Win32/Zimuse [Threat Name]

Win32/Zimuse.A [Threat Variant Name]

Available cleaner: Zimuse Cleaner

Category: worm
Size: 195072 B
Detection created: Jan 08, 2010
Signature database version: 4754
Aliases: Trojan.Startpage.G (Symantec)
         Trojan.Generic.1729691 (BitDefender)
         W32/Threat-SysVenFakP-based!Maximus (F-Prot)
Short description

Win32/Zimuse.A is a worm that overwrites the MBR (Master Boot Record) of all available drives with its own data. The file is run-time compressed using PECompact.

Installation

When executed, the worm creates the following files:

  • %system%\drivers\Mstart.sys (13100 B)
  • %system%\drivers\Mseu.sys (18188 B)
  • %system%\mseus.exe (69632 B)
  • %system%\tokset.dll (195072 B)
  • %system%\ainf.inf (41 B)
  • %programfiles%\Dump\Dump.exe (28672 B)
  • %temp%\Mseu.ini (225 B)
  • %temp%\mseus.ini (328 B)
  • %temp%\Instdrv.exe (44552 B)
  • %temp%\Dump.ini (275 B)
  • %temp%\Regini.exe (68880 B)

The worm displays the following dialog box:

It installs the following system drivers (path, service name):

  • %system%\drivers\Mstart.sys, MSTART
  • %system%\drivers\Mseu.sys, MSEU

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Dump" = "%programfiles%\Dump\Dump.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "MSTART"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000]
    • "Service" = "MSTART"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "MSTART"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu]
    • "Type" = 1
    • "Start" = 2
    • "ErrorControl" = 1
    • "Tag" = 1
    • "Group" = "Extended base"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum]
    • "0" = "Root\LEGACY_MSTART\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security]
    • "Security" = "%hex_str%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\drivers\MSTART.SYS"
    • "DisplayName" = "MSTART"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService]
    • "Type" = 272
    • "Start" = 2
    • "ImagePath" = "%system%\Mseus.exe"
    • "ErrorControl" = 0
    • "DisplayName" = "Self extract service"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Self extract archive decrypt"
    • "ft1" = %datetime1%
    • "ft2" = %datetime2%

%datetime1% and %datetime2% stand for strings with variable content; %hex_str% stands for the binary security descriptor stored in the "Security" value.
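The service entries above are the persistence set a responder would hunt for. The following is an added example, not code from the page, ESET or the worm: it parses a .reg export of the Services keys, decodes the Type and Start dwords (the page lists them in decimal; 272 is 0x110, SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, and Type 1 is a kernel driver) and reports the three Zimuse service names when their ImagePath matches the file the page lists. The .reg text is constructed to mirror the values above (the Security, ft1/ft2 and Enum entries are left out); one ImagePath is written as hex(2) UTF-16LE the way reg.exe exports REG_EXPAND_SZ, and all function names are my own.

```python
"""Triage check for the Zimuse.A service set from a .reg export.
Added example, not code from the page or the worm; SAMPLE_REG is constructed."""
import re

# Bits of a service's "Type" dword and values of "Start", as defined in winsvc.h.
SERVICE_TYPES = {0x001: "KERNEL_DRIVER", 0x002: "FILE_SYSTEM_DRIVER",
                 0x010: "WIN32_OWN_PROCESS", 0x020: "WIN32_SHARE_PROCESS",
                 0x100: "INTERACTIVE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

# Service name (upper-cased) -> image file name the page lists for it.
# Mseu has no ImagePath on the page, so its presence alone is reported.
ZIMUSE_SERVICES = {"MSTART": "mstart.sys", "MSEU": None, "UNZIPSERVICE": "mseus.exe"}

# Constructed: what `reg export HKLM\SYSTEM\CurrentControlSet\Services` would hold
# for the three services above plus one benign service. UnzipService's ImagePath
# is written as hex(2) (REG_EXPAND_SZ, UTF-16LE) the way reg.exe exports it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"="%system%\\drivers\\MSTART.SYS"
"DisplayName"="MSTART"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"Tag"=dword:00000001
"Group"="Extended base"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,25,00,5c,00,4d,00,\
  73,00,65,00,75,00,73,00,2e,00,65,00,78,00,65,00,00,00
"ErrorControl"=dword:00000000
"DisplayName"="Self extract service"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"ObjectName"="LocalSystem"
'''


def parse_reg(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.
    Handles "name"="string", "name"=dword:XXXXXXXX and "name"=hex(2):..
    (UTF-16LE bytes, possibly continued over lines ending in a backslash)."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):             # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if not m or current is None:
            continue
        name, val = m.groups()
        if val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in val[7:].split(",") if b)
            keys[current][name] = data.decode("utf-16-le").rstrip("\x00")
        elif val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys


def decode_service(values):
    """Turn the raw Type/Start dwords into the names an analyst reads."""
    t = values.get("Type", 0)
    flags = [n for bit, n in SERVICE_TYPES.items() if t & bit]
    return {"type": "|".join(flags) or hex(t),
            "start": START_TYPES.get(values.get("Start"), "?"),
            "image": values.get("ImagePath", ""),
            "account": values.get("ObjectName", "")}


def flag_zimuse(keys):
    """Return [(service name, decoded values)] for keys matching the Zimuse set."""
    hits = []
    for path, values in keys.items():
        name = path.rsplit("\\", 1)[-1]
        if name.upper() not in ZIMUSE_SERVICES:
            continue
        svc = decode_service(values)
        expected = ZIMUSE_SERVICES[name.upper()]
        if expected is None or svc["image"].rsplit("\\", 1)[-1].lower() == expected:
            hits.append((name, svc))
    return hits


if __name__ == "__main__":
    for name, svc in flag_zimuse(parse_reg(SAMPLE_REG)):
        print(name, svc)
```

On a live host the same input comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services out.reg /y` (reg.exe writes UTF-16 with a BOM, so open it with `encoding="utf-16"`); on an offline image, export the SYSTEM hive from a clean boot environment instead of trusting the infected system, since MSTART and MSEU are kernel drivers that load before any user-mode tool runs.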

Spreading

The worm copies itself into the root folder of each of the following drives: A:\, B:\, C:\, D:\, E:\, F:\, G:\, H:\, I:\, J:\, K:\. It uses the following name:

  • zipsetup.exe (195072 B)

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
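A check for the spreading pattern above on a removable drive, added here as an example (not code from the page or the worm). The page does not show the autorun.inf content, only that one is dropped next to zipsetup.exe, so the autorun.inf text and the directory listing below are constructed; the check parses the [autorun] section tolerantly, extracts every key that causes a file to launch (open, shellexecute and shell\<verb>\command) and reports when the target is the 195072-byte zipsetup.exe the page lists. Function names are my own.

```python
"""Inspect a drive root for autorun.inf launching the Zimuse dropper.
Added example; the autorun.inf text and file listing are constructed."""
import ntpath

ZIMUSE_DROPPER = ("zipsetup.exe", 195072)   # name and size listed on the page

# Constructed drive root: {file name (lower-case): size in bytes}
SAMPLE_ROOT = {"zipsetup.exe": 195072, "autorun.inf": 70, "holiday.jpg": 88231}

# Constructed autorun.inf (the real one is not shown on the page).
SAMPLE_AUTORUN = """[autorun]
open=zipsetup.exe
shell\\open\\command=zipsetup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun(text):
    """Tolerant INI parse: the [autorun] key/value pairs with lower-cased keys.
    Comments, blank lines and other sections are ignored."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launch_targets(entries):
    """(key, executable) for every key AutoRun/AutoPlay would execute."""
    targets = []
    for key, value in entries.items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value:
            targets.append((key, value.split()[0]))   # drop arguments
    return targets


def inspect_drive(root_files, autorun_text):
    """Return (key, target, verdict) per launch key; 'zimuse' marks the
    exact name+size pair from the page."""
    findings = []
    for key, exe in launch_targets(parse_autorun(autorun_text)):
        name = ntpath.basename(exe).lower()
        size = root_files.get(name)
        if size is None:
            findings.append((key, exe, "target missing"))
        elif (name, size) == ZIMUSE_DROPPER:
            findings.append((key, exe, "zimuse"))
        else:
            findings.append((key, exe, "launches %d-byte %s" % (size, name)))
    return findings


if __name__ == "__main__":
    for finding in inspect_drive(SAMPLE_ROOT, SAMPLE_AUTORUN):
        print(finding)
```

For a real drive, build the listing with `{e.name.lower(): e.stat().st_size for e in os.scandir("E:\\")}` and read `E:\autorun.inf` with `errors="replace"`, since dropped autorun.inf files often carry binary padding. Note that a hit here only says the media would launch the dropper on a host that still honours AutoRun; on hosts where the Explorer policy NoDriveTypeAutoRun is set to 0xFF (or that have the Microsoft AutoRun hardening applied), insertion alone does not execute it, but the files still need to be removed.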

Payload information

If the current system date and time match certain conditions, the worm overwrites the MBR (Master Boot Record) of the available drives with its own data.

The worm can also overwrite the entire contents of the drives with its own data.
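A responder who suspects this payload has fired wants to look at sector 0 of each disk from a clean boot environment. The following is an added example, not code from the page or the worm: it decodes the four partition entries of a 512-byte MBR and reports the anomalies an overwrite leaves behind (missing 0x55AA signature, status bytes other than 0x00/0x80, several bootable entries, overlapping or zero-length extents). Both sector images are constructed: one plausible MBR with a single active NTFS partition, and one filled with a repeating marker standing in for whatever data the worm writes, which the page does not show. Function names are my own.

```python
"""Sanity-check sector 0 for signs that the MBR has been overwritten.
Added example; both sample sectors below are constructed."""
import struct

SECTOR = 512
PART_TABLE_OFF = 446           # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIG = b"\x55\xaa"         # at offset 510


def parse_partitions(sector):
    """Decode the four primary entries: status, type, LBA start, sector count
    (the two 3-byte CHS fields are skipped)."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return parts


def analyze_mbr(sector):
    """Return a list of anomaly strings; an empty list means sector 0 still
    looks like an intact MBR."""
    if len(sector) != SECTOR:
        return ["sector is %d bytes, expected 512" % len(sector)]
    problems = []
    if sector[510:512] != BOOT_SIG:
        problems.append("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    bootable = 0
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            problems.append("entry %d: invalid status byte 0x%02x" % (i, p["status"]))
        if p["status"] == 0x80:
            bootable += 1
        if p["type"] == 0 and (p["lba"] or p["count"]):
            problems.append("entry %d: type 0 but non-zero extent" % i)
        if p["type"] != 0 and (p["lba"] == 0 or p["count"] == 0):
            problems.append("entry %d: used entry with zero start or length" % i)
    if bootable > 1:
        problems.append("%d entries flagged bootable" % bootable)
    used = [p for p in parts if p["type"] != 0]
    spans = sorted((p["lba"], p["lba"] + p["count"]) for p in used)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append("overlapping partitions at LBA %d" % s2)
    if not used and sector[510:512] == BOOT_SIG:
        problems.append("valid signature but empty partition table")
    return problems


def build_sample_mbr():
    """Constructed intact MBR: a boot-code stub, one active NTFS (0x07)
    partition starting at LBA 2048 and spanning 2 GiB, correct signature."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\x33\xc0\x8e"                    # xor ax,ax; mov ... stub
    entry = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                        2048, 2 * 1024 * 1024 * 1024 // 512)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def build_overwritten_mbr():
    """Constructed destroyed sector: sector 0 replaced by a repeating filler,
    standing in for the worm's own data (not shown on the page)."""
    return (b"ZIMUSE!!" * 64)[:SECTOR]


if __name__ == "__main__":
    print("intact:", analyze_mbr(build_sample_mbr()))
    print("overwritten:", analyze_mbr(build_overwritten_mbr()))
```

Feed it the first 512 bytes of a disk image (`analyze_mbr(open("disk.img", "rb").read(512))`) or, from a live Windows rescue environment with administrative rights, of `\\.\PhysicalDrive0`. A GPT disk passes these checks through its protective MBR (a single type 0xEE entry), and an empty list is only evidence that the partition table is well-formed, not that the boot code is the original one; if the second payload (overwriting whole drives) ran, the volumes behind the entries will be unreadable regardless of what sector 0 says.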


Example:

The worm displays the following message:

Other information

The worm may delete the following files:

  • C:\BOOT.INI
  • C:\NTDETECT.COM
  • C:\NTLDR
  • C:\HYBERFILE.SYS
  • C:\BOOTMGR
  • C:\BOOTMGR.BAK
  • C:\BOOTSECT
  • C:\BOOTSECT.BAK
  • C:\System Volume Information\*.*
  • D:\System Volume Information\*.*
  • E:\System Volume Information\*.*
  • F:\System Volume Information\*.*
  • G:\System Volume Information\*.*
  • H:\System Volume Information\*.*
  • I:\System Volume Information\*.*
  • J:\System Volume Information\*.*
  • C:\Documents and Settings\Administrator\My Documents\*.*
  • D:\Documents and Settings\Administrator\My Documents\*.*
  • E:\Documents and Settings\Administrator\My Documents\*.*
  • F:\Documents and Settings\Administrator\My Documents\*.*
  • G:\Documents and Settings\Administrator\My Documents\*.*
  • H:\Documents and Settings\Administrator\My Documents\*.*
  • I:\Documents and Settings\Administrator\My Documents\*.*
  • J:\Documents and Settings\Administrator\My Documents\*.*
  • C:\Users\Administrator\*.*
  • D:\Users\Administrator\*.*
  • E:\Users\Administrator\*.*
  • F:\Users\Administrator\*.*
  • G:\Users\Administrator\*.*
  • H:\Users\Administrator\*.*
  • I:\Users\Administrator\*.*
  • J:\Users\Administrator\*.*
  • C:\Documents and Settings\*.*
  • D:\Documents and Settings\*.*
  • E:\Documents and Settings\*.*
  • F:\Documents and Settings\*.*
  • G:\Documents and Settings\*.*
  • H:\Documents and Settings\*.*
  • I:\Documents and Settings\*.*
  • J:\Documents and Settings\*.*
  • C:\Users\*.*
  • D:\Users\*.*
  • E:\Users\*.*
  • F:\Users\*.*
  • G:\Users\*.*
  • H:\Users\*.*
  • I:\Users\*.*
  • J:\Users\*.*
  • %systemroot%\system32\drivers\*.*
  • %systemroot%\system32\CONFIG\*.*
  • %systemroot%\system32\*.*
