Concrete signature match: Worm - Self-replicating malware for 32-bit Windows platform, family Rimecud
This is a concrete detection of Worm:Win32/Rimecud.B, a malicious program designed to self-propagate across networks and removable media. It primarily spreads via USB drives (leveraging autorun features), peer-to-peer networks, and instant messaging platforms like MSN, indicating a high potential for widespread infection.
Relevant strings associated with this threat:
- USB spreader running (PEHSTR_EXT)
- |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- |#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- }#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- |#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- }#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- |#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- }#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
rule Worm_Win32_Rimecud_B_2147622942_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Worm:Win32/Rimecud.B"
        threat_id = "2147622942"
        type = "Worm"
        platform = "Win32: Windows 32-bit platform"
        family = "Rimecud"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {74 3d e8 00 00 00 00 5e 83 c6 ?? b9 ?? ?? ?? ?? 2b e1 83 ec ?? 8a 43 01 8a ?? 02 f6 d0 02 ?? d0 f8 8a ?? 0e 02 ?? 32 ?? ?? ?? 88 ?? 0c ff e2 f1} //weight: 2, accuracy: Low
        $x_2_2 = {64 8b 0d 30 00 00 00 8b 59 68 89 9d ?? ?? ff ff 8b ?? ?? ?? ff ff 83 ?? 70 74 07} //weight: 2, accuracy: Low
        $x_2_3 = {8b 45 f8 83 c0 01 89 45 f8 81 7d f8 fa ff ff 0f 74 02 eb ec} //weight: 2, accuracy: High
        $x_2_4 = {c6 01 2e 8b 55 10 03 55 f8 c6 42 01 65 8b 45 10 03 45 f8 c6 40 02 78 8b 4d 10 03 4d f8 c6 41 03 65} //weight: 2, accuracy: High
        $x_1_5 = "[AuToRuN]" ascii //weight: 1
        $x_1_6 = "P2P Copy to:" ascii //weight: 1
        $x_1_7 = "MSN spreader running" ascii //weight: 1
        $x_1_8 = "USB spreader running" ascii //weight: 1
        $x_1_9 = "Flood running" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((5 of ($x_1_*))) or
            ((1 of ($x_2_*) and 3 of ($x_1_*))) or
            ((2 of ($x_2_*) and 1 of ($x_1_*))) or
            ((3 of ($x_2_*))) or
            (all of ($x*))
        )
}

Hash: 3ee0fbdb66ac72b439a92b803e4e3390e3b59b4ab43f0cbdb5353d863c70bc65

Immediately isolate any detected systems. Perform a full scan with up-to-date Windows Defender to ensure complete removal. Disable autorun features, apply all available operating system and software updates, and reinforce security awareness regarding suspicious files and the safe handling of removable media.
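The condition block above is the weighted PEHSTR scheme spelled out as combinations: each $x_2_* string carries weight 2, each $x_1_* string weight 1, and the rule fires once the matched weight reaches the threshold of 5 (5 ones, or 2+3, or 4+1, or 6). The following added example, written for this page rather than taken from threatcheck.sh or Microsoft, re-implements that scoring in plain Python using only the strings and weights printed in the rule, converts the `??` wildcards of the hex strings into a bytes regex, and checks that the enumerated clauses are exactly equivalent to "total weight >= 5". The sample buffers are constructed here and are not real malware; for production matching, compile the rule itself with the yara library instead of this mirror.

```python
import re
from itertools import product

# Strings and weights copied from the Worm:Win32/Rimecud.B rule above.
# ASCII markers: name -> (bytes, weight)
ASCII_MARKERS = {
    "$x_1_5": (b"[AuToRuN]", 1),
    "$x_1_6": (b"P2P Copy to:", 1),
    "$x_1_7": (b"MSN spreader running", 1),
    "$x_1_8": (b"USB spreader running", 1),
    "$x_1_9": (b"Flood running", 1),
}
# Hex markers: name -> (YARA hex string, '??' = any single byte, weight)
HEX_MARKERS = {
    "$x_2_1": ("74 3d e8 00 00 00 00 5e 83 c6 ?? b9 ?? ?? ?? ?? 2b e1 83 ec ?? "
               "8a 43 01 8a ?? 02 f6 d0 02 ?? d0 f8 8a ?? 0e 02 ?? 32 ?? ?? ?? "
               "88 ?? 0c ff e2 f1", 2),
    "$x_2_2": ("64 8b 0d 30 00 00 00 8b 59 68 89 9d ?? ?? ff ff 8b ?? ?? ?? "
               "ff ff 83 ?? 70 74 07", 2),
    "$x_2_3": ("8b 45 f8 83 c0 01 89 45 f8 81 7d f8 fa ff ff 0f 74 02 eb ec", 2),
    "$x_2_4": ("c6 01 2e 8b 55 10 03 55 f8 c6 42 01 65 8b 45 10 03 45 f8 "
               "c6 40 02 78 8b 4d 10 03 4d f8 c6 41 03 65", 2),
}
THRESHOLD = 5                    # meta: threshold = "5"
MAX_FILESIZE = 20 * 1024 * 1024  # condition: filesize < 20MB


def hex_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA hex string into a bytes regex; '??' becomes any one byte."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_markers(buf: bytes) -> dict:
    """Return {string_name: weight} for every rule string present in buf."""
    hits = {}
    for name, (needle, weight) in ASCII_MARKERS.items():
        if needle in buf:
            hits[name] = weight
    for name, (pattern, weight) in HEX_MARKERS.items():
        if hex_to_regex(pattern).search(buf):
            hits[name] = weight
    return hits


def condition_enumerated(n2: int, n1: int) -> bool:
    """The rule's condition block, clause by clause (n2 = matched $x_2_*, n1 = matched $x_1_*)."""
    return ((n1 >= 5)
            or (n2 >= 1 and n1 >= 3)
            or (n2 >= 2 and n1 >= 1)
            or (n2 >= 3)
            or (n2 == 4 and n1 == 5))      # all of ($x*)


def condition_weighted(n2: int, n1: int) -> bool:
    """What the clauses encode: weight-2 strings plus weight-1 strings reach the threshold."""
    return 2 * n2 + n1 >= THRESHOLD


def clauses_equal_threshold() -> bool:
    """True if every (n2, n1) combination gives the same verdict under both formulations."""
    return all(condition_enumerated(n2, n1) == condition_weighted(n2, n1)
               for n2, n1 in product(range(5), range(6)))


def matches_rule(buf: bytes) -> bool:
    """Apply the size guard and the weighted-threshold condition to a buffer."""
    if len(buf) >= MAX_FILESIZE:
        return False
    return sum(find_markers(buf).values()) >= THRESHOLD


# Constructed sample buffers (synthetic, not real samples).
# SAMPLE_HIT carries three weight-1 markers and the weight-2 opcode run $x_2_3: weight 5.
SAMPLE_HIT = (b"MZ" + b"\x00" * 60
              + b"USB spreader running\x00"
              + b"P2P Copy to:\x00"
              + b"[AuToRuN]\x00"
              + bytes.fromhex(HEX_MARKERS["$x_2_3"][0])
              + b"\x00" * 16)
# SAMPLE_MISS carries only two weight-1 markers: weight 2, below threshold.
SAMPLE_MISS = b"MZ" + b"\x00" * 60 + b"USB spreader running\x00" + b"Flood running\x00"

if __name__ == "__main__":
    print("clauses == threshold:", clauses_equal_threshold())
    print("SAMPLE_HIT :", find_markers(SAMPLE_HIT), matches_rule(SAMPLE_HIT))
    print("SAMPLE_MISS:", find_markers(SAMPLE_MISS), matches_rule(SAMPLE_MISS))
```

The equivalence check is the useful part for tuning: any change to weights or threshold in the meta block should be mirrored by regenerating the enumerated clauses, otherwise the two drift apart and the rule no longer expresses the intended threshold.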