Virus: Worm/Rimecud.B.10
Date discovered: 16/09/2009
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 120.320 Bytes
MD5 checksum: 41375116e298d9afdab587aa6e14fa6f
VDF version: 7.01.05.249
IVDF version: 7.01.05.251 - Wednesday, September 16, 2009

General
Methods of propagation:
   • Autorun feature
   • Messenger
   • Peer to Peer


Aliases:
   •  Sophos: Mal/EncPk-TD
   •  Bitdefender: Trojan.Generic.4703375
   •  Panda: W32/P2Pworm.OI
   •  Eset: Win32/Peerfrag.FD


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
      •  CVE-2007-1204
      •  MS07-019

Files
It copies itself to the following locations:
   • %drive%\RECYCLER\autorun.exe
   • %recycle bin%\%CLSID%\syscr.exe



The following files are created:

%recycle bin%\%CLSID%\Desktop.ini
%drive%\autorun.inf: a non-malicious text file with the following content:
   • %code that runs malware%

%SYSDIR%\msvmiode.exe: executed as soon as it has been fully written. Further investigation showed that this file is malware too. Detected as: TR/Crypt.XPACK.Gen

%SYSDIR%\drivers\dopmz.sys: further investigation showed that this file is malware too. Detected as: TR/Crypt.ZPACK.Gen

%SYSDIR%\drivers\str.sys
%HOME%\Application Data\bowcav.exe
%TEMPDIR%\80814.tmp
%SYSDIR%\MAI1.tmp
%TEMPDIR%\32540.tmp



It tries to download some files:

– The location is the following:
   • http://98.126.57.69/**********
It is saved on the local hard drive under: %TEMPDIR%\10627.exe and executed as soon as the download completes. Further investigation showed that this file is malware too. Detected as: TR/Kazy.8023


– The location is the following:
   • http://91.217.162.230/**********
It is saved on the local hard drive under: %TEMPDIR%\653.exe and executed as soon as the download completes. Further investigation showed that this file is malware too. Detected as: BDS/IRCBot.655363.A


– The location is the following:
   • http://188.229.90.135/**********
It is saved on the local hard drive under: %TEMPDIR%\311423.exe and executed as soon as the download completes. Further investigation showed that this file is malware too. Detected as: TR/Crypt.XPACK.Gen


– The location is the following:
   • http://89.149.196.37/ksjoi/**********
It is saved on the local hard drive under: %WINDIR%\ggdrive32.exe and executed as soon as the download completes. Further investigation showed that this file is malware too. Detected as: BDS/IRCBot.655363.A


– The location is the following:
   • http://91.217.162.80/**********
It is saved on the local hard drive under: %TEMPDIR%\474.exe and executed as soon as the download completes.



It tries to execute the following files:

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Taskman"="%HOME%\Application Data\bowcav.exe"

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="explorer.exe,%HOME%\Application Data\bowcav.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MSODESNV7"="%SYSDIR%\msvmiode.exe"
   • "Microsoft Driver Setup"="%WINDIR%\ggdrive32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "Microsoft Driver Setup"="%WINDIR%\ggdrive32.exe"



The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\dknuegk]
   • "DisplayName"="dknuegk"
   • "ErrorControl"=dword:0x00000000
   • "Group"="Boot Bus Extender"
   • "ImagePath"="system32\drivers\dopmz.sys"
   • "RulesData"=hex:03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,6E,00,5C,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,00,5C,00,4D,00,41,00,43,00,48,00,49,00,4E,00,45,00,5C,00,53,00,59,00,53,00,54,00,45,00,4D,00,5C,00,43,00,6F,00,6E,00,74,00,72,00,6F,00,6C,00,53,00,65,00,74,00,30,00,30,00,31,00,5C,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,5C,00,64,00,6B,00,6E,00,75,00,65,00,67,00,6B,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,74,00,5C,00,44,00,65,00,76,00,69,00,63,00,65,00,5C,00,48,00,61,00,72,00,64,00,64,00,69,00,73,00,6B,00,56,00,6F,00,6C,00,75,00,6D,00,65,00,31,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5C,00,64,00,6F,00,70,00,6D,00,7A,00,2E,00,73,00,79,00,73,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,70,00,5C,00,44,00,65,00,76,00,69,00,63,00,65,00,5C,00,48,00,61,00,72,00,64,00,64,00,69,00,73,00,6B,00,56,00,6F,00,6C,00,75,00,6D,00,65,00,31,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5C,00,73,00,74,00,72,00,2E,00,73,00,79,00,73,00,00,00
   • "Start"=dword:0x00000000
   • "Type"=dword:0x00000001
   • "_MAIN"="\??\%SYSDIR%\MAI1.tmp"
   • "krnl_servers_list"=hex:68,74,74,70,00,00,00,00,00,00,00,00,00,00,00,68,74,74,70,3A,2F,2F,31,39,30,2E,31,32,33,2E,34,36,2E,39,31,2F,6C,79,63,6F,73,2F,67,65,74,63,66,67,2E,70,68,70,00,68,74,74,70,00,00,00,00,00,00,00,00,00,00,00,68,74,74,70,3A,2F,2F,31,39,30,2E,31,32,33,2E,34,36,2E,39,32,2F,6C,79,63,6F,73,2F,67,65,74,63,66,67,2E,70,68,70,00,68,74,74,70,00,00,00,00,00,00,00,00,00,00,00,68,74,74,70,3A,2F,2F,36,32,2E,31,32,32,2E,37,33,2E,32,30,30,2F,6C,79,63,6F,73,2F,67,65,74,63,66,67,2E,70,68,70,00,68,74,74,70,00,00,00,00,00,00,00,00,00,00,00,68,74,74,70,3A,2F,2F,38,39,2E,31,34,39,2E,31,39,36,2E,33,37,2F,6C,79,63,6F,73,2F,67,65,74,63,66,67,2E,70,68,70,00
   • "krnl_sleepfreq"=hex:05,00,00,00



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   • "EnableFirewall"=dword:0x00000000



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
   • "host"="%IP address%"
   • "id"="53389715341734928137059857980661"
   • "ridt100413"="1"



The following registry key is changed:

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "ParseAutoexec"="1"
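As an added example (not part of the Avira description), the following Python parses a registry export written in the same `.reg`-style notation the entries above use and flags the persistence and firewall indicators the description lists. The export text is constructed for the example; the paths are assumed Windows XP expansions of the %HOME% and %SYSDIR% placeholders, and the checks rely only on the value names and file names given above.

```python
# Constructed sample in .reg export notation (not taken from a real host);
# paths are assumed Windows XP expansions of %HOME% and %SYSDIR%.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman"="C:\\Documents and Settings\\user\\Application Data\\bowcav.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Documents and Settings\\user\\Application Data\\bowcav.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dknuegk]
"ImagePath"="system32\\drivers\\dopmz.sys"
"krnl_sleepfreq"=hex:05,00,00,00
'''
# File names the description above lists as dropped or downloaded.
DROPPED = {"bowcav.exe", "msvmiode.exe", "ggdrive32.exe", "dopmz.sys", "str.sys"}

def parse_reg(text):
    """Return {key: {name: value}}: strings unescaped, dword -> int, hex -> bytes."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):       # int(.., 16) also accepts the 0x form used above
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith("hex:"):
                keys[current][name] = bytes(int(b, 16) for b in raw[4:].split(","))
            else:                              # .reg files double every backslash
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def find_indicators(keys):
    """Return (key, value name, reason) for entries matching the description."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        for name, value in values.items():
            if k.endswith(r"\winlogon") and name == "Taskman":
                hits.append((key, name, "Taskman hook set (normally absent)"))
            elif k.endswith(r"\winlogon") and name == "Shell" and value.lower() != "explorer.exe":
                hits.append((key, name, "Shell runs an extra program next to explorer.exe"))
            elif k.endswith(r"\standardprofile") and name == "EnableFirewall" and value == 0:
                hits.append((key, name, "Windows Firewall disabled"))
            elif isinstance(value, str) and value.split(",")[-1].rsplit("\\", 1)[-1].lower() in DROPPED:
                hits.append((key, name, "points at a file the description lists"))
    return hits
```

Run `find_indicators(parse_reg(open("export.reg").read()))` against a `reg export` of the four keys to get one tuple per matching value.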

P2P
In order to infect other systems in the Peer to Peer network community the following action is performed:

It retrieves shared folders by querying the following registry keys:
   • Software\BearShare\General
   • Software\iMesh\General
   • Software\Shareaza\Shareaza\Downloads
   • Software\Kazaa\LocalContent
   • Software\DC++
   • Software\eMule
   • Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1

It searches for directories that contain the following substring:
   • \Local Settings\Application Data\Ares\My Shared Folder


Messenger
It spreads via Messenger. The characteristics are described below:

– Windows Messenger

The URL in the message refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

Backdoor
Contact server:
All of the following:
   • ms.bes**********.com:1863 (UDP)
   • 98.126.**********.210:9345 (UDP)
   • 216.104.**********.90:7196 (TCP)
   • http://91.200.242.230/spm/**********?ver=%number%
   • http://91.200.242.230/spm/**********?id=%number%&tick=%number%&ver=%number%&smtp=%character string%&sl=%number%&fw=%number%&pn=%number%&psr=%number%
   • http://91.200.242.230/spm/**********?id=%number%&task=%number%
   • http://91.200.242.230/spm/**********?task=%number%&id=%number%
   • http://91.200.242.230/spm/**********?id=%number%&tick=%number%&ver=%number%&smtp=%character string%&sl=%number%&fw=%number%&pn=%number%&psr=%number%
   • http://91.200.242.230/spm/**********?id=%number%
   • http://190.123.46.91/lycos/**********
   • http://190.123.46.92/lycos/**********
   • http://62.122.73.200/lycos/**********
   • http://89.149.196.37/lycos/**********


Injection
– It injects itself as a remote thread into a process.

   Process name:
   • explorer.exe


Miscellaneous
Mutex:
It creates the following Mutexes:
   • o4gmd1
   • nvov+32
   • jng28gdrrg2fcs

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, January 19, 2011
Description updated by Andrei Ivanes on Friday, January 21, 2011
