


Rimecud.B: The malware that won’t go away

May 10, 2011
Data and Information Security

Security company Qualys says its customers are struggling, in a big way, to get Win32/Rimecud.B off their machines.

Britt Gottlieb, who handles PR for the company, told me in an email, “Infections of this malware were first spotted in the second half of 2010, however Qualys’ customers are still calling them because they are having difficulties removing it, even with their anti-virus software. Therefore, Qualys decided to analyze, plus describe some interesting anti-debugging techniques.”

The Qualys blog has a detailed analysis, including a number of screen shots to help IT security practitioners know what to look for.

Here’s a sample:

File: ctfmon.exe

MD5: f5f4ec6d780715d713b7e085fd24447c

SHA1: f4507f91806aef7bdbbab1047b5ce4d5d6033e6c

File Type: MS Windows Portable Executable file

Among other things, Qualys said the malware is known to spread via USB drives. When a USB stick is connected to an infected host, the malware drops a copy of itself at "[RemovableDrive]\nemojmeni.exe" and creates an autorun.inf file on the drive to launch it.

The screen shots offer a step-by-step view of how the malware operates on an infected system, and I recommend you have a look.


Qualys suggests the following to remove it (the registry key referred to in step 1 is identified in the Qualys analysis and is not reproduced here):

1. Open “Regedit” and locate the above mentioned registry key. Delete this registry key.

2. Open “Task Manager” and find explorer.exe in the “Processes” tab. Right click on explorer.exe and select “Kill Process”. If you are comfortable using command line, use the following steps to kill explorer.exe:

tasklist | find /i "explorer"

This command will give you the process id of the explorer.exe process.

taskkill /PID 12345 /f

(12345 to be substituted with the process id of explorer.exe obtained from the above step)

3. Upon doing this you will notice that another process named "ctfmon.exe" appears in the process list. Kill "ctfmon.exe" as well, the same way as we killed explorer.exe.

4. Browse to the %UserProfile% directory using a command line. Use “dir /ah” command to list all the files in that directory. You should be able to see “ctfmon.exe” file in that directory. This file has “SHR” attribute. Remove these attributes of the file so that you can delete this file. Use the following commands to do this:

attrib -S -H -R ctfmon.exe

del ctfmon.exe
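The steps above are the manual cmd.exe procedure. The script below is an added example, written for this article and not taken from the Qualys post, that carries out steps 2 through 4 and the USB check in one pass, with two safeguards a responder would want: it verifies the dropped file against the MD5/SHA1 hashes quoted earlier before killing anything, and it only terminates the ctfmon.exe running from %UserProfile%, not the legitimate copy in System32. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt in the infected user's session. Step 1, the registry key, is not reproduced in the article and so is not handled here; delete it in regedit as Qualys describes. Deleting the dropper while the registry entry remains leaves a dangling reference but no running code.

```powershell
# Added example (not the article's or Qualys's code): automates steps 2-4 of the
# Qualys removal procedure plus the removable-drive check. Run elevated, as the
# infected user. The registry key from step 1 must still be removed by hand.

# Indicators quoted in the article for the dropped ctfmon.exe
$IocMd5  = 'f5f4ec6d780715d713b7e085fd24447c'
$IocSha1 = 'f4507f91806aef7bdbbab1047b5ce4d5d6033e6c'
$Dropper = Join-Path $env:USERPROFILE 'ctfmon.exe'

if (-not (Test-Path -LiteralPath $Dropper)) {
    Write-Host "No $Dropper found; nothing to do."
    return
}

# Confirm this is the sample Qualys describes. The real ctfmon.exe lives in
# System32 and is never touched by this script.
$md5  = (Get-FileHash -LiteralPath $Dropper -Algorithm MD5).Hash.ToLower()
$sha1 = (Get-FileHash -LiteralPath $Dropper -Algorithm SHA1).Hash.ToLower()
if ($md5 -ne $IocMd5 -or $sha1 -ne $IocSha1) {
    Write-Warning "$Dropper hashes ($md5 / $sha1) do not match the Qualys sample; inspect it before deleting."
    return
}

# Steps 2 and 3: kill explorer.exe, then the ctfmon.exe that respawns from the
# user profile. Filtering on the image path avoids killing the System32 copy.
Get-Process -Name explorer -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 2
Get-Process -Name ctfmon -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $Dropper) } |
    Stop-Process -Force

# Step 4: clear the S/H/R attributes (equivalent of "attrib -S -H -R") and delete.
(Get-Item -LiteralPath $Dropper -Force).Attributes = [System.IO.FileAttributes]::Normal
Remove-Item -LiteralPath $Dropper -Force
Write-Host "Deleted $Dropper"

# USB check: DriveType 2 is a removable disk. Remove the dropped copy and its
# autorun.inf so the stick does not re-infect the next host it is plugged into.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    foreach ($name in 'nemojmeni.exe', 'autorun.inf') {
        $p = Join-Path $_.DeviceID $name
        if (Test-Path -LiteralPath $p) {
            (Get-Item -LiteralPath $p -Force).Attributes = [System.IO.FileAttributes]::Normal
            Remove-Item -LiteralPath $p -Force
            Write-Host "Removed $p"
        }
    }
}

# Killing explorer.exe takes the desktop down with it; bring it back.
Start-Process explorer.exe
```

Run it after the registry key is gone, then reboot and re-run the hash check on %UserProfile%\ctfmon.exe; if the file reappears, something else (the registry entry or another infected drive) is still re-dropping it.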

–Bill Brenner