WORM_RIMECUD

 Analysis by: Dianne Lagrimas

 ALIASES:

Dorkbot, Hamweq, Kolab, Rimecud, Graftor, Tofsee, Ruskill, Ngrbot

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via removable drives, Downloaded from the Internet, Propagates via software vulnerabilities, Propagates via instant messaging applications, Propagates via social networking sites


The IRCBOT malware family uses Internet Relay Chat (IRC) to send and receive commands from a bot master who operates each specific variant. IRCBOT malware is known to propagate via removable drives and by exploiting software vulnerabilities. IRCBOT has also used instant messaging programs such as Yahoo! Messenger, MSN Messenger, and Windows Live Messenger.

This malware family has been around since 2005.

In 2010, an IRCBOT botnet dubbed the “Chuck Norris” botnet emerged in the threat landscape. It targets vulnerable routers and DSL modems to propagate a worm, detected as WORM_IRCBOT.ABJ. Later that year, newer variants used Facebook and Myspace to spread to other systems.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs

Installation

This worm drops the following copies of itself into the affected system:

  • %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe
  • %User Profile%\Application Data\Ciwuww.exe
  • %User Profile%\Application Data\Fhwuwz.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following files:

  • %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Ciwuww = "%User Profile%\Application Data\Ciwuww.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Fhwuwz = "%User Profile%\Application Data\Fhwuwz.exe"
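The drop locations and autostart entries above are the host-side indicators a responder would sweep for. The PowerShell below is an added example, not part of this write-up or of any Trend Micro tool: it checks the HKCU Run values for the dropped file names, the Winlogon Taskman value (which is normally absent on a clean system), the %User Profile%\Application Data copies, and any RECYCLER subfolder whose name starts with "R-1-5-", since legitimate per-user recycle bin folders there are named after a SID ("S-1-5-21-...") and the worm's folder only imitates that pattern. The function names are my own; the 21-1482476501-... portion of the folder name is matched only by prefix because it is variant-specific. Run it elevated on a suspect host; it reads only.

```powershell
# Added example (not from the original write-up): sweep one host for the
# WORM_RIMECUD drop locations and autostart entries listed above.
# Written to run on PowerShell 2.0 so it works on the XP/2003 platforms listed.

$DroppedNames = @('acleaner.exe', 'Ciwuww.exe', 'Fhwuwz.exe')

function New-Finding($Source, $Name, $Value) {
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Value = $Value }
}

function Get-RimecudRunEntries {
    # HKCU\...\Run values whose data resolves to one of the dropped executables.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $key)) { return }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $leaf = Split-Path -Leaf (([string]$p.Value).Trim('"'))
        if ($DroppedNames -contains $leaf) {
            New-Finding 'HKCU Run' $p.Name $p.Value
        }
    }
}

function Get-RimecudTaskman {
    # Winlogon\Taskman is not set on a default install; any value deserves review,
    # not only one pointing into RECYCLER.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name Taskman -ErrorAction SilentlyContinue).Taskman
    if ($v) { New-Finding 'Winlogon Taskman' 'Taskman' $v }
}

function Get-RimecudRecyclerFolders {
    # Real recycle bin folders under RECYCLER are named after a SID (S-1-5-21-...).
    # The worm's folder uses an R-1-5-21-... name that only looks like one.
    $root = Join-Path $env:SystemDrive 'RECYCLER'       # %System Root%\RECYCLER
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^R-1-5-' } |
        ForEach-Object { New-Finding 'RECYCLER' $_.Name $_.FullName }
}

function Get-RimecudAppDataDrops {
    # %User Profile%\Application Data is $env:APPDATA on every platform listed above.
    foreach ($n in @('Ciwuww.exe', 'Fhwuwz.exe')) {
        $p = Join-Path $env:APPDATA $n
        if (Test-Path $p) { New-Finding 'Application Data' $n $p }
    }
}

$findings = @(
    Get-RimecudRunEntries
    Get-RimecudTaskman
    Get-RimecudRecyclerFolders
    Get-RimecudAppDataDrops
) | Where-Object { $_ -ne $null }

if (@($findings).Count -eq 0) {
    'No WORM_RIMECUD indicators found on this host.'
} else {
    @($findings) | Format-Table Source, Name, Value -AutoSize
}
```

The HKCU check only covers the profile the script runs under; on a multi-user machine, load each user's NTUSER.DAT hive (or run the check as each user) to cover the other profiles. A Taskman hit should be treated as an indicator of something persisting through Winlogon even when the path differs from the one listed above.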

Other Details

This worm connects to the following possibly malicious URL:

  • fanta.{BLOCKED}er.com
  • haso.{BLOCKED}g.com
  • http://{BLOCKED}e.com/dl/143405707/43967b3/1c1.com
  • http://{BLOCKED}e.com/dl/147117570/df10b90/125.gif.exe
  • http://{BLOCKED}e.com/dl/148475728/eb6b618/x1010.exe
  • http://img103.{BLOCKED}h.com/2012/02/26/671531634.gif
  • http://img105.{BLOCKED}h.com/2012/02/26/306561211.gif
  • http://s530.{BLOCKED}le.com/get/{random}/{random}/2/8bf8cc5ef4a9bd85/8d98f50/x1010.exe
  • http://s679.{BLOCKED}le.com/get/{random}/{random}/2/c5cf22b016e0ae9a/8d98f09/botupx.exe
  • http://{BLOCKED}le.com/dl/139880406/883ef46/botxxxx1-2.exe
  • http://{BLOCKED}le.com/dl/148475657/93df7e1/botupx.exe
  • magazin.{BLOCKED}bila.com
  • matea.{BLOCKED}g.com
  • ng.{BLOCKED}llone.com
  • ng.{BLOCKED}oan.com
  • ng.{BLOCKED}opperz11.com
  • ng.{BLOCKED}ousez11.com
  • ng.{BLOCKED}tbaby.com
  • ngrbck0.{BLOCKED}van.info
  • ngrbck1.{BLOCKED}cija-reality.co.cc
  • ngrbck2.{BLOCKED}oup.co.za
  • niggers.{BLOCKED}s.ru
  • tamara.{BLOCKED}le-cache.com
  • av.{BLOCKED}c.cz
  • av.{BLOCKED}en.cc
  • bt1.{BLOCKED}a.com
  • bt1.{BLOCKED}um.com
  • bt1.{BLOCKED}y.com
  • dl.{BLOCKED}k.com
  • up.{BLOCKED}at.org
  • up.{BLOCKED}ek.net
  • up.{BLOCKED}idic.net
  • up.{BLOCKED}s.in
  • up.{BLOCKED}y.in
  • xD.{BLOCKED}x.com
  • {BLOCKED}01.com
  • {BLOCKED}02.com
  • {BLOCKED}03.com
  • {BLOCKED}pwnme.net
  • {BLOCKED}t.ru
  • {BLOCKED}ud.com
  • {BLOCKED}v.info
  • {BLOCKED}v.info