Security company Qualys says its customers are struggling in a big way to get Win32/Rimecud.B out of their machinery.

Britt Gottlieb, who handles PR for the company, told me in an email, "Infections of this malware were first spotted in the second half of 2010; however, Qualys' customers are still calling them because they are having difficulties removing it, even with their anti-virus software. Therefore, Qualys decided to analyze, plus describe some interesting anti-debugging techniques."

The Qualys blog has a detailed analysis, including a number of screen shots to help IT security practitioners know what to look for. Here's a sample:

File: ctfmon.exe
MD5: f5f4ec6d780715d713b7e085fd24447c
SHA1: f4507f91806aef7bdbbab1047b5ce4d5d6033e6c
File Type: MS Windows Portable Executable file

Among other things, Qualys said the malware is known to spread via USB drives. On connecting a USB stick to an infected host, the malware drops a copy of itself as "[RemovableDrive]nemojmeni.exe" and creates an autorun.inf file that launches it.

The screen shots offer a step-by-step view of how the malware operates on an infected system, and I recommend you have a look.

Qualys suggests the following to remove it:

1. Open "Regedit" and locate the registry key identified in the Qualys analysis. Delete this registry key.

2. Open "Task Manager" and find explorer.exe in the "Processes" tab. Right click on explorer.exe and select "Kill Process". If you are comfortable using the command line, use the following steps to kill explorer.exe:

tasklist | find /i "explorer"

This command gives you the process ID of the explorer.exe process.

taskkill /PID 12345 /f

(Substitute 12345 with the process ID of explorer.exe obtained in the previous step.)

3. Upon doing this you will notice that another process named "ctfmon.exe" appears in the process list. Kill "ctfmon.exe" as well, the same way as explorer.exe.

4. Browse to the %UserProfile% directory using a command line. Use the "dir /ah" command to list all the files in that directory, including hidden ones. You should see a "ctfmon.exe" file there. This file carries the "SHR" (System, Hidden, Read-only) attributes, which must be cleared before the file can be deleted. Use the following commands to do this:

attrib -S -H -R ctfmon.exe
del ctfmon.exe

–Bill Brenner
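For readers who want to check a machine or a USB stick before (or after) walking through the removal steps, here is an added triage script. It is not Qualys' code and not part of the original post; it takes the indicators quoted above (the ctfmon.exe hashes, the nemojmeni.exe drop name and the autorun.inf trick) and scans one directory such as %UserProfile% or a removable drive's root for them. Only the hash values come from the post; the directory layout the demo builds is constructed from harmless placeholder files, and the autorun.inf keys it parses (open, shellexecute, shell\...\command) are the standard ones Windows honours, which is an assumption on my part rather than something the post states.

```python
"""Triage helper for the Win32/Rimecud.B indicators quoted in the post.

Added example, not Qualys' or the post's code. It checks a single directory
(e.g. %UserProfile% or the root of a removable drive) for the file names the
post mentions, compares hashes against the sample quoted above, flags the
System/Hidden attributes that step 4 clears, and inspects autorun.inf.
"""
import hashlib
import os
import re
import stat
import tempfile

# Hashes of the ctfmon.exe sample exactly as quoted in the post.
KNOWN_MD5 = "f5f4ec6d780715d713b7e085fd24447c"
KNOWN_SHA1 = "f4507f91806aef7bdbbab1047b5ce4d5d6033e6c"
# File names the post associates with the dropper: the user-profile copy and the USB copy.
DROPPED_NAMES = {"ctfmon.exe", "nemojmeni.exe"}
# autorun.inf keys that make Windows launch a program from the drive (assumed standard keys).
AUTORUN_LAUNCH_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=(.*)$", re.I)


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def first_token(command):
    """First word of a command line, honouring a leading double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_autorun(text):
    """Return the lower-cased base names of programs an autorun.inf would launch."""
    launched = set()
    for line in text.splitlines():
        match = AUTORUN_LAUNCH_KEY.match(line)
        if match:
            token = first_token(match.group(2))
            if token:
                # Split on either separator so the check also works off-Windows.
                launched.add(re.split(r"[\\/]", token)[-1].lower())
    return launched


def hidden_or_system(path):
    """True if the file carries the Hidden or System attribute (Windows only; False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def scan_directory(root):
    """Non-recursive scan of one directory; returns finding dicts sorted by file name."""
    findings = []
    for name in sorted(os.listdir(root)):  # listdir shows hidden files, like 'dir /ah'
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        if lower in DROPPED_NAMES:
            md5, sha1 = file_hashes(path)
            findings.append({
                "path": path,
                "reason": "dropped-file name",
                "hash_match": md5 == KNOWN_MD5 or sha1 == KNOWN_SHA1,
                "hidden_or_system": hidden_or_system(path),
            })
        elif lower == "autorun.inf":
            with open(path, "r", errors="replace") as fh:
                launched = parse_autorun(fh.read()) & DROPPED_NAMES
            if launched:
                findings.append({
                    "path": path,
                    "reason": "autorun.inf launches " + ", ".join(sorted(launched)),
                    "hash_match": False,
                    "hidden_or_system": hidden_or_system(path),
                })
    return findings


def run_demo():
    """Build a constructed directory mimicking the layout the post describes, then scan it.

    The files are harmless placeholders, so their hashes will not match the sample:
    a hash match is the strong signal, a name match alone is only a hint to look closer.
    """
    with tempfile.TemporaryDirectory() as root:
        for name in DROPPED_NAMES:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"constructed placeholder, not the sample\n")
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=nemojmeni.exe\naction=Open folder to view files\n")
        return scan_directory(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run it as-is to see the three findings from the constructed directory, or call scan_directory(os.path.expandvars("%UserProfile%")) on a Windows box to check the location step 4 talks about. A legitimate ctfmon.exe lives under System32, so a copy in the user profile is worth a look even when the hash does not match; a hash match on the quoted sample is the definitive indicator.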