The most dangerous virus – the Rimecud and its variants

by nanggroe on January 26, 2012

Rimecud!inf

Rimecud!inf is a generic detection for an Autorun configuration file "autorun.inf" used by Worm:Win32/Rimecud when spreading via fixed and removable drives.
Worm:Win32/Rimecud is a family of worms with multiple components that spreads via fixed and removable drives, and instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected machine.

Rimecud!inf Aliases and Variants

INF/Rimecud (CA), Trojan.Win32.AutoRun.gm (Kaspersky), W32/Aoturun.worm.aaj!inf (McAfee), W32/P2Pworm.DD.worm (Panda), W32/Autorun-AST (Sophos)

Rimecud!inf Symptoms

The spreading component of Win32/Rimecud enumerates all drives from B: to Z: searching for fixed and removable drive types. For each fixed or removable drive found, the worm copies itself to the root directory of the located drive as "vshost.exe". The worm then writes an autorun configuration file named "autorun.inf" pointing to "vshost.exe":

  • <drive:>\vshost.exe – Worm:Win32/Rimecud
  • <drive:>\autorun.inf – Worm:Win32/Rimecud!inf

When the drive is accessed from a machine supporting the Autorun feature, the worm is launched automatically.
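The drop-and-launch pattern just described (a copy of the worm plus an autorun.inf that points at it) is something a responder can check for without running anything from the drive. The following is an added example, not code from the original post: it parses the [autorun] section of an autorun.inf, lists every program the file would launch, and flags the names and folders this post attributes to Win32/Rimecud (vshost.exe at the drive root, a USBSYSTEM or RECYCLER folder). The sample autorun.inf contents are constructed, and the file name worm.exe in the USBSYSTEM sample is a placeholder rather than a name the post gives.

```python
"""Offline triage of an autorun.inf taken from a removable drive.

Added example, not code from the original post.  It parses the [autorun]
section, lists the executables the file would launch, and flags the names and
folders the post attributes to Win32/Rimecud (vshost.exe at the drive root,
a USBSYSTEM folder, a RECYCLER folder).  Sample files are constructed.
"""
import re
from typing import Dict, List, Tuple

# File names / folders the post associates with Rimecud drops (lower-case).
KNOWN_NAMES = {"vshost.exe"}
KNOWN_FOLDERS = {"usbsystem", "recycler"}

# First token of a value: either a quoted path or a bare one (arguments dropped).
_FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))')


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lower-cased.

    Menu-verb commands such as shell\\open\\command keep their full key.
    Comments (';'), blank lines and other sections are ignored.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Programs Autorun/AutoPlay would run: open, shellexecute and shell verbs."""
    targets: List[str] = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            m = _FIRST_TOKEN.match(value)
            if m:
                targets.append(m.group(1) or m.group(2))
    return sorted(set(targets))


def assess(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (verdict, targets, reasons).

    'benign'     - nothing is launched
    'review'     - an executable is launched (any removable-media autorun
                   that runs code deserves a look)
    'suspicious' - a Rimecud-associated name or folder is launched
    """
    targets = launch_targets(parse_autorun(text))
    reasons: List[str] = []
    for target in targets:
        parts = target.replace("/", "\\").lower().split("\\")
        name, folders = parts[-1], parts[:-1]
        if name in KNOWN_NAMES:
            reasons.append(f"{target}: file name used by Win32/Rimecud")
        if KNOWN_FOLDERS.intersection(folders):
            reasons.append(f"{target}: launched from a folder Rimecud uses for its copy")
    if not targets:
        return "benign", targets, reasons
    return ("suspicious" if reasons else "review"), targets, reasons


# Constructed samples modelled on the pattern described in the post.
RIMECUD_INF = "[autorun]\r\nopen=vshost.exe\r\nshellexecute=vshost.exe\r\n"
USBSYSTEM_INF = "[autorun]\r\nshell\\open\\command=USBSYSTEM\\worm.exe\r\n"  # worm.exe is a placeholder
LABEL_ONLY_INF = "[autorun]\r\nlabel=Holiday photos\r\nicon=photos.ico\r\n"

if __name__ == "__main__":
    for sample in (RIMECUD_INF, USBSYSTEM_INF, LABEL_ONLY_INF):
        print(assess(sample))
```

A label-only autorun.inf comes back benign, an installer CD's open=setup.exe comes back as review, and the two Rimecud-style files come back suspicious with the reason attached. The script only reads the text, so it is safe to run on a mounted drive with Autorun disabled.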


Rimecud.A

Rimecud.A obtains information from the forms stored in the Internet Explorer and Firefox browsers. It spreads itself via certain P2P programs, MSN Messenger, removable drives, and computers with vulnerable VNC servers or VNC servers that do not require a password.

Rimecud.A Aliases and Variants

Trojan.Win32.Agent.ezlo (Kaspersky), W32.Pilleuz (Symantec)

Rimecud.A Symptoms

Trojan Rimecud.A creates a copy of itself in the system folder with the following name:

  • msvmiode.exe

Trojan:Win32/Rimecud.A may contact a remote host at update2.helohmar.com using port 80. It may do so:

  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instructions from a remote attacker
  • To upload data taken from the affected computer


Rimecud.B

Rimecud.B obtains information from the forms stored in the Internet Explorer and Firefox browsers. It spreads itself via certain P2P programs, MSN Messenger, removable drives, and computers with vulnerable VNC servers or VNC servers that do not require a password.

Rimecud.B Aliases and Variants

P2P-Worm.Win32.Palevo.cvo, Win-Trojan/Buzus.143360.BT (AhnLab), Trojan.Win32.Buzus.apjj (Kaspersky), W32/Buzus.LFM (Norman), Win32/Agent.NFV (ESET), Win32/SillyP2P.BY (CA), W32/Autorun.worm.fz (McAfee)

Rimecud.B Symptoms

Rimecud.B obtains information from the forms stored in the Internet Explorer and Firefox browsers, such as passwords and confidential data about the user.
Rimecud.B creates the following folder:

  • C:\RECYCLER\S-1-5-21-6393178087-8249707012-078373048-6570

And it creates a copy of itself in this path with the following name:

  • HD1.EXE

Rimecud.B creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value Taskman = C:\RECYCLER\S-1-5-21-6393178087-8249707012-078373048-6570\hd1.exe

This entry ensures that the worm is run upon Windows start-up.
Rimecud.B is written in the programming language Visual C++. This worm is 103,936 bytes in size.


Rimecud.C

Rimecud.C is an Internet worm that aggressively attempts to spread itself either by directly infecting removable media or by sharing its binary code through Kazaa, DC++, LimeWire, eMule, iMesh or BearShare. In order to infect USB storage devices, Win32.Worm.Rimecud.C creates a folder named USBSYSTEM, copies itself to the folder, and then creates in the device root an "autorun.inf" file which will run the infected binary each time the device is plugged in. The worm also spreads itself via MSN Messenger by sending automated messages containing links to copies of itself to the entire list of contacts.

Rimecud.C Symptoms

Once it has successfully infected the local machine, the worm creates a copy of itself inside the "%systemdrive%\RECYCLER\S-1-5-21-[10-digits-random]-[10-digits-random]-[4-digits-random]" directory and modifies the directory's attributes to hide it from Windows Explorer. The worm then registers itself to run at system start-up by adding a new entry to the Windows Registry under the name "Taskman". One of the first visible symptoms revealing the infection is an unusual slowdown of the computer: the worm uses most of the available bandwidth to perform malicious tasks such as denial-of-service (DoS) and TCP-SYN flood attacks against remote hosts.


Rimecud.E

Rimecud.E downloads malware to the affected computer which is designed to send spam messages and to download more malware. It spreads itself via certain P2P programs, MSN Messenger and removable drives.

Rimecud.E Aliases and Variants

W32/Rimecud.E.worm, Trojan.Win32.Buzus.bhnb

Rimecud.E Symptoms

Rimecud.E downloads the following malware to the affected computer:
When the drive is accessed from a machine supporting the Autorun feature, the worm is launched automatically.

Rimecud.FR

Rimecud.FR is a worm with multiple components. It spreads itself via certain P2P programs, MSN Messenger, removable drives, and computers with vulnerable VNC servers or VNC servers that do not require a password.

Rimecud.FR Aliases and Variants

N/a

Rimecud.FR Symptoms

Rimecud.FR enumerates all drives from B: to Z: searching for fixed and removable drives. For each drive found, the worm copies itself to the root folder of the located drive and creates an "autorun.inf" file to execute the copy. When the removable or networked drive is accessed from another computer with Autorun enabled, the malware is launched automatically.
Rimecud.FR spreads via the Internet chat and messaging application MSN Messenger. It does so by looking for windows associated with the targeted application and clicking on menu items and buttons to paste and send an instant message to the user's contacts. The instant message contains a link to the malware. The payload component can also be instructed to send links if the infected user has MSN Messenger installed. It does so by redirecting the send and WSARecv APIs in the MSN Messenger process to its own code. Rimecud then attempts to detect the start of a conversation and may paste messages specified by the attacker into conversations. These can include links to copies of the worm or other malware.
Rimecud.FR allows backdoor access by opening a TCP connection to a remote server on port 7010. The malware can then be instructed to perform any of the following actions:

  • Check the version of the malware
  • Patch MSN Messenger to insert messages
  • Start/Stop spreading via removable drives using the payload component
  • Start/Stop flooding a remote host
  • Download and execute files or update itself
  • Download and execute scripts or commands


Rimecud.P

Rimecud.P is a worm that spreads via P2P networks. The worm contains a backdoor and can be controlled remotely.

Rimecud.P Aliases and Variants

P2P-Worm.Win32.Palevo.kad (Kaspersky), Worm.P2P.Palevo.B (F-Secure)

Rimecud.P Symptoms

The spreading component of Win32/Rimecud enumerates all drives from B: to Z: searching for fixed and removable drive types. For each fixed or removable drive found, the worm copies itself to the root directory of the located drive as "vshost.exe". The worm then writes an autorun configuration file named "autorun.inf" pointing to "vshost.exe". When the drive is accessed from a machine supporting the Autorun feature, the worm is launched automatically.


Rimecud.R

Rimecud.R is a worm that spreads via removable drives, shared folders, and MSN Messenger. It also connects to remote servers.
Win32/Rimecud uses a variety of obfuscators to hinder detection. These are written in C/C++/Delphi/Visual Basic and usually have virtual environment detection and anti-emulation tricks to make the malware harder to detect.

Rimecud.R Symptoms

The following system changes may indicate the presence of this malware:
Presence of the following folder:

  • C:\Recycler

Presence of the following registry modifications:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

When executed, Rimecud.R copies itself to the following location:

  • C:\Recycler\s-1-5-21-<random number>\<random file name>.exe

It then modifies the system registry so that it automatically runs every time Windows starts:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value Taskman = C:\Recycler\s-1-5-21-<random number>\<random file name>.exe

It creates the following mutexes:

  • DBWinMutex
  • lll_fejh__frg65fx

Rimecud.R copies itself to the shared folders within the computer. These include those shared by Windows by default, such as ‘My Shared Folder’, or those shared by peer-to-peer file sharing programs, for example:

  • DownloadDir
  • LimeWire\LimeWire.props
  • Software\BearShare\General
  • Software\DC++
  • Software\eMule
  • Software\iMesh\General
  • Software\Kazaa\LocalContent
  • Software\Shareaza\Shareaza\Downloads

It connects to the following remote servers, which it may use to download arbitrary files or to send information about the infected computer:

  • skyoflies.info
  • panchitox.laweb.es
  • penchatox.sin-ip.es
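The network indicators this post gives (the Rimecud.A host update2.helohmar.com, the Rimecud.FR backdoor on TCP 7010, and the three Rimecud.R servers above) are the kind of thing a responder checks proxy and firewall logs for. The following is an added example, not code from the original post: it scans outbound-connection log lines for those indicators, treating subdomains of a listed server as matches and only counting port 7010 when the protocol is TCP, and groups the hits by source host so an infected machine stands out. The log line format and the sample lines are constructed for this example.

```python
"""Scan outbound-connection log lines for the network indicators listed in the
post: the Rimecud.A update host, the Rimecud.FR backdoor port (TCP 7010) and
the Rimecud.R servers.  Added example, not the post's own code; the log format
and the sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

C2_HOSTS = {
    "update2.helohmar.com",   # Rimecud.A
    "skyoflies.info",         # Rimecud.R
    "panchitox.laweb.es",     # Rimecud.R
    "penchatox.sin-ip.es",    # Rimecud.R
}
BACKDOOR_PORTS = {7010}       # Rimecud.FR, TCP

# Constructed format: "<timestamp> <src_ip> -> <dst_host_or_ip>:<port> <proto>"
LINE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)\s+(\S+)$")


def host_matches(host: str) -> Optional[str]:
    """The listed server that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for c2 in C2_HOSTS:
        if host == c2 or host.endswith("." + c2):
            return c2
    return None


def match_line(line: str) -> Optional[Dict[str, str]]:
    """A hit record for one log line, or None if it matches no indicator."""
    m = LINE.match(line.strip())
    if not m:                       # unparseable line: skip, do not crash
        return None
    ts, src, dst, port, proto = m.groups()
    reasons = []
    c2 = host_matches(dst)
    if c2:
        reasons.append(f"destination matches listed server {c2}")
    if proto.lower() == "tcp" and int(port) in BACKDOOR_PORTS:
        reasons.append(f"outbound TCP {port} matches the Rimecud.FR backdoor port")
    if not reasons:
        return None
    return {"time": ts, "src": src, "dst": f"{dst}:{port}", "reason": "; ".join(reasons)}


def scan(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Hits grouped by source IP, so a host with several hits stands out."""
    hits: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in lines:
        hit = match_line(line)
        if hit:
            hits[hit["src"]].append(hit)
    return dict(hits)


SAMPLE_LOG = [  # constructed lines; the IPs are documentation ranges
    "2012-01-26T10:00:01 10.0.0.5 -> update2.helohmar.com:80 tcp",
    "2012-01-26T10:00:02 10.0.0.5 -> www.example.com:443 tcp",
    "2012-01-26T10:00:05 10.0.0.5 -> 198.51.100.7:7010 tcp",
    "2012-01-26T10:01:10 10.0.0.9 -> cdn.skyoflies.info:80 tcp",
    "2012-01-26T10:01:11 10.0.0.9 -> 203.0.113.4:7010 udp",
    "malformed line",
]

if __name__ == "__main__":
    for src, src_hits in scan(SAMPLE_LOG).items():
        print(f"{src}: {len(src_hits)} hit(s)")
        for hit in src_hits:
            print(f"  {hit['time']} -> {hit['dst']}: {hit['reason']}")
```

Port 7010 alone is a weak signal, since nothing reserves it, which is why the script reports the reason with each hit and groups by source: a host that both contacts a listed server and opens TCP 7010 is a far stronger lead than either line on its own. Domains from a 2012 write-up may have changed hands since, so a match is a reason to look at the host, not a verdict.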
