbitrary executable files to the %Temp% directory
Download and execute files / Update itself
Download and execute scripts or commands / direct to a remote host

Analysis by Ray Roberts
Last update 20 July 2019
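The command-and-control behaviour described under Payload above (UDP to port 7006, with the three hostnames listed as observed contacts) is a weak signal on port alone, since UDP/7006 is not reserved for anything. The following Python is an added example for this page, not code from the original analysis: it correlates a DNS log with a connection log so that a UDP/7006 flow to an address that a Rimecud hostname just resolved to scores higher than a bare port hit. The log layout is a simplified tab-separated format invented for the example, the log lines are constructed, and the addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict

# Hosts the write-up above reports being contacted over UDP port 7006. They are
# historical indicators from the analysis; treat them as example IOCs, not as a
# current blocklist.
RIMECUD_C2_HOSTS = {"irc.ekizmedia.com", "zone.arminboutique.com", "story.dnsentrymx.com"}
RIMECUD_C2_PORT = 7006

# Constructed log extracts (not real traffic, not a real sensor format).
# DNS columns: ts, src, resolver, query, answer.
SAMPLE_DNS_LOG = (
    "1563600001\t10.0.0.15\t10.0.0.1\tirc.ekizmedia.com\t198.51.100.7\n"
    "1563600002\t10.0.0.15\t10.0.0.1\tupdate.example.org\t203.0.113.9\n"
    "1563600010\t10.0.0.22\t10.0.0.1\tstory.dnsentrymx.com.\t198.51.100.8\n"
)
# Connection columns: ts, src, dst, proto, dport.
SAMPLE_CONN_LOG = (
    "1563600003\t10.0.0.15\t198.51.100.7\tudp\t7006\n"
    "1563600004\t10.0.0.15\t203.0.113.9\ttcp\t443\n"
    "1563600011\t10.0.0.22\t198.51.100.8\tudp\t7006\n"
    "1563600012\t10.0.0.30\t192.0.2.44\tudp\t7006\n"
    "1563600013\t10.0.0.31\t192.0.2.45\ttcp\t7006\n"
)

DNS_FIELDS = ("ts", "src", "resolver", "query", "answer")
CONN_FIELDS = ("ts", "src", "dst", "proto", "dport")


def parse_tsv(log: str, fields: tuple) -> list:
    """Turn tab-separated lines into dicts; truncated lines are skipped, not fatal."""
    rows = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) == len(fields):
            rows.append(dict(zip(fields, cols)))
    return rows


def rimecud_c2_alerts(dns_log: str, conn_log: str) -> dict:
    """Per-source verdicts. 'high': a C2 hostname lookup and UDP/7006 to the
    address it returned; 'medium': the lookup alone; 'low': UDP/7006 to an
    address no C2 lookup explains. Non-UDP traffic to 7006 is ignored because
    the write-up describes a UDP channel."""
    resolved = defaultdict(set)          # src -> addresses its C2 lookups returned
    reasons = defaultdict(list)
    for r in parse_tsv(dns_log, DNS_FIELDS):
        if r["query"].lower().rstrip(".") in RIMECUD_C2_HOSTS:
            resolved[r["src"]].add(r["answer"])
            reasons[r["src"]].append(f"dns: {r['query']} -> {r['answer']}")
    to_c2 = set()
    for r in parse_tsv(conn_log, CONN_FIELDS):
        if r["proto"].lower() != "udp" or int(r["dport"]) != RIMECUD_C2_PORT:
            continue
        if r["dst"] in resolved.get(r["src"], ()):
            to_c2.add(r["src"])
            reasons[r["src"]].append(f"udp/{RIMECUD_C2_PORT} to resolved C2 address {r['dst']}")
        else:
            reasons[r["src"]].append(f"udp/{RIMECUD_C2_PORT} to {r['dst']} (no C2 lookup seen)")
    alerts = {}
    for src, why in reasons.items():
        if src in resolved and src in to_c2:
            confidence = "high"
        elif src in resolved:
            confidence = "medium"
        else:
            confidence = "low"
        alerts[src] = {"confidence": confidence, "reasons": why}
    return alerts


if __name__ == "__main__":
    for src, a in rimecud_c2_alerts(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG).items():
        print(f"{src:12} {a['confidence']:7} {'; '.join(a['reasons'])}")
```

The DNS side is what makes the port signal usable: a host that both resolved one of the listed names and then sent UDP/7006 to the returned address is a strong match for the channel described above, whereas the 'low' entries are only worth checking against the removable-drive and Run-key artifacts described earlier.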