Win32.Worm.Rimecud.C

HIGH
MEDIUM
164519 KB
(Trojan.Win32.AutoRun.mh, Worm:Win32/Rimecud.B, Win32.HLLW.Lime.18, Worm/Palevo.jvq)

Symptoms

- presence of the registry entry mentioned in the Technical Description
- the computer slows down

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

George Cabau, virus researcher

Technical Description:

This worm performs the following actions upon execution:

-    creates a copy of itself as "MsMxEng.exe" inside the directory “%systemdrive%\RECYCLER\S-1-5-21-[10-digits-random]-[10-digits-random]-[4-digits-random]”, and hides this directory so that it is not shown by Explorer.
-    registers itself to run at system start-up by creating a new value named "Taskman" under "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", pointing to “%systemdrive%\RECYCLER\[malware-directory]\MsMxEng.exe”.
-    injects its code into the memory space of explorer.exe.

It spreads itself:

-    Through USB removable devices: it creates a folder named USBSYSTEM on each such device and places a copy of itself there under the name "usp.exe". It additionally creates an "autorun.inf" file in the device root, which launches the malware when the infected USB device is plugged into another computer.
-    Through MSN, by sending links to the malware.
-    Through Kazaa and DC++, by sharing its directory.
-    Through P2P networks, using LimeWire, eMule, iMesh and BearShare.

The worm also has DoS (Denial of Service) capabilities: it can initiate TCP SYN flood attacks against remote hosts.
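The host and removable-drive indicators listed above (the RECYCLER drop path, the Winlogon "Taskman" value, and the USBSYSTEM\usp.exe copy launched from autorun.inf) can be checked mechanically. The Python script below is an added example, not Bitdefender's own tooling; it runs entirely on constructed sample data rather than a live system, and the function names, the sample registry values, the sample file listing and the sample autorun.inf are assumptions. Registry values are passed in as a plain dict and file paths as strings, so the same checks can be fed from a registry export or a file listing taken from an offline image. It also flags the directory-name shape itself: a legitimate RECYCLER subfolder is named after a full user SID, which has a fourth numeric component (the RID) after the three sub-authorities, whereas the worm's folder name has only three.

```python
"""Indicator checks for the Win32.Worm.Rimecud.C artefacts described above.
Added example, not Bitdefender's code. Every sample value below is constructed."""
import re

# Drop location: <drive>:\RECYCLER\S-1-5-21-<10 digits>-<10 digits>-<4 digits>\MsMxEng.exe
# (%systemdrive% is accepted in place of a drive letter, as the page writes it).
DROP_PATH_RE = re.compile(
    r"^(?:[A-Za-z]:|%systemdrive%)\\RECYCLER\\S-1-5-21-\d{10}-\d{10}-\d{4}\\MsMxEng\.exe$",
    re.IGNORECASE,
)
# Removable-drive copy: <anything>\USBSYSTEM\usp.exe, optionally followed by arguments.
USB_COPY_RE = re.compile(r"(?:^|[\\/])USBSYSTEM[\\/]usp\.exe(?:$|\s)", re.IGNORECASE)
# autorun.inf keys that name an executable to launch.
AUTORUN_KEYS = ("open", "shellexecute")
COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)


def is_rimecud_drop_path(path: str) -> bool:
    """True if path matches the worm's on-disk copy under RECYCLER."""
    return DROP_PATH_RE.match(path.strip().strip('"')) is not None


def check_winlogon_taskman(values: dict) -> list:
    """Inspect Winlogon values (name -> data) as read from
    HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.
    'Taskman' is absent on a default install, so any value deserves a look;
    one pointing at the RECYCLER drop path is the worm's persistence entry."""
    findings = []
    for name, data in values.items():
        if name.lower() != "taskman":
            continue
        if is_rimecud_drop_path(data):
            findings.append(("high", f"Taskman -> {data}"))
        else:
            findings.append(("medium", f"unexpected Taskman value: {data}"))
    return findings


def autorun_targets(inf_text: str) -> list:
    """Return the executables an autorun.inf would launch: the values of
    open=, shellexecute= and shell\\<verb>\\command= in the [autorun] section.
    Assumes a plain INI layout; comment lines (; or #) are skipped."""
    targets = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in AUTORUN_KEYS or COMMAND_RE.match(key):
            targets.append(value.strip().strip('"'))
    return targets


def is_rimecud_autorun(inf_text: str) -> bool:
    """True if the autorun.inf launches the worm's USBSYSTEM\\usp.exe copy."""
    return any(USB_COPY_RE.search(t) for t in autorun_targets(inf_text))


def scan_listing(paths: list) -> list:
    """Flag file paths (e.g. from a directory walk or an image listing) that
    match either copy of the worm. Returns (label, path) pairs."""
    hits = []
    for p in paths:
        if is_rimecud_drop_path(p):
            hits.append(("system drive copy", p))
        elif USB_COPY_RE.search(p):
            hits.append(("removable-drive copy", p))
    return hits


# Constructed sample data (hypothetical values, not taken from a real infection).
SAMPLE_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Taskman": r"C:\RECYCLER\S-1-5-21-1234567890-0987654321-1234\MsMxEng.exe",
}
SAMPLE_LISTING = [
    r"C:\RECYCLER\S-1-5-21-1234567890-0987654321-1234\MsMxEng.exe",
    r"C:\RECYCLER\S-1-5-21-1234567890-0987654321-1234567890-1000\INFO2",  # real SID shape
    r"E:\USBSYSTEM\usp.exe",
    r"E:\autorun.inf",
]
SAMPLE_AUTORUN_INF = """[autorun]
open=USBSYSTEM\\usp.exe
shell\\open=Open
shell\\open\\command=USBSYSTEM\\usp.exe
shellexecute=USBSYSTEM\\usp.exe
"""

if __name__ == "__main__":
    for sev, msg in check_winlogon_taskman(SAMPLE_WINLOGON):
        print(f"[{sev}] {msg}")
    for label, path in scan_listing(SAMPLE_LISTING):
        print(f"[high] {label}: {path}")
    print("autorun.inf launches worm:", is_rimecud_autorun(SAMPLE_AUTORUN_INF))
```

On a live Windows host the dict passed to check_winlogon_taskman would come from reading the Winlogon key (for example with the standard winreg module) and the path list from walking each drive root, including RECYCLER, with hidden entries enabled; the checks themselves do not change.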