Effects

Rimecud.E downloads the following malware to the affected computer:

- Trj/Spammer.ALU, a Trojan designed to send spam messages.
- Trj/Downloader.WBW, designed to download files, which can be of any nature, including malware.

In order to do so, it connects to the following domains:

- mails.le<blocked>dv.com
- mails.nad<blocked>amar2.org
- mails.cli<blocked>bar.net

From these domains it downloads the following files, which belong to the Trojans:

Infection strategy

Rimecud.E creates the following path:

C:\RECYCLER\S-1-5-21-6393178087-8249707012-078373048-6570

And it creates a copy of itself in this path with the following name:

WNZIP32.EXE

Additionally, it creates a copy of itself in the folder RECYCLER of the root directory of the removable drives. It also creates an AUTORUN.INF file in the root directory of the removable drives, so that the copy of itself is automatically run when any of these drives is accessed.

Rimecud.E creates the following entry in the Windows Registry:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
  Taskman = C:\RECYCLER\S-1-5-21-6393178087-8249707012-078373048-6570\wnzip32.exe

By creating this entry, Rimecud.E ensures that it is run whenever Windows is started.

Means of transmission

Rimecud.E uses the following means to spread:

- It copies itself to the folders belonging to the following P2P file sharing programs:
  - Ares
  - Bearshare
  - DC++
  - eMule
  - iMesh
  - Kazaa
  - LimeWire
  - Shareaza
- The instant messaging program MSN Messenger.
- It copies itself to the removable drives of the system. Additionally, it creates an AUTORUN.INF file in the root directory of the removable drives that are connected to the affected computer, so that it is run whenever any of these drives is accessed.
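
A triage check for the artifacts described above, as an added example that is not part of the original description: it takes AUTORUN.INF text and a Winlogon Taskman value already collected from a machine and flags launch entries or values that point into a RECYCLER folder. The sample file contents, the placeholder example.exe and all function names are constructed for illustration.

```python
import re

# Matches a path inside a RECYCLER folder, absolute or relative to a drive root.
RECYCLER_RE = re.compile(r"(^|[\\/])recycler[\\/]", re.IGNORECASE)

# Constructed sample (not taken from a real infected drive); example.exe is a placeholder.
SAMPLE_AUTORUN = """\
[autorun]
;xk2 padding line
open=RECYCLER\\example.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command="RECYCLER\\example.exe"
"""

def in_recycler(path):
    """True if the path (quotes and spaces stripped) points into a RECYCLER folder."""
    return bool(RECYCLER_RE.search(path.strip().strip('"')))

def autorun_launch_entries(text):
    """Return (key, value) for every AUTORUN.INF line that starts a program."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue  # blank lines, comments, section headers, junk padding
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            entries.append((key, value))
    return entries

def suspicious_autorun(text):
    """Launch entries whose target sits inside a RECYCLER folder."""
    return [(k, v) for k, v in autorun_launch_entries(text) if in_recycler(v)]

def suspicious_taskman(value):
    """True if a collected Winlogon Taskman value points into a RECYCLER folder."""
    return bool(value) and in_recycler(value)

if __name__ == "__main__":
    print(suspicious_autorun(SAMPLE_AUTORUN))
    print(suspicious_taskman(
        r"C:\RECYCLER\S-1-5-21-6393178087-8249707012-078373048-6570\wnzip32.exe"))
```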

Further Details

Rimecud.E is written in the programming language Visual C++. This worm is 96,768 bytes in size.