Trojan.Win32.Rimod.b

by Atlantis on May 21st, 2012 in Malware Descriptions.

Platform: Win32
Type: Worm
Size: 73938 bytes
Language: Visual Basic
MD5: 030D70062F0D16D918DFA5ADFDFEE857
SHA1: 33217329687F29A3C8393C52AAB656DABB4E5BCE

Summary

Trojan.Win32.Rimod.b is a worm which copies itself to the local drives of the infected computer.

Technical Details

Propagation

Once launched, the worm recursively scans the folders on the local drives of the infected computer. It copies itself into each folder under one of the following file names:

backup.exe
data.exe
System Restore.exe
update.exe

In an attempt to defeat antivirus signatures, it writes 2 random bytes to the end of each copy.

Each modified copy is then launched and continues spreading through the folders of its parent directory tree.

To run automatically at startup, the malware places copies of itself in the following folders:

%USERPROFILE%\Start Menu\Programs\Startup
%ALLUSERSPROFILE%\Start Menu\Programs\Startup

Payload

Once launched, the malware performs the following actions:

  • Changes the following registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath" = "1"

As a result, the full path is displayed in Windows Explorer.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"Hidden" = "2"

Extensions of registered file types are hidden, and files with the hidden and system attributes are not displayed in Windows Explorer.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoFolderOptions" = "1"

Thus, the malware hides “Properties” on the context menu in Windows Explorer.

  • Creates an archive with the following name in its own folder:

%WorkDir%\<current user name>.zip (22658 bytes)

which contains its original file. The created archive is given the hidden attribute.

  • Shows the following message:

Removal Recommendations

  1. Restart the computer in safe mode (press and hold the F8 key as the computer restarts, and then select “Safe Mode” on the boot menu).
  2. Delete the malware copies from the following folders:

     %USERPROFILE%\Start Menu\Programs\Startup
     %ALLUSERSPROFILE%\Start Menu\Programs\Startup

  3. Reboot the computer.
  4. Run a full scan of your computer using an antivirus program with an updated definition database (Download Ad-Aware Free).
  5. Restore the default values of the following registry keys (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath" 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"
"Hidden" 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" 

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoFolderOptions"
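As an added defender-side check that is not part of the original description, the PowerShell audit below looks for the artifacts listed on this page: the five registry values from the Payload section and copies under the four file names in the Startup folders. Because the worm appends 2 random bytes to each copy, the script hashes only the first 73938 bytes of a candidate so the original's MD5 still matches; the function names, the Startup-folder resolution via [Environment]::GetFolderPath and the assumption that the appended bytes are the worm's only change to a copy are mine.

```powershell
# Added example, not from the original description: audit a host for the artifacts
# listed on this page. Values come from the page; the prefix-hash check assumes the
# appended random bytes are the only change the worm makes to each copy.
$OriginalSize = 73938
$OriginalMd5  = '030D70062F0D16D918DFA5ADFDFEE857'
$CopyNames    = 'backup.exe', 'data.exe', 'System Restore.exe', 'update.exe'
# HideFileExt=1 and Hidden=2 are also Windows defaults, so alone they are weak
# indicators; the two NoFolderOptions policies are the strong ones.
$RegistryChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState'; Name = 'FullPath';        Bad = 1; Weak = $true  },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';     Name = 'HideFileExt';     Bad = 1; Weak = $true  },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';     Name = 'Hidden';          Bad = 2; Weak = $true  },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';     Name = 'NoFolderOptions'; Bad = 1; Weak = $false },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';     Name = 'NoFolderOptions'; Bad = 1; Weak = $false }
)

function Test-RimodRegistry {
    foreach ($c in $RegistryChecks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $v -and [int]$v -eq $c.Bad) {
            [pscustomobject]@{ Artifact = "$($c.Path)\$($c.Name)"; Value = $v; WeakIndicator = $c.Weak }
        }
    }
}

# MD5 over the first $Length bytes only: the 2 bytes appended to each copy change the
# whole-file hash but leave the original 73938-byte body, and so its MD5, intact.
function Get-PrefixMd5 {
    param([string]$Path, [int]$Length)
    $fs = [IO.File]::OpenRead($Path)
    try {
        $buf  = New-Object byte[] $Length
        $read = $fs.Read($buf, 0, $Length)
        if ($read -lt $Length) { return $null }   # shorter than the original: not a copy
        return ([BitConverter]::ToString([Security.Cryptography.MD5]::Create().ComputeHash($buf, 0, $read)) -replace '-', '')
    } finally { $fs.Dispose() }
}
# Startup folders resolved for any Windows version; pass -Roots 'C:\' to sweep a drive,
# since the worm also drops copies into every folder it can reach.
function Test-RimodCopies {
    param([string[]]$Roots = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')))
    Get-ChildItem -Path $Roots -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $CopyNames -contains $_.Name -and $_.Length -ge $OriginalSize } |
        ForEach-Object {
            $h = Get-PrefixMd5 -Path $_.FullName -Length $OriginalSize
            if ($h -eq $OriginalMd5) { [pscustomobject]@{ Artifact = $_.FullName; Size = $_.Length; PrefixMd5 = $h } }
        }
}
Test-RimodRegistry
Test-RimodCopies
```

Run it after the removal steps above: an empty result means the listed registry values are no longer at the worm's settings and no recognisable copies remain in the Startup folders.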