Win32.Worm.Rimecud.C
First posted on 21 November 2011.
Source: BitDefender
Aliases: Win32.Worm.Rimecud.C is also known as Trojan.Win32.AutoRun.mh, Worm:Win32/Rimecud.B, Win32.HLLW.Lime.18, Worm/Palevo.jvq.
Explanation:
This worm performs the following actions upon execution:
- Creates a copy of itself, named "MsMxEng.exe", inside the directory "%systemdrive%\RECYCLER\S-1-5-21-[10-digits-random]-[10-digits-random]-[4-digits-random]", and hides that directory from Explorer.
- Registers itself to run at system start-up by creating a new value named "Taskman" under "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", pointing to "%systemdrive%\RECYCLER\[malware-directory]\MsMxEng.exe".
- Injects its code into the memory space of explorer.exe.
It spreads itself:
- Through USB removable devices, by creating on such devices a folder named "USBSYSTEM" containing a copy of itself named "usp.exe". It additionally creates an "autorun.inf" file in the device root, which runs the malware when the infected USB device is used on another computer.
- Through MSN, by sending links to the malware.
- Through Kazaa and DC++, by sharing its directory.
- Through P2P networks using LimeWire, eMule, iMesh and BearShare.
The worm has DoS (Denial of Service) capabilities: it can initiate TCP SYN flood attacks against remote hosts.
Last update: 21 November 2011
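A defender-side check for the persistence and USB artifacts listed above, added here as an example and not part of the BitDefender description. It works on already-collected data (the Winlogon "Taskman" value and a removable drive's root listing), so it runs anywhere; the sample values are constructed, and the autorun.inf keys it inspects are an assumption, since the description does not name the key the worm uses.

```python
import re
from typing import Iterable, List, Optional

# Registry location named in the description (the "Taskman" value is normally absent).
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Drop path from the description:
# %systemdrive%\RECYCLER\S-1-5-21-<10 digits>-<10 digits>-<4 digits>\MsMxEng.exe
RECYCLER_DROP_RE = re.compile(
    r"\\RECYCLER\\S-1-5-21-\d{10}-\d{10}-\d{4}\\MsMxEng\.exe$", re.IGNORECASE
)


def check_winlogon_taskman(value: Optional[str]) -> Optional[str]:
    """Classify the Winlogon 'Taskman' value (pass None if the value does not exist).

    Returns a finding string, or None when the value is absent. Any Taskman value
    deserves review; one matching the RECYCLER drop path matches this worm.
    """
    if value is None:
        return None
    path = value.strip().strip('"')
    if RECYCLER_DROP_RE.search(path):
        return f"Taskman points at Rimecud drop location: {path}"
    return f"Taskman value present under {WINLOGON_KEY} (normally absent): {path}"


def check_removable_root(entries: Iterable[str], autorun_text: Optional[str] = None) -> List[str]:
    """Check a removable drive's root listing (paths relative to the root) and,
    if present, the text of its autorun.inf, for the USB spreading artifacts."""
    findings: List[str] = []
    normalized = {e.replace("/", "\\").strip("\\").lower() for e in entries}
    if "usbsystem\\usp.exe" in normalized:
        findings.append("USBSYSTEM\\usp.exe present on removable drive")
    if autorun_text is not None:
        for line in autorun_text.splitlines():
            key, _, val = line.partition("=")
            # Assumption: the worm uses one of the common launch keys; the
            # description does not say which, so all of them are checked.
            if key.strip().lower() in ("open", "shellexecute", "shell\\open\\command") \
                    and "usp.exe" in val.lower():
                findings.append(f"autorun.inf launches usp.exe: {line.strip()}")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from a real infection.
    print(check_winlogon_taskman(r"C:\RECYCLER\S-1-5-21-1234567890-0987654321-1234\MsMxEng.exe"))
    print(check_removable_root(["USBSYSTEM\\usp.exe", "autorun.inf"],
                               "[autorun]\nopen=USBSYSTEM\\usp.exe\n"))
```

On a live Windows host, feed it the value read from the Winlogon key and a directory listing of each removable drive root.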