
VIRUS ALERTS

Mariposa Botnet / Worm Rimecud

Original issue date: December 23, 2009
Updated: April 05, 2010

Win32/Rimecud is a family of worms that spreads via fixed and removable drives, P2P networks, network shares and instant messaging. The threat is otherwise widely known as the Mariposa botnet.

This worm contains an IRC-based backdoor, which a remote attacker may use to order the affected machine to perform distributed denial-of-service attacks, initiate TCP SYN flood attacks against remote hosts, steal information, or download and execute arbitrary files.

Apart from the infection vectors listed above, the worm is known to take advantage of the authentication bypass vulnerability in RealVNC (CVE-2006-2369) to compromise a system.

Aliases:

WORM_AUTORUN.ELS (Trend), W32/Autorun.worm.zx (McAfee), W32/Autorun-AIC (Sophos), Proxy-Piky.dr (McAfee), Win32/Rimecud.E, Win32/Rimecud.O, Win32/Rimecud.W, W32.SillyFDC (Symantec), P2P-Worm.Win32.Palevo.ann (Kaspersky), Worm:Win32/Rimecud.A (MS OneCare), Worm:Win32/Rimecud.B (MS OneCare)

  • Injects code into the explorer.exe process and terminates itself
  • Creates the folder \RECYCLER\S-1-5-21-{random name}\ and drops a copy under a random file name. The names can be

    bfb.exe, dllrun32.exe, glps.exe, hd1.exe, hdav.exe,
    lpezobradr.exe, msimfo32.exe, nissan.exe, ramz.exe,
    rundll32.exe, sucursal.exe, svchost.exe, sysdata.exe,
    sysdate.exe, thumbcache_131.exe, twain_x86.exe,
    usbv.exe, windll.exe, wingn.exe, winigon.exe,
    winlogon.exe, winmap.exe, winmap32.exe, winvcs.exe,
    wmiprvse.exe, wnzip32.exe

  • Creates the registry entries
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\RECYCLER\{Random CLSID}\{Random Filename}"
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Actualizacion = "C:\RECYCLER\{Random CLSID}\{Random Filename}"
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\12CFG94-z641-2SF-N31P-5M1ER6H6L1 = "C:\RECYCLER\{Random CLSID}\{Random Filename}"
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Video Drivers = "C:\RECYCLER\{Random CLSID}\{Random Filename}"
    • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe {Malware Path}"

  • Spreads via:
    • Fixed and removable drives

      Enumerates all drives from B: to Z:, searching for fixed and removable drives; copies itself to the root directory of each drive found and creates an autorun.inf file (Win32.Rimecud!inf) to execute the copy.

    • Instant messaging

      Spreads via the Yahoo Messenger, ICQ, AIM, Skype and MSN messaging applications by sending a link to the malware to all of the user's contacts.

    • P2P file-sharing programs

      Copies itself into the folders belonging to P2P file-sharing programs such as iMesh, Shareaza, Kazaa, DC++, BearShare and eMule.

  • Attempts to connect to any of several IRC servers (domain names partially redacted in the advisory)

In view of the rapid propagation of the Rimecud worm, users are advised to implement the following countermeasures:

  • Search for the malicious files and registry entries created by the Rimecud worm and delete them
  • Install and maintain updated anti-virus software at gateway and desktop level
  • Use caution when opening attachments and accepting file transfers
  • Keep up to date with patches and fixes for the operating system and the above-mentioned vulnerability
  • Disable autorun
  • Install and maintain a firewall at desktop level
  • Block the IRC service and related ports, if not required
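As an added check for the first countermeasure above (example code written for this page, not part of the CERT-In advisory): run from an elevated PowerShell prompt, it reports, without deleting anything, the registry values and RECYCLER executables listed in this alert. The registry paths and file names come from the advisory; the assumption that a clean Winlogon Shell value is exactly "explorer.exe" is mine.

```powershell
# Added example, not part of the CERT-In advisory: reports the persistence
# artefacts listed above (Run/Winlogon values pointing into \RECYCLER\ and
# executables with the listed names under any drive's RECYCLER folder).
$persistenceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# File names the advisory says the worm drops under \RECYCLER\S-1-5-21-...\
$knownNames = @('bfb.exe','dllrun32.exe','glps.exe','hd1.exe','hdav.exe',
    'lpezobradr.exe','msimfo32.exe','nissan.exe','ramz.exe','rundll32.exe',
    'sucursal.exe','svchost.exe','sysdata.exe','sysdate.exe',
    'thumbcache_131.exe','twain_x86.exe','usbv.exe','windll.exe','wingn.exe',
    'winigon.exe','winlogon.exe','winmap.exe','winmap32.exe','winvcs.exe',
    'wmiprvse.exe','wnzip32.exe')
$findings = New-Object System.Collections.Generic.List[object]

# 1. Registry values whose data references RECYCLER, a Winlogon Shell value
#    other than the default "explorer.exe" (assumed), or any Taskman value.
foreach ($key in $persistenceKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        $data = [string]$p.Value
        $suspicious = ($data -match '\\RECYCLER\\') -or
                      ($p.Name -eq 'Shell' -and $data -ne 'explorer.exe') -or
                      ($p.Name -eq 'Taskman')
        if ($suspicious) {
            $findings.Add([pscustomobject]@{
                Type = 'Registry'; Location = "$key\$($p.Name)"; Detail = $data })
        }
    }
}

# 2. Executables with the listed names inside RECYCLER on every drive letter
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $recycler = Join-Path $drive.Root 'RECYCLER'
    if (-not (Test-Path $recycler)) { continue }
    Get-ChildItem -Path $recycler -Recurse -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $knownNames -contains $_.Name.ToLower() } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type = 'File'; Location = $_.FullName; Detail = "$($_.Length) bytes" })
        }
}

if ($findings.Count -eq 0) { 'No Rimecud persistence indicators found.' }
else { $findings | Format-Table -AutoSize }
```

The names are the ones this alert lists for the samples known at the time, so an empty result is not proof of absence; confirm with an updated anti-virus scan as the next countermeasure advises.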


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003