by Atlantis on April 17th, 2012 in Malware Descriptions.

Detect: Trojan.Win32.Rimecud.m
Platform: Win32
Type: Trojan
Size: 140288 bytes
Packer: unknown
Unpacked size: ~81KB
Language: C++
md5: 5A9A4024F263E0D79C8CF9381DCDF06A
sha1: 0C1C857386D7C2A4BF3C62CC69C110D38D35045F


It is a Trojan program that performs destructive activities on the user's PC.

Technical Details


To deceive a PC user, the Trojan program icon is designed to look like the Windows Explorer icon. Its file properties are as follows:


Trend Micro Inc.

Legal Trademarks: Copyright (C) Trend Micro Inc.

Product Name: Trend Micro Internet Security

The Trojan creates a process named "SVCHOST.EXE" and injects malicious code into it, along with the location of its original body.

The malicious code performs the following actions:

  • To control the uniqueness of its process in the system, the Trojan creates a unique identifier with the following name:


  • Copies itself to the directory as:


In doing so, it sets the following attributes on the file: read-only, hidden and system.

  • Keeps a handle open on the "%UserProfile%\jaase.exe" file, which prevents the file from being deleted.
  • To be launched automatically at each Windows startup, the Trojan adds a link to its executable file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Taskman" = "C:\Documents and Settings\test\jaase.exe"

  • Afterwards, it connects to the intruder’s servers and waits for their responses:

On the intruder’s command, it can perform actions such as:

1) Download an updated version of itself or other malicious files, which it saves to the temporary folder of the current user:


Afterwards, it launches the downloaded files for execution.

2) Infect USB Flash Drives inserted in the user’s PC. The Trojan copies itself to the USB Flash Drive as:

<infected partition name>:\jojot\desigion.exe

In the drive's root directory, it places a file that causes the Trojan to be launched when the infected partition is opened in Windows Explorer:

<infected partition name>:\autorun.inf

3) Receive a list of names of Internet resources in order to track the user’s search queries and substitute the results of these queries.

When the description was created, no commands from the intruder’s servers were received.

Removal Recommendations

If you have not used any antivirus program to protect your computer from viruses and it gets infected with this malicious program, follow the steps listed below to remove it:

  1. Using Task Manager (How to End a Process with the Task Manager), terminate the Trojan process (the malicious process differs from the other computer processes in that it runs as the current user):

  2. Delete the following file:

     %UserProfile%\jaase.exe

  3. Delete the following system registry key parameter (How to Work with System Registry):

     [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

     "Taskman" = "C:\Documents and Settings\test\jaase.exe"

  4. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder):

     %Temporary Internet Files%

  5. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).
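
Before or after cleanup, the indicators listed in this description can be checked with a read-only script. The following is an added example, not part of the original description: the function name `Find-RimecudIndicators` and its output format are illustrative, and it assumes PowerShell 3.0 or later, that a default Windows installation has no "Taskman" value under Winlogon, and that the Trojan's autorun.inf mentions the copied file by name (the description does not show its contents).

```powershell
# Added example: read-only triage for the indicators named in this description.
# Nothing is deleted or modified; findings are returned as objects for review.
function Find-RimecudIndicators {
    $findings = @()

    # 1) Winlogon "Taskman" value: the autorun entry the Trojan adds.
    #    Assumption: the value is absent on a default installation, so any data
    #    found here is reported, whatever path it points to.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $taskman = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Taskman
    if ($taskman) {
        $findings += [pscustomobject]@{ Check = 'Winlogon Taskman'; Detail = $taskman }
    }

    # 2) The dropped copy in the current user's profile. -Force is needed because
    #    the file is marked read-only, hidden and system.
    $copy = Join-Path $env:USERPROFILE 'jaase.exe'
    $item = Get-Item -LiteralPath $copy -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{ Check = 'Dropped copy'; Detail = "$copy [$($item.Attributes)]" }
    }

    # 3) Removable drives (DriveType 2): the copy under \jojot and autorun.inf.
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $exe  = Join-Path $root 'jojot\desigion.exe'
        $inf  = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $exe) {
            $findings += [pscustomobject]@{ Check = 'USB copy'; Detail = $exe }
        }
        if (Test-Path -LiteralPath $inf) {
            # Assumption: the autorun.inf names the copied file; a legitimate
            # autorun.inf is listed too, but with "references copy: False".
            $refs = $false
            try { $refs = [IO.File]::ReadAllText($inf) -match 'desigion\.exe' } catch { }
            $findings += [pscustomobject]@{ Check = 'USB autorun.inf'; Detail = "$inf (references copy: $refs)" }
        }
    }
    $findings
}

Find-RimecudIndicators | Format-Table -AutoSize
```

The file check covers only the profile of the user running the script, so on a shared machine it has to be repeated for each user account.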