Win32/Zimuse [Threat Name]

Win32/Zimuse.C [Threat Variant Name]

Category: worm
Size: 2674688 B
Detection created: Jan 10, 2013
Detection database version: 7881
Short description

Win32/Zimuse.C is a worm that spreads via shared folders and removable media.

Installation

When executed, the worm creates the following files:

  • %windir%\System32\drivers\Repod.sys (7656 B)
  • %windir%\System32\drivers\Fw.sys (11032 B)
  • %windir%\System32\fws.exe (233529 B)
  • %windir%\System32\ftp2.exe (1155072 B)
  • %windir%\System32\zv.pdf (347049 B)
  • %windir%\System32\vi.pdf (471770 B)
  • %windir%\System32\vo.pdf (71021 B)
  • %programfiles%\CAB\Cab.exe (28672 B)
  • %programfiles%\CAB\pesc.exe (98304 B)
  • %programfiles%\CAB\zv.pdf (347049 B)
  • %programfiles%\CAB\vi.pdf (471770 B)
  • %programfiles%\CAB\vo.pdf (71021 B)
  • %temp%\Instdrv.exe (44552 B)
  • %temp%\Regini.exe (68880 B)
  • %temp%\fws.ini (290 B)
  • %temp%\Fw.ini (223 B)

The worm copies itself to the following locations:

  • %programfiles%\CAB\fwset.exe

The worm may create the following files:

  • C:\User program Files\Cab\Cab.exe (28672 B)
  • C:\User program Files\Cab\svchost.exe (1155072 B)
  • C:\User program Files\Cab\zv.pdf (347049 B)
  • C:\User program Files\Cab\vi.pdf (471770 B)
  • C:\User program Files\Cab\vo.pdf (71021 B)
  • %programfiles%\Cab\svchost.exe
  • %programfiles%\Cab\kbdsl1.dll (6656 B)
  • %programfiles%\Cab\kbdsl.dll (6656 B)
  • %programfiles%\Cab\kbdus.dll (5632 B)

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Cab" = "%programfiles%\Cab\Cab.exe"
    • "Cabi" = "%programfiles%\Cab\Svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "svchst" = "%programfiles%\Cab\svchost.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fwsrv]
    • "Type" = 272
    • "Start" = 2
    • "ImagePath" = "System32\Fws.exe"
    • "ErrorControl" = 0
    • "DisplayName" = "Fw service"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Fw system"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fw]
    • "Type" = 1
    • "Start" = 2
    • "ErrorControl" = 1
    • "Tag" = 1
    • "Group" = "Extended base"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
    • "CheckedValue" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0

Spreading

Win32/Zimuse.C is a worm that spreads via shared folders and removable media.

The following filenames are used:

  • %removabledrive%\What's new.exe
  • %sharedfolder%\What's new.exe

The following file is dropped in the same folder:

  • zv.pdf (347049 B)
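A read-only host triage check for the artifacts listed in the Installation and Spreading sections (dropped files with their stated sizes, the Run-key values, the Fwsrv and Fw service keys, the Explorer folder-view settings, and the "What's new.exe" copy on removable media). This is an added example, not part of the ESET description and not the worm's own code. It assumes an elevated 64-bit PowerShell 5.1 or later session on the suspect host, that %windir%, %programfiles% and %temp% expand as they did for the infected account, and that the `$findings` list and `$droppedFiles` table (constructed here from the page's values) are the only state it needs.

```powershell
# Added triage script (example, not ESET's or the worm's code). Reports only;
# it removes nothing. Run from a 64-bit elevated PowerShell: a 32-bit host
# process would redirect System32 to SysWOW64 and %programfiles% to the x86
# folder, so paths from the description would not be checked where they live.

$findings = New-Object System.Collections.Generic.List[string]

# Dropped files from the Installation section, with the sizes the page lists
# ($null where the page gives no size). Keys are constructed from the page.
$droppedFiles = @{
    '%windir%\System32\drivers\Repod.sys' = 7656
    '%windir%\System32\drivers\Fw.sys'    = 11032
    '%windir%\System32\fws.exe'           = 233529
    '%windir%\System32\ftp2.exe'          = 1155072
    '%programfiles%\CAB\Cab.exe'          = 28672
    '%programfiles%\CAB\pesc.exe'         = 98304
    '%programfiles%\CAB\fwset.exe'        = $null
    '%programfiles%\Cab\svchost.exe'      = $null
    '%programfiles%\Cab\kbdus.dll'        = 5632
    'C:\User program Files\Cab\Cab.exe'   = 28672
    '%temp%\Instdrv.exe'                  = 44552
    '%temp%\Regini.exe'                   = 68880
    '%temp%\fws.ini'                      = 290
    '%temp%\Fw.ini'                       = 223
}

foreach ($entry in $droppedFiles.GetEnumerator()) {
    $path = [Environment]::ExpandEnvironmentVariables($entry.Key)
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        # A size mismatch is still worth reporting; it may be another variant.
        $note = if ($entry.Value -and $size -ne $entry.Value) {
            " (size $size B differs from listed $($entry.Value) B)"
        } else { '' }
        $findings.Add("file present: $path$note")
    }
}

# Persistence: the three autorun values the description names.
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Cab' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Cabi' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'svchst' }
)
foreach ($rv in $runValues) {
    $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings.Add("autorun value: $($rv.Key)\$($rv.Name) = $($item.($rv.Name))")
    }
}

# Service keys: Fwsrv (user-mode, ImagePath System32\Fws.exe) and Fw (driver).
foreach ($svc in 'Fwsrv', 'Fw') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        $findings.Add("service key: $key (ImagePath='$($props.ImagePath)', Start=$($props.Start), Type=$($props.Type))")
    }
}

# Explorer folder-view tampering. The worm writes CheckedValue=1 under
# HideFileExt and CheckedValue=0 under Hidden\SHOWALL, so ticking the usual
# "show hidden files / show extensions" boxes no longer reveals its files.
$folder = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
$hideExt = (Get-ItemProperty -Path "$folder\HideFileExt" -ErrorAction SilentlyContinue).CheckedValue
$showAll = (Get-ItemProperty -Path "$folder\Hidden\SHOWALL" -ErrorAction SilentlyContinue).CheckedValue
if ($hideExt -eq 1) { $findings.Add("Explorer HideFileExt\CheckedValue = 1 (matches the description)") }
if ($showAll -eq 0) { $findings.Add("Explorer Hidden\SHOWALL\CheckedValue = 0 (matches the description)") }

# Spreading artifact on removable drives (DriveType 2): the worm copy and the
# zv.pdf dropped beside it.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    foreach ($name in "What's new.exe", 'zv.pdf') {
        $candidate = Join-Path -Path $_.DeviceID -ChildPath $name
        if (Test-Path -LiteralPath $candidate) { $findings.Add("removable media: $candidate") }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Zimuse.C artifacts found.' } else { $findings }
```

Treat any hit as a reason to isolate the host and take a memory and disk image before cleaning, since the description also lists a keylogger, webcam capture and file exfiltration; and do not rely on System Restore for recovery, because the worm may delete the System Volume Information folders that hold restore points.
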

Information stealing

The worm collects the following information:

  • network adapter information
  • environment variables
  • computer name
  • user name
  • computer IP address
  • information about the operating system and system settings

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a URL. The HTTP and FTP protocols are used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of files on a specific drive to a remote computer
  • capture webcam video/voice
  • log keystrokes
  • send files to a remote computer
  • update itself to a newer version
  • show fake alerts
  • shut down/restart the computer

The worm may delete files stored in the following folders:

  • C:\System Volume Information\
  • D:\System Volume Information\
  • E:\System Volume Information\
  • F:\System Volume Information\
  • G:\System Volume Information\
  • H:\System Volume Information\
  • I:\System Volume Information\
  • J:\System Volume Information\

The worm may cause the operating system to crash.
