Rimecud and Hamweq - birds of a feather
mmpc2
12 Jan 2010 3:11 PM
Following the addition of Win32/Hamweq to the MSRT last month, MMPC will continue cleaning PCs in 2010 by adding another prevalent worm, Win32/Rimecud, to this month's removal tool.
This is due not only to Win32/Rimecud's high detection numbers, which rank immediately behind those of Win32/Hamweq, but also to the similarities the two families share. In fact, as part of its payload, Win32/Hamweq may download Win32/Rimecud, which makes Rimecud a natural next target for MSRT: cleaning one family without the other would leave the machine exposed.
Win32/Rimecud is a family of worms that spreads via fixed and removable drives, instant messaging programs, and P2P networks. Similar to Hamweq, it also contains backdoor functionality that allows unauthorized access to affected machines. However, compared to Hamweq, Win32/Rimecud's backdoor supports a more diverse and sophisticated set of commands, giving the remote attacker greater control of the compromised machine.
Win32/Rimecud is distributed through a variety of obfuscators (packers and crypters) written in C/C++, Delphi and Visual Basic. These layers usually include virtual-environment detection and anti-emulation tricks, so the sample behaves differently, or not at all, when run inside an emulator or analysis sandbox, which makes both automated analysis and signature-based detection harder.
Other similarities to Win32/Hamweq's behavior include using the Recycle Bin folder as the drop location for copies of itself (a location users rarely inspect and that is hidden by default), injecting code into the explorer.exe process so the worm runs under a trusted process name, and spreading via removable drives.
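As an added practical check, not part of the original MMPC post and not a substitute for MSRT or a real-time antimalware engine: a PowerShell triage script that surfaces the two host-side artifacts described above, executables sitting in a drive's Recycle Bin folder that do not follow Windows's own deleted-item naming scheme, and modules loaded into explorer.exe from outside the Windows and Program Files directories. The folder names, the naming patterns and the trusted-path list are assumptions of the example (Vista and later store deleted items as $I/$R files under $Recycle.Bin\<SID>\; XP used RECYCLER or RECYCLED with Dc<n> files and INFO2), and code injected as raw shellcode rather than as a DLL will not appear in a module list, so an empty result does not mean a clean machine.

```powershell
# Added triage script (example code, not MMPC's or the MSRT's).
# Heuristics only: it lists things worth a closer look, it does not detect Rimecud.
# Run from an elevated prompt so hidden/system folders and explorer.exe are readable.

# Assumption: these extensions are what a worm would drop as a self-copy.
$exeExt = '.exe', '.dll', '.scr', '.com', '.pif'

function Get-SuspiciousRecycleBinFiles {
    # Assumption: Vista+ uses $Recycle.Bin, XP used RECYCLER (NTFS) / RECYCLED (FAT).
    $binNames = '$Recycle.Bin', 'RECYCLER', 'RECYCLED'

    $hits = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($binName in $binNames) {
            $bin = Join-Path $drive.Root $binName
            if (-not (Test-Path -LiteralPath $bin)) { continue }

            Get-ChildItem -LiteralPath $bin -Recurse -Force -File -ErrorAction SilentlyContinue |
                Where-Object {
                    # executable extension, and a name Windows itself would not have produced:
                    # Vista+ deleted items look like $I<6 chars>.<ext> / $R<6 chars>.<ext>,
                    # XP deleted items look like Dc<n>.<ext>
                    ($exeExt -contains $_.Extension.ToLower()) -and
                    ($_.Name -notmatch '^\$[IR][A-Z0-9]{6}\.') -and
                    ($_.Name -notmatch '^Dc\d+\.')
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path     = $_.FullName
                        SizeKB   = [math]::Round($_.Length / 1KB, 1)
                        Modified = $_.LastWriteTime
                        Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    }
                }
        }
    }
    return $hits
}

function Get-NonSystemExplorerModules {
    # Assumption: modules loaded from these roots are expected; anything else is
    # triage material (shell extensions from third-party software will show up too).
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\")
    if ($env:ProgramW6432)        { $trusted += "$env:ProgramW6432\" }
    if (${env:ProgramFiles(x86)}) { $trusted += "${env:ProgramFiles(x86)}\" }

    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $procId = $_.Id
        try { $mods = $_.Modules } catch {
            Write-Warning "Cannot enumerate modules of explorer.exe PID $procId (run elevated?)"
            return
        }
        $mods | Where-Object {
            $path = $_.FileName
            -not ($trusted | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
        } | Select-Object @{ n = 'PID'; e = { $procId } }, ModuleName, FileName
    }
}

Write-Host '== Executables in Recycle Bin folders that do not match the deleted-item naming scheme =='
Get-SuspiciousRecycleBinFiles | Format-Table -AutoSize

Write-Host '== Modules loaded in explorer.exe from outside Windows / Program Files =='
Get-NonSystemExplorerModules | Format-Table -AutoSize
```

Anything the first function reports should be hashed and checked against the encyclopedia entry rather than deleted by hand; if the file is genuinely a worm copy, the explorer.exe injection will usually recreate it, which is why the MSRT cleans the running process and the dropped files together.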
Looking at the similarities between the two threats, we could speculate that they were created by the same author(s). As the saying goes: "Birds of a feather".
For more technical details about Win32/Rimecud, please see our encyclopedia description here.
-Marian Radu