Analysis by: Kathleen Notario

ALIASES:

Trojan.Gen (Symantec); Trojan:Win32/Rimecud.A (Microsoft); Trojan.Win32.Inject.bfmc (Kaspersky); W32/Rimecud.gen.br (Mcafee); Mal/Palevo-A (Sophos)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

  TECHNICAL DETAILS

File Size: 84,480 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 14 Jul 2011

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %User Profile%\aegvvp.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It injects itself into the following processes as part of its memory residency routine:

  • svchost.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%User Profile%\aegvvp.exe"

Propagation

This worm creates the following folders in all removable drives:

  • ultimate

It drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
USEAUTOPLAY=1
shellexcute=ultimate/window.exe
Shelldisc
shell\Explore\command=ultimate/window.exe
shell\Open\command=ultimate/window.exe
icon=ultimate/window.exe
open=ultimate/window.exe
action=0pen folder to view files using Windows Explorer

Download Routine

This worm connects to the following malicious URLs:

  • {BLOCKED}na.{BLOCKED}olands.su
  • {BLOCKED}ik.{BLOCKED}-protection.net.ru
  • {BLOCKED}tal.{BLOCKED}owerbord.com
  • {BLOCKED}de.{BLOCKED}usenumber.com
  • {BLOCKED}d.{BLOCKED}tudio.ru