WORM_RIMECUD.BC

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following non-malicious files:

• %System Root%\RECYCLER\{SID}\Desktop.ini
• {Removable Drive}:\usecure\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

• %System Root%\RECYCLER\{SID}\MsMxEng.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\RECYCLER\{SID}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It injects threads into the following normal process(es):

• EXPLORER.EXE

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = %System Root%\RECYCLER\{SID}\MsMxEng.exe

Propagation

This worm creates the following folders in all removable drives:

• usecure

It drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

• Ares Galaxy
• BearShare
• DC++
• eMule
• eMule Plus
• iMesh
• Kazaa
• Limewire
• Shareaza

It drops the following copy(ies) of itself in all removable drives:

• {Removable Drive}:\usecure\usecure32.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage characters}
[autorun
;{garbage characters}
open=usecure/usecure32.exe
;{garbage characters}
icon=%System Root%\system32\SHELL32.dll,4
;{garbage characters}
action=Open folder to view files using Windows Explorer
;{garbage characters}
USEAUToplay=1
;{garbage characters}
shell\open\\command=usecure/usecure32.exe
;{garbage characters}
shell\\explore\command=usecure/usecure32.exe
;{garbage characters}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It sends messages that contain links to sites hosting remote copies of itself using the following instant-messaging (IM) applications:

• MSN Messenger

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Download and execute files from a remote site
• Perform DoS attack
• Perform port scans
• Propagate itself via MSN Messenger
• Propagate itself via P2P networks

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}racypetition.com
• {BLOCKED}lmind.cn
• {BLOCKED}eslounge.com

However, as of this writing, the said sites are inaccessible.

NOTES:

The configuration in the Desktop.INI files that it drops sets the icon of the created folder to the Recycle Bin icon.