Trojan.Win32.Rimecud.m

by Atlantis on April 17th, 2012 in Malware Descriptions.

Detect: Trojan.Win32.Rimecud.m
Platform: Win32
Type: Trojan
Size: 140288 bytes
Packer: unknown
Unpacked size: ~81KB
Language: C++
md5: 5A9A4024F263E0D79C8CF9381DCDF06A
sha1: 0C1C857386D7C2A4BF3C62CC69C110D38D35045F

Summary

This Trojan performs destructive actions on the user's PC.

Technical Details

Payload

To deceive the user, the Trojan's icon is designed to look like the Windows Explorer icon. Its file version properties are as follows:

Company: Trend Micro Inc.

Legal Trademarks: Copyright (C) Trend Micro Inc.

Product Name: Trend Micro Internet Security

The Trojan creates a process named "SVCHOST.EXE" and injects malicious code into it, together with the path of its original executable.

The malicious code performs the following actions:

  • To ensure that only one instance of it runs in the system, the Trojan creates a unique identifier with the following name:

Bm|=+10

  • Copies itself into the user's profile directory as:

%UserProfile%\jaase.exe

It then sets the read-only, hidden and system attributes on the file.

  • Keeps an open handle on the "%UserProfile%\jaase.exe" file so that it cannot be deleted.
  • To be launched automatically at each Windows startup, the Trojan adds a reference to its executable in the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Taskman" = "C:\Documents and Settings\test\jaase.exe"

  • Afterwards, it connects to the intruder's servers and waits for their responses:

slade.safehousenumber.com

murik.portal-protection.net.ru

world.rickstudio.ru

banana.cocolands.su

portal.roomshowerbord.com

On the intruder's command, it can perform actions such as:

1) Download an updated version of itself or other malicious files, which it saves to the current user's temporary folder:

%Temp%

It then executes the downloaded files.

2) Infect USB flash drives inserted into the user's PC. The Trojan copies itself to the flash drive as:

<infected partition name>:\jojot\desigion.exe

In the drive's root directory, it places a file that causes it to be launched when the infected partition is opened in Windows Explorer:

<infected partition name>:\autorun.inf

3) Receive a list of Internet resource names in order to track the user's search queries and substitute the results of those queries.

At the time this description was written, no commands had been received from the intruder's servers.

Removal Recommendations

If your computer was not protected by an antivirus program and has been infected with this malicious program, follow the steps below to remove it:

  1. Using Task Manager (How to End a Process with the Task Manager), terminate the Trojan process (the malicious process can be distinguished from the legitimate system processes by the fact that it runs as the current user):

     SVCHOST.EXE

  2. Delete the following file:

     %UserProfile%\jaase.exe

  3. Delete the following system registry key parameter (How to Work with System Registry):

     [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
     "Taskman" = "C:\Documents and Settings\test\jaase.exe"

  4. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder):

     %Temporary Internet Files%

  5. Run a full scan of your computer using an antivirus program with an up-to-date definition database (Download Ad-Aware Free).
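The following check is an added example, not part of the original description: it looks for the artifacts listed above (the Winlogon "Taskman" value, the dropped file in the user profile, svchost.exe instances running as the interactive user, and the USB dropper with its autorun.inf) and only reports what it finds, deleting nothing. It assumes an elevated PowerShell session on the affected machine; all file names and registry paths are taken from the description.

```powershell
# Added triage helper (not from the original description). Reports only; it does not delete anything.
# Assumption: run in an elevated PowerShell 5.1+ session on the affected Windows machine.

$findings = @()

# 1. Winlogon "Taskman" value: absent on a clean system; the Trojan points it at jaase.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$taskman = (Get-ItemProperty -Path $winlogon -Name Taskman -ErrorAction SilentlyContinue).Taskman
if ($taskman) { $findings += "Winlogon\Taskman is set: $taskman" }

# 2. Dropped copy in the user profile. It is read-only + hidden + system, so -Force is required.
$drop = Join-Path $env:USERPROFILE 'jaase.exe'
$file = Get-Item -LiteralPath $drop -Force -ErrorAction SilentlyContinue
if ($file) { $findings += "Dropped file present: $drop (attributes: $($file.Attributes))" }

# 3. svchost.exe normally runs under service accounts; an instance owned by the logged-on user is suspect.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($owner.User -eq $env:USERNAME) {
        $findings += "svchost.exe PID $($_.ProcessId) runs as $($owner.Domain)\$($owner.User)"
    }
}

# 4. Removable drives (DriveType 2): jojot\desigion.exe plus an autorun.inf that references it.
Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 2" | ForEach-Object {
    $root = $_.DeviceID + '\'
    $exe  = Join-Path $root 'jojot\desigion.exe'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $exe) { $findings += "USB dropper present: $exe" }
    if ((Test-Path -LiteralPath $inf) -and
        (Select-String -LiteralPath $inf -Pattern 'desigion\.exe' -Quiet)) {
        $findings += "autorun.inf on $root references desigion.exe"
    }
}

if ($findings.Count -eq 0) { 'No Rimecud.m artifacts found.' } else { $findings }
```

Clear the artifacts in the order the removal steps give (process first, then the file and registry value), since the open handle and the restored attributes will otherwise block deletion of jaase.exe.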