[Malware Review] Win32.Worm.Rimecud.C Lurking on P2P Networks

Bogdan BOTEZATU

November 23, 2009

Initially spotted earlier this month, Win32.Worm.Rimecud.C is an Internet worm that aggressively attempts to spread itself either by directly infecting removable media or by sharing its binary code through Kazaa, DC++, LimeWire, eMule, iMesh or BearShare.

In order to infect USB storage devices, Win32.Worm.Rimecud.C creates a folder named USBSYSTEM, copies itself to the folder, and then creates an “autorun.inf” file in the device root, which runs the infected binary each time the device is plugged in. The worm also spreads itself via MSN Messenger by sending automated messages containing links to copies of itself to the entire list of contacts.

Once it has successfully infected the local machine, the worm creates a copy of itself inside the “%systemdrive%\RECYCLER\S-1-5-21-[10-digits-random]-[10-digits-random]-[4-digits-random]” directory and modifies the directory’s attributes to hide it from Windows Explorer. The worm then registers itself to run at system start-up by adding a new entry named “Taskman” to the Windows Registry.
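A defender-side check for the on-disk artifacts described above, as an added example that is not part of the original article: it flags a USBSYSTEM folder, an autorun.inf entry that launches a file from it, and RECYCLER subdirectories matching the stated name pattern. The function names are hypothetical, and the code assumes the hidden directory sits under a RECYCLER folder on the system drive.

```python
import re
import sys
from pathlib import Path

# Name shape given in the article: S-1-5-21-[10 digits]-[10 digits]-[4 digits].
# Ordinary account SIDs carry one more numeric field, so they do not match.
FAKE_SID_DIR = re.compile(r"^S-1-5-21-\d{10}-\d{10}-\d{4}$")


def autorun_targets(inf_path):
    """Return the commands an autorun.inf asks Windows to launch."""
    targets, in_autorun = [], False
    for raw in Path(inf_path).read_text(encoding="latin-1").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") or key.lower().endswith("\\command"):
                targets.append(value)
    return targets


def scan_removable_root(root):
    """Flag the USBSYSTEM folder and any autorun.inf entry that launches from it."""
    findings = []
    entries = {p.name.lower(): p for p in Path(root).iterdir()}
    if "usbsystem" in entries and entries["usbsystem"].is_dir():
        findings.append("USBSYSTEM folder present")
    inf = entries.get("autorun.inf")
    if inf is not None and inf.is_file():
        for target in autorun_targets(inf):
            first = re.split(r"[\\/]", target.strip('"').lstrip(".\\/"))[0]
            if first.lower() == "usbsystem":
                findings.append(f"autorun.inf launches {target}")
    return findings


def scan_recycler(drive_root):
    """Return RECYCLER subdirectories whose names match the article's pattern."""
    recycler = Path(drive_root) / "RECYCLER"
    if not recycler.is_dir():
        return []
    return sorted(p.name for p in recycler.iterdir()
                  if p.is_dir() and FAKE_SID_DIR.match(p.name))


if __name__ == "__main__":
    # Usage: python check_artifacts.py <removable-root> <system-drive-root>
    print(scan_removable_root(sys.argv[1]))
    print(scan_recycler(sys.argv[2]))
```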

One of the first visible symptoms revealing the infection is the unusual slowdown of the computer. The worm uses most of the available bandwidth to perform some malicious tasks such as denial-of-service (DoS) and TCP-SYN flood attacks against remote hosts.

In order to avoid infections, we recommend that you install and regularly update a complete antimalware suite with antivirus, antispam, antiphishing and firewall modules.

Information in this article is available courtesy of BitDefender virus researcher George Cabau.

Author


Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.
