WORM_RIMECUD.CJ

This worm arrives by connecting affected removable drives to a system.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

Installation

This worm drops the following copies of itself into the affected system:

• %User Profile%\Application Data\ygmdrm.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "％User Profile%\Application Data\ygmdrm.exe”

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {drive letter}:\VARAS\oduvek.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
shellexecute=VARAS//oduvek.exe
{random characters}
shell\\explore\\command=VARAS//oduvek.exe
open=VARAS///oduvek.exe
icon=VARAS//oduvek.exe
shell\\open\\command=VARAS//oduvek.exe
Shell\\open\\command=VARAS//oduvek.exe
USEAUTOPLAY=1
action=Open folder to view file using Windows Explorer