Method of Infection
When executed, Win32/Rimecud may drop a copy of itself to the following location:
C:\RECYCLER\{Random CLSID}\{Random Filename}
where {Random Filename} is any of the following filenames:
bfb.exe
dllrun32.exe
glps.exe
hd1.exe
hdav.exe
lpezobradr.exe
msimfo32.exe
nissan.exe
ramz.exe
rundll32.exe
sucursal.exe
svchost.exe
sysdata.exe
sysdate.exe
thumbcache_131.exe
twain_x86.exe
usbv.exe
windll.exe
wingn.exe
winigon.exe
winlogon.exe
winmap.exe
winmap32.exe
winvcs.exe
wmiprvse.exe
wnzip32.exe
Most variants of this family create the following registry entry to execute itself on every system startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = "C:\RECYCLER\{Random CLSID}\{Random Filename}"
However, some variants of this family may instead, or additionally, create the following registry entries to execute itself on every startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Actualizacion = "C:\RECYCLER\{Random CLSID}\{Random Filename}"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
12CFG94-z641-2SF-N31P-5M1ER6H6L1 = "C:\RECYCLER\{Random CLSID}\{Random Filename}"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Video Drivers = "C:\RECYCLER\{Random CLSID}\{Random Filename}"
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe {Malware Path}"
Win32/Rimecud often injects its code into a running system process such as EXPLORER.EXE or WINLOGON.EXE, so the malicious code may be found in the memory of a legitimate process rather than in a separate process of its own.
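The following triage script is an added example and is not part of the encyclopedia entry or of any Microsoft tooling. It checks the persistence locations and the drop path described above: the Winlogon Taskman and Shell values, the three documented Run entries, and any CLSID-named subfolder under a RECYCLER directory that contains an executable. It assumes an elevated PowerShell 4.0 or later session on the host being examined (Get-FileHash needs 4.0); the variable and column names are the example's own.

```powershell
# Added triage script (not from the encyclopedia entry). Assumes an elevated
# PowerShell 4.0+ session on the suspect host.

# Filenames the entry lists for the dropped copy.
$KnownNames = @(
    'bfb.exe','dllrun32.exe','glps.exe','hd1.exe','hdav.exe','lpezobradr.exe',
    'msimfo32.exe','nissan.exe','ramz.exe','rundll32.exe','sucursal.exe',
    'svchost.exe','sysdata.exe','sysdate.exe','thumbcache_131.exe','twain_x86.exe',
    'usbv.exe','windll.exe','wingn.exe','winigon.exe','winlogon.exe','winmap.exe',
    'winmap32.exe','winvcs.exe','wmiprvse.exe','wnzip32.exe'
)

# Registry values the family is documented to use for startup persistence.
$Checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Taskman' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Actualizacion' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = '12CFG94-z641-2SF-N31P-5M1ER6H6L1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Windows Video Drivers' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' }
)

$Findings = @()

foreach ($c in $Checks) {
    $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $value = $props.PSObject.Properties[$c.Name]
    if ($null -eq $value) { continue }
    $data = [string]$value.Value
    # Taskman and the three Run names are absent on a clean host, so their mere
    # presence is a finding. A per-user Shell value is also unusual; flag it
    # unless it is exactly "explorer.exe".
    $suspicious = if ($c.Name -eq 'Shell') { $data.Trim() -ne 'explorer.exe' } else { $true }
    if ($suspicious) {
        $Findings += [pscustomobject]@{ Type = 'Registry'; Location = "$($c.Key)\$($c.Name)"; Data = $data }
    }
}

# Drop location: <drive>\RECYCLER\{CLSID}\<name>. A legitimate XP RECYCLER
# holds SID-named folders (S-1-5-21-...), and Vista and later use $Recycle.Bin,
# so a CLSID-named subfolder holding an .exe is itself anomalous.
$ClsidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $recycler = Join-Path $drive.Root 'RECYCLER'
    if (-not (Test-Path -LiteralPath $recycler)) { continue }
    $dirs = Get-ChildItem -LiteralPath $recycler -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $ClsidPattern }
    foreach ($dir in $dirs) {
        $exes = Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq '.exe' }
        foreach ($exe in $exes) {
            $known = $KnownNames -contains $exe.Name.ToLower()
            $hash  = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
            $Findings += [pscustomobject]@{
                Type     = if ($known) { 'DropFile (listed name)' } else { 'DropFile' }
                Location = $exe.FullName
                Data     = "SHA256=$hash"
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Win32/Rimecud persistence indicators found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Because the family injects into explorer.exe or winlogon.exe, an empty result from this script does not clear the host; it only rules out the documented on-disk and registry footholds. Hash any dropped file before deleting it so the sample can be submitted or matched later.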
Method of Distribution
Via Removable Drives
Win32/Rimecud propagates via removable disk drives such as USB drives. It drops an "Autorun.inf" file and a randomly-named copy of itself to the removable drive, so that the copy is launched on any system that honours Autorun when the drive is connected or opened.
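The script below is an added example, not code from the encyclopedia entry, for inspecting the Autorun.inf that this propagation method leaves on a removable drive. It parses the [autorun] section loosely (infected drives often carry padding and mixed case), reports the open, shellexecute and shell\...\command directives, and checks whether the referenced file actually exists on the drive and what its hash is. It assumes PowerShell 4.0 or later and that the drives of interest are mounted; the function name Get-AutorunTargets is the example's own.

```powershell
# Added example (not from the encyclopedia entry). Assumes PowerShell 4.0+.

function Get-AutorunTargets {
    param([Parameter(Mandatory)][string]$InfPath)
    # Autorun.inf is an INI file; only the [autorun] section is honoured by
    # Windows. Parse loosely: trim whitespace, ignore comments, match case-insensitively.
    $inAutorun = $false
    $targets   = @()
    foreach ($raw in Get-Content -LiteralPath $InfPath -ErrorAction Stop) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inAutorun -or $line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^(?i)(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+)$') {
            $targets += [pscustomobject]@{ Directive = $Matches[1]; Command = $Matches[2].Trim() }
        }
    }
    return $targets
}

# DriveType 2 = removable disk.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($disk in $removable) {
    $inf = Join-Path $disk.DeviceID 'Autorun.inf'   # DeviceID is e.g. "E:"
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    Write-Output "== $($disk.DeviceID) carries Autorun.inf"
    foreach ($t in Get-AutorunTargets -InfPath $inf) {
        # The first token of the command is the file that would be launched,
        # resolved relative to the drive root.
        $exe    = ($t.Command -split '\s+')[0].Trim('"')
        $full   = Join-Path $disk.DeviceID $exe
        $exists = Test-Path -LiteralPath $full
        $hash   = if ($exists) { (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash } else { 'n/a' }
        Write-Output ('{0,-28} {1,-40} present={2,-5} sha256={3}' -f $t.Directive, $t.Command, $exists, $hash)
    }
}
```

Run this with the drive's Autorun disabled (for example from a system where the NoDriveTypeAutoRun policy blocks removable media) so that inspecting the drive does not itself execute the dropped copy. A directive whose target is a randomly named .exe in the drive root, or a hidden RECYCLER folder, matches the behaviour described above.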
Via Peer to Peer
Win32/Rimecud may also drop a randomly-named copy of itself to the shared folders of the following P2P (peer-to-peer) applications. The filename may be derived from the names of files already stored in these shared folders, so that the copy looks like content other users are searching for.
Ares
BearShare
iMesh
Shareaza
Kazaa
DCPlusPlus
eMule
LimeWire
Via MSN
This worm can also spread via MSN Instant Messenger by sending a link to all of the user's online contacts. When the recipient clicks on the link, they will unwittingly download a randomly-named copy of the worm.
Via VNC Vulnerability
Win32/Rimecud may propagate by using a vulnerability in RealVNC that could allow a remote attacker to bypass authentication and gain unauthorized access to the system (CVE-2006-2369).
For more information about the RealVNC authentication bypass vulnerability follow these links:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2369
http://www.kb.cert.org/vuls/id/117929
Payload
Backdoor Functionality
Win32/Rimecud performs the following backdoor functions:
- Acts as a Backdoor server;
- Performs SYN Flooding;
- Performs PORT Scanning.
Steals Information
Win32/Rimecud steals information from the infected system. Information stolen may include the following:
- Keystrokes;
- Login usernames and passwords for the system;
- Credentials stored by Mozilla Firefox and Internet Explorer, such as saved usernames and passwords.
Analysis by Ricardo Robielos III