“rememberthistime” New Malware In the Wild

This morning I got a mail from a friend of mine with the following content.

“I ran into some of your old friends the other day, they wanted me to send you this.”

The email contained an attachment named “rememberthistime.rar”.
 
It seemed a legitimate mail at first glance. Opening the rar file, I found an application that seemed to be a screen saver, named “rememberthistime.scr”. Though it is quite possible that a friend would have compiled a screen saver with old photos, I have a policy of not opening executable files from emails, no matter what they claim to be, so I didn't bother to open it. Soon he sent another mail saying that it is a virus: he had accidentally opened the attachment, which made his Firefox crash, and only later realised that the email had been sent to all the contacts in his account.
A Google search about the file confirmed the suspicion, with reports from many people saying that they had the same problem. It seems to be a new virus, as it is not detected by many antivirus products (see the report from VirusTotal): only 17 out of 41 products detect it. In particular Avast and AVG, commonly used free antivirus products, couldn't detect it, which helps explain the wide spread.
As of now I couldn't find much information about the behaviour and removal of this particular malware.
I have done a quick analysis of the binary. For the exact details go through the links (Anubis, ThreatExpert).

To summarize the findings

1. It creates a startup registry entry, and the following executables are copied into the Windows directory: “services.exe” and “UNSTALVTB16.exe”. Note that the legitimate services.exe (the Windows Service Control Manager) lives in the System32 subdirectory, never directly in the Windows directory, so a services.exe at the root of the Windows directory is the malware's copy, named to blend in.
2. The following processes were created by it: “errdlg.exe”, “SoundMan16.exe”, “SoundMan32.exe”, “services.exe”.

Removal Instructions

1. If you have accidentally clicked on the file, immediately log off from all the signed-in accounts (Gmail, Yahoo, etc.), as the malware seems to use the signed-in sessions to send mails to all your contacts. Once the machine is clean, it is also worth changing the passwords of those accounts, preferably from another computer.

2. Open the Task Manager and end the above processes if they exist. Be careful with services.exe: the real one runs from the System32 directory and must not be killed; end only a services.exe that runs from somewhere else. Since the Task Manager on older Windows versions does not show the image path, a tool such as Process Explorer makes the distinction easier.

3. Open regedit, find and delete the following entries: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}”, “HKEY_LOCAL_MACHINE\SOFTWARE\Application.exe” and “HKEY_LOCAL_MACHINE\SOFTWARE\Application.exe\Application”. It is also worth checking the usual startup locations (the Run keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion) for values pointing at the files in step 4.

4. Delete the files “services.exe” and “UNSTALVTB16.exe” in the Windows directory (e.g. C:\Windows). Do not touch the services.exe in the System32 subdirectory, which is the legitimate Windows component.

5. Update the antivirus you currently use and do a full system scan.

6. It is a good idea to install BitDefender/Spybot S&D/Kaspersky and do a full system scan, as they are known to detect and remove this malware.
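As an added example (my own script, not code from the original post or from the analysis services it links), the following PowerShell script checks for the indicators from the findings list above and carries out steps 2 to 4 of the removal procedure, while protecting the legitimate System32\services.exe. The file, process and registry key names are the ones the post gives; the Run-key check is an assumption, since the post mentions a startup entry without naming it. PowerShell was not on every machine of that era, so on an older system the same checks can be done by hand with Process Explorer and regedit.

```powershell
# Added example, not part of the original post: triage/cleanup for the indicators
# listed above. Indicator names come from the post; the registry key paths are the
# post's with backslashes restored. The Run-key check is an assumption (the post
# only says "a startup registry entry" without naming it).
# Run from an elevated prompt. Without -Remove it only reports; with -Remove it
# acts, and -Remove -WhatIf shows what it would do without doing it.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$winDir  = $env:SystemRoot
$realScm = Join-Path $winDir 'System32\services.exe'   # the legitimate Service Control Manager

# Files the post reports being dropped directly into the Windows directory.
$droppedFiles = @('services.exe', 'UNSTALVTB16.exe') | ForEach-Object { Join-Path $winDir $_ }

# Process names the post reports. 'services' is also a legitimate name, so it is
# judged by its image path rather than by name.
$procNames = @('errdlg', 'SoundMan16', 'SoundMan32', 'services')

# Keys from step 3. Removing SOFTWARE\Application.exe recursively also removes
# its \Application subkey.
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}',
    'HKLM:\SOFTWARE\Application.exe'
)
# Assumed startup locations (not named in the post).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Processes first, so the files are no longer in use when they are deleted.
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $path = $p.Path   # $null when the process cannot be opened
    if ($p.Name -ieq 'services') {
        if (-not $path) { Write-Warning "services.exe PID $($p.Id): path unreadable, leaving it alone"; continue }
        if ($path -ieq $realScm) { continue }   # the real SCM: never kill it
    }
    $findings.Add("process: $($p.Name) (PID $($p.Id)) $path")
    if ($Remove -and $PSCmdlet.ShouldProcess("$($p.Name) PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. Registry keys from step 3, plus any Run value that points at the dropped files.
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings.Add("registry key: $k")
        if ($Remove -and $PSCmdlet.ShouldProcess($k, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath $k -Recurse -Force
        }
    }
}
foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $item = Get-Item -LiteralPath $rk
    foreach ($name in $item.GetValueNames()) {
        $val = [string]$item.GetValue($name)
        foreach ($f in $droppedFiles) {
            if ($val -like "*$f*") {
                $findings.Add("startup value: $rk\$name = $val")
                if ($Remove -and $PSCmdlet.ShouldProcess("$rk\$name", 'Remove-ItemProperty')) {
                    Remove-ItemProperty -LiteralPath $rk -Name $name
                }
            }
        }
    }
}

# 3. The dropped files themselves; $droppedFiles never includes System32\services.exe.
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("file: $f")
        if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt: with no switches it only lists what it finds, `-Remove -WhatIf` prints the actions it would take, and `-Remove` performs them. Steps 1, 5 and 6 (logging out of web mail and scanning with an updated antivirus) are still done by hand.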

Hope this will help someone to remove the malware in time, before it does further damage.

[Update: just now got the analysis from Joebox; upon execution the malware seems to produce an error like this]


3 Responses to “rememberthistime” New Malware In the Wild

  1. Joseph says:

    Mucha nice article once again. I had read a Sameer blog about the same topic. But this is better!

  2. @jojo..thanx again 🙂

  3. arun says:

    After making the above changes, will Firefox function properly?
