Coinciding with its monthly patch cycle, Microsoft is also updating the Windows Malicious Software Removal Tool, equipping the tool to hunt down additional malware families. Win32/Rimecud is the first malicious code sample added to MSRT in 2010, a rather prevalent family of worms whose shared pedigree makes it uncomfortably similar to Hamweq, a family of worms added to MSRT in December 2009. Marian Radu, from the Microsoft Malware Protection Center, speculated that both Win32/Hamweq and Win32/Rimecud might have the same “father,” judging by the similarities between the two.
“Win32/Rimecud is a family of worms that spreads via fixed and removable drives, instant messaging programs, and P2P networks. Similar to Hamweq, it also contains backdoor functionality that allows unauthorized access to affected machines. However, compared to Hamweq, Win32/Rimecud's backdoor supports a more diverse and sophisticated set of commands, giving the remote attacker greater control of the compromised machine,” Radu stated.
According to information provided by Microsoft, the malicious payload that Hamweq downloads after compromising a machine can also contain Rimecud. This is yet another clue that the two malware samples are in fact related, and the similarities don’t stop there. However, one of the most important factors behind Rimecud’s addition to MSRT is the worm’s high detection numbers, almost as high as Hamweq’s.
“Win32/Rimecud uses a variety of obfuscators to hinder detection. These are written in C/C++/Delphi/Visual Basic and usually have virtual environment detection and anti-emulation tricks to make the malware harder to detect,” Radu added. “Other similarities to Win32/Hamweq's behavior include using the Recycle Bin as the target drop folder for copies of itself, injecting code into the explorer.exe process and the capability to spread via removable drives.”
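The Recycle Bin drop location Radu describes is something a defender can check for directly. The script below is an added example, not code from the article or from Microsoft: it walks the Recycle Bin folder of each given volume and flags any file whose header is a PE executable, regardless of its extension. The folder names and the constructed sample layout are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

# Recycle Bin folder names (assumed set): "$Recycle.Bin" on Vista and later,
# "RECYCLER" / "RECYCLED" on older NTFS and FAT volumes.
RECYCLE_BIN_NAMES = {"$recycle.bin", "recycler", "recycled"}
PE_MAGIC = b"MZ"  # DOS header shared by every Windows PE executable


def is_pe_file(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header of a PE executable."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def find_pe_in_recycle_bins(drive_roots):
    """Return sorted paths of PE files found under any Recycle Bin folder.

    drive_roots: volume roots to inspect (every fixed and removable drive).
    The extension is ignored on purpose: a dropper can name its copy anything,
    so the header, not the suffix, decides. Unreadable subfolders are skipped.
    """
    hits = []
    for root in map(Path, drive_roots):
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            if entry.is_dir() and entry.name.lower() in RECYCLE_BIN_NAMES:
                hits.extend(str(p) for p in entry.rglob("*")
                            if p.is_file() and is_pe_file(p))
    return sorted(hits)


def run_constructed_demo():
    """Build a constructed (harmless) volume layout and return the hit basenames."""
    with tempfile.TemporaryDirectory() as base:
        bin_dir = Path(base) / "$Recycle.Bin" / "S-1-5-21-0-0-0-1000"
        bin_dir.mkdir(parents=True)
        # A PE header hidden behind an image extension: should be flagged.
        (bin_dir / "$R1A2B3C.jpg").write_bytes(PE_MAGIC + b"\x90\x00" * 32)
        # A benign Recycle Bin index record: should not be flagged.
        (bin_dir / "$I1A2B3C").write_bytes(b"\x02\x00\x00\x00" + b"\x00" * 20)
        (Path(base) / "Documents").mkdir()
        (Path(base) / "Documents" / "notes.txt").write_text("plain text")
        return [os.path.basename(h) for h in find_pe_in_recycle_bins([base])]


if __name__ == "__main__":
    print("executables in Recycle Bin:", run_constructed_demo())
```

On a live system, pass the real drive roots (for example `["C:\\", "E:\\"]`) instead of the constructed temp directory.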
The Windows Malicious Software Removal Tool is available for download here.