

VIRUS ALERTS

Worm:W32/Zimuse

Original issue date: January 27, 2010

It has been reported that variants of the Zimuse worm are spreading widely. The worm destructively overwrites the Master Boot Record (MBR) of the disk drives on the infected system.

The worm spreads by being embedded in legitimate websites as a self-extracting ZIP file or as an IQ test program, or via removable media such as USB devices.

Aliases:

Worm:Win32/Zumes.A (Microsoft), W32/Zimuse (McAfee, Symantec), Trojan.Generic.1729691 (BitDefender), W32/Threat-SysVenFakP-based!Maximus (F-Prot)

Upon execution the worm:

  • Displays a fake WinZip dialogue box

  • Creates the following directories:
    • C:\IQTEST
    • %ProgramFiles%\Dump

  • Drops the following files:
    • %windir%\system32\drivers\Mstart.sys
    • %ProgramFiles%\Dump\Dump.exe
    • %windir%\system32\drivers\Mseu.sys
    • %windir%\system32\tokset.dll
    • %windir%\system32\ainf.inf
    • %SystemDrive%\IQTEST\Iqtest.exe
    • %windir%\system32\Mseus.exe

  • Drops the following non-malicious files and opens an Explorer window to show the contents of the directory:
    • C:\IQTEST\Iqtest.exe
    • C:\IQTEST\Readme

  • Installs the following system drivers:
    • %system%\drivers\Mstart.sys, MSTART
    • %system%\drivers\Mseu.sys, MSEU

  • Creates the following registry keys and values:
    • HKLM\System\CurrentControlSet\Services\EventLog\System\MSTART
    • HKLM\System\CurrentControlSet\Services\MSTART
    • HKLM\System\CurrentControlSet\Services\MSTART\Security
    • HKLM\System\CurrentControlSet\Services\Mseu
    • HKLM\system\currentcontrolset\services\UnzipService
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Dump" = "%ProgramFiles%\Dump\Dump.exe"

  • Drops a copy of the worm (zipsetup.exe, 197052 bytes) and an autorun.inf file into the root directory of all drives if the system date and time meet a certain condition

  • If the current system date and time match a particular condition, it overwrites the MBR, displays a message on screen, and makes the system unbootable on the next boot
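The indicators listed above (process name, dropped files, services, registry keys and the drive-root spreader copy) can be checked on a Windows host with the following read-only PowerShell script. It is an added example, not part of the CERT-In advisory or any vendor tool; every path, service and value name it looks for is taken from the list above, and the environment variables (%windir%, %ProgramFiles%, %SystemDrive%) are resolved the way the advisory writes them. It should be run from an elevated session so that driver and service entries are readable, and a clean result means only that these specific artifacts are absent.

```powershell
# Added example (not from the CERT-In advisory): read-only check of a Windows
# host for the Zimuse indicators listed in the advisory. Run as Administrator.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Running process named in the advisory (Mseus.exe)
if (Get-Process -Name 'Mseus' -ErrorAction SilentlyContinue) {
    $findings.Add('Process Mseus.exe is running')
}

# 2. Dropped directories and files (paths as listed in the advisory)
$paths = @(
    "$env:SystemDrive\IQTEST",
    "$env:ProgramFiles\Dump",
    "$env:ProgramFiles\Dump\Dump.exe",
    "$env:windir\system32\drivers\Mstart.sys",
    "$env:windir\system32\drivers\Mseu.sys",
    "$env:windir\system32\tokset.dll",
    "$env:windir\system32\ainf.inf",
    "$env:windir\system32\Mseus.exe",
    "$env:SystemDrive\IQTEST\Iqtest.exe"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Artifact present: $p") }
}

# 3. Services / drivers registered under the names the advisory gives
foreach ($svc in 'MSTART', 'Mseu', 'UnzipService') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        $findings.Add("Service registered: $svc")
    }
}

# 4. Registry keys and the Run value listed in the advisory
$regKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System\MSTART',
    'HKLM:\SYSTEM\CurrentControlSet\Services\MSTART',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Mseu',
    'HKLM:\SYSTEM\CurrentControlSet\Services\UnzipService'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
}
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Dump']) {
    $findings.Add("Run value 'Dump' = $($run.Dump)")
}

# 5. Spreader copy on every drive root: zipsetup.exe (advisory: 197052 bytes) and autorun.inf
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    $copy = Join-Path $root 'zipsetup.exe'
    $auto = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $copy) {
        $size = (Get-Item -LiteralPath $copy).Length
        $findings.Add("zipsetup.exe on $root ($size bytes; advisory lists 197052)")
    }
    if (Test-Path -LiteralPath $auto) { $findings.Add("autorun.inf on $root") }
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No Zimuse indicators found.'
} else {
    Write-Warning "Zimuse indicators found on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Because the MBR overwrite is triggered by a date/time condition rather than at first run, a host that reports the files or services above should be treated as armed even though it still boots; stop the process and remove the artifacts before the trigger date rather than waiting for symptoms.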


In view of the rapid propagation of the Zimuse worm, users are advised to implement the following countermeasures:

  • Use Task Manager or Process Explorer to kill the "MSEUS.EXE" process.
  • Search for the malicious files and registry entries created by the worm and delete them.
  • Delete all instances of zipsetup.exe in the root folders of all drives, as well as the accompanying autorun.inf files.
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Use caution when opening attachments and accepting file transfers.
  • Disable autorun.
  • Keep up to date on patches and fixes for the operating system and the above-mentioned vulnerabilities.
  • Install and maintain a firewall at desktop level.
  • Use caution when clicking on links to web pages.
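The first, third and sixth countermeasures above can be scripted for an elevated PowerShell session as follows. This is an added example, not a CERT-In or vendor removal tool: it stops the Mseus.exe process, removes zipsetup.exe and autorun.inf from every drive root, and disables AutoRun by policy. The registry value it sets, NoDriveTypeAutoRun = 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, is Microsoft's documented setting for disabling AutoRun on all drive types and is not mentioned in the advisory itself. Pass -WhatIf to see what would be changed without changing anything.

```powershell
# Added example (not from the CERT-In advisory): scripted clean-up of the
# process and drive-root artifacts named in the countermeasures, plus the
# "Disable autorun" policy setting. Run from an elevated PowerShell session;
# supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Countermeasure 1: stop the worm's process so its files can be deleted.
$proc = Get-Process -Name 'Mseus' -ErrorAction SilentlyContinue
if ($proc) {
    if ($PSCmdlet.ShouldProcess('Mseus.exe', 'Stop process')) {
        $proc | Stop-Process -Force
        Write-Output 'Stopped Mseus.exe'
    }
}

# Countermeasure 3: remove the spreader copy (zipsetup.exe) and autorun.inf
# from the root of every file-system drive, including removable ones.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'zipsetup.exe', 'autorun.inf') {
        $path = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $path) {
            if ($PSCmdlet.ShouldProcess($path, 'Delete')) {
                # -Force also removes hidden/read-only copies
                Remove-Item -LiteralPath $path -Force
                Write-Output "Deleted $path"
            }
        }
    }
}

# Countermeasure 6: disable AutoRun for all drive types by policy.
# NoDriveTypeAutoRun = 0xFF (255) is the value Microsoft documents for "all drives".
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if ($PSCmdlet.ShouldProcess($policyKey, 'Set NoDriveTypeAutoRun = 0xFF')) {
    if (-not (Test-Path -LiteralPath $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value 0xFF -Force | Out-Null
    # Read the value back to confirm the change took effect
    $v = (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
    Write-Output "NoDriveTypeAutoRun is now $v (255 = AutoRun disabled on all drive types)"
}
```

An autorun.inf on a drive root is not always malicious (some vendor-supplied USB devices and installation discs carry one), so on a shared or multi-purpose machine run the script with -WhatIf first and review the list before deleting. The dropped files, drivers and registry keys from the behaviour list above still have to be removed separately, and the policy change takes effect for Explorer after the next logon.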

References

http://vil.nai.com/vil/content/v_254683.htm
http://www.symantec.com/security_response/writeup.jsp?docid=2010-012301-1138-99&tabid=2
http://www.threatexpert.com/report.aspx?md5=63a6a43f94c06334e3b9249d374b8114
http://www.f-secure.com/v-descs/worm_w32_zimuse_a.shtml

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003