In January this year, the MMPC added Win32/Rimecud to MSRT's removal capability. As previously discussed by Marian, this worm propagates mainly via removable devices, IM, and P2P channels; and utilizes backdoor functionality to communicate with a C&C server. It differs from other bots in that it does not use a standard IRC protocol for its command and control functions. Between January and February this year the MSRT alone reported over 1 million distinct machines disinfected from this worm.

Family
Threat Count
Computers cleaned
Win32/Rimecud
1,183,728
1,031,097

The Mariposa botnet criminals presumably use a number of different threats, but it appears to be primarily Win32/Rimecud. It is great to see our industry colleagues moving in the same direction to address these disruptive threats. Rimecud isn't particularly new and the criminals apparently were trading their goodies at their counter. We first observed Win32/Rimecud in November 2008.

Win32/Rimecud reports prior to inclusion in MSRT

As a result of this monitoring and other assessment, we added Rimecud to the MSRT detection list in January. Here is what the MSRT has reported since January this year.

Win32/Rimecud distribution per country/region according to MSRT

The Mariposa botnet criminals also used Win32/Rimecud to further compromise controlled computers by installing additional malware. In reality, this was likely to include several different malware families, but it's been reported that Rimecud may at least have been used to download and install Win32/Tofsee. Microsoft antimalware products such as Microsoft Security Essentials detects this threat.

Many thanks to my colleagues Patrick, Jimmy, and Joe for their insights on the threat event.

Scott Wu -- MMPC