Win32/Zimuse [Threat Name]
Win32/Zimuse.A [Threat Variant Name]
Available cleaner | Zimuse Cleaner
Category | worm
Size | 195072 B
Aliases | Trojan.Startpage.G (Symantec), Trojan.Generic.1729691 (BitDefender), W32/Threat-SysVenFakP-based!Maximus (F-Prot)
Short description
Win32/Zimuse.A is a worm that overwrites the MBR (Master Boot Record) of all available drives with its own data. The file is run-time compressed using PECompact.
Installation
When executed, the worm creates the following files:
- %system%\drivers\Mstart.sys (13100 B)
- %system%\drivers\Mseu.sys (18188 B)
- %system%\mseus.exe (69632 B)
- %system%\tokset.dll (195072 B)
- %system%\ainf.inf (41 B)
- %programfiles%\Dump\Dump.exe (28672 B)
- %temp%\Mseu.ini (225 B)
- %temp%\mseus.ini (328 B)
- %temp%\Instdrv.exe (44552 B)
- %temp%\Dump.ini (275 B)
- %temp%\Regini.exe (68880 B)
The worm displays a dialog box (screenshot not reproduced here).
The worm installs the following system drivers (path, service name):
- %system%\drivers\Mstart.sys, MSTART
- %system%\drivers\Mseu.sys, MSEU
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Dump" = "%programfiles%\Dump\Dump.exe"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control]
- "*NewlyCreated*" = 0
- "ActiveService" = "MSTART"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000]
- "Service" = "MSTART"
- "Legacy" = 1
- "ConfigFlags" = 0
- "Class" = "LegacyDriver"
- "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- "DeviceDesc" = "MSTART"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART]
- "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu]
- "Type" = 1
- "Start" = 2
- "ErrorControl" = 1
- "Tag" = 1
- "Group" = "Extended base"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum]
- "0" = "Root\LEGACY_MSTART\0000"
- "Count" = 1
- "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security]
- "Security" = "%hex_str%"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
- "Type" = 1
- "Start" = 3
- "ErrorControl" = 1
- "ImagePath" = "%system%\drivers\MSTART.SYS"
- "DisplayName" = "MSTART"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService]
- "Type" = 272
- "Start" = 2
- "ImagePath" = "%system%\Mseus.exe"
- "ErrorControl" = 0
- "DisplayName" = "Self extract service"
- "ObjectName" = "LocalSystem"
- "Description" = "Self extract archive decrypt"
- "ft1" = %datetime1%
- "ft2" = %datetime2%
%datetime1% and %datetime2% stand for strings with variable content. The service values above carry their standard Windows meanings: Type 1 is a kernel-mode driver and Type 272 (0x110) a Win32 service running in its own process with the interactive flag set; Start 2 is automatic start at boot and Start 3 is start on demand. The Run value and the two automatic-start services (Mseu, UnzipService) are therefore three independent persistence points that all have to be removed.
Spreading
The worm copies itself into the root folders of the following drives A:\, B:\, C:\, D:\, E:\, F:\, G:\, H:\, I:\, J:\, K:\ using the following name:
- zipsetup.exe (195072 B)
The following file is dropped in the same folder:
- autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into a computer on which AutoRun is enabled for that drive type. Windows 7 and later, and older systems with the AutoRun update applied, ignore autorun.inf on removable (non-optical) media, so the root copy has to be launched manually there.
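The installation and spreading artefacts above are the host indicators a responder checks first. The following Python script is an added example (not ESET's tooling and not code from the worm): it matches the dropped files, the Run value, the three service keys and the root-of-drive copy against a registry/file snapshot. The placeholder expansions for a default English install and the sample snapshot are constructed assumptions; on a live host you would feed it parsed `reg query` output and a directory walk instead.

```python
import re
from typing import Dict, List

# Indicators transcribed from the description above; the %placeholders%
# are kept as written there and expanded only when matching.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("Dump", r"%programfiles%\Dump\Dump.exe")
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SERVICE_NAMES = ("MSTART", "Mseu", "UnzipService")
DROPPED_FILES = {  # path -> expected size in bytes
    r"%system%\drivers\Mstart.sys": 13100,
    r"%system%\drivers\Mseu.sys": 18188,
    r"%system%\mseus.exe": 69632,
    r"%system%\tokset.dll": 195072,
    r"%system%\ainf.inf": 41,
    r"%programfiles%\Dump\Dump.exe": 28672,
    r"%temp%\Instdrv.exe": 44552,
    r"%temp%\Regini.exe": 68880,
}
ROOT_COPY = ("zipsetup.exe", 195072)

# Assumed expansions for a default English install (assumption, not from the page).
PLACEHOLDERS = {
    "%system%": r"C:\Windows\system32",
    "%programfiles%": r"C:\Program Files",
    "%temp%": r"C:\Windows\Temp",
}


def expand(path: str) -> str:
    """Expand the page's placeholders and lower-case for case-insensitive matching."""
    for token, value in PLACEHOLDERS.items():
        path = path.replace(token, value)
    return path.lower()


def check_registry(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """reg maps key path -> {value name: data}, e.g. parsed from `reg query` output."""
    hits: List[str] = []
    keys = {k.lower(): v for k, v in reg.items()}
    run = {n.lower(): d for n, d in keys.get(RUN_KEY.lower(), {}).items()}
    name, data = RUN_VALUE
    if run.get(name.lower(), "").lower() == expand(data):
        hits.append(f"Run value {name} = {run[name.lower()]}")
    for svc in SERVICE_NAMES:
        values = keys.get(f"{SERVICES_KEY}\\{svc}".lower())
        if values is not None:
            hits.append(f"service {svc} (ImagePath {values.get('ImagePath', '<none>')})")
    return hits


def check_files(listing: Dict[str, int]) -> List[str]:
    """listing maps full path -> size in bytes, e.g. from a recursive directory walk."""
    hits: List[str] = []
    files = {p.lower(): s for p, s in listing.items()}
    for path, size in DROPPED_FILES.items():
        actual = files.get(expand(path))
        if actual is not None:
            note = "" if actual == size else f" (size {actual}, expected {size})"
            hits.append(f"dropped file {path}{note}")
    # Spreading artefact: the root-of-drive copy, with autorun.inf beside it.
    name, size = ROOT_COPY
    for path, actual in files.items():
        m = re.fullmatch(r"([a-z]:\\)" + re.escape(name), path)
        if m and actual == size:
            with_autorun = f"{m.group(1)}autorun.inf" in files
            hits.append(f"root copy {path}" + (" with autorun.inf" if with_autorun else ""))
    return hits


# Constructed snapshot resembling an infected host; not captured from a real machine.
SAMPLE_REG = {
    RUN_KEY: {"Dump": r"C:\Program Files\Dump\Dump.exe"},
    SERVICES_KEY + r"\MSTART": {"ImagePath": r"C:\Windows\system32\drivers\MSTART.SYS", "Start": "3"},
    SERVICES_KEY + r"\UnzipService": {"ImagePath": r"C:\Windows\system32\Mseus.exe", "Start": "2"},
    SERVICES_KEY + r"\Mseu": {"Start": "2"},
}
SAMPLE_FILES = {
    r"C:\Windows\system32\drivers\Mstart.sys": 13100,
    r"C:\Windows\system32\tokset.dll": 195072,
    r"C:\Program Files\Dump\Dump.exe": 28672,
    r"E:\zipsetup.exe": 195072,
    r"E:\autorun.inf": 60,
    r"C:\Windows\system32\kernel32.dll": 989696,   # benign file, must not match
}

if __name__ == "__main__":
    for hit in check_registry(SAMPLE_REG) + check_files(SAMPLE_FILES):
        print("HIT:", hit)
```

Sizes are compared as well as names because the page gives them; a size mismatch is reported rather than suppressed, since a repacked variant would keep the path but not the byte count.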
Payload information
If the current system date and time matches certain conditions, the worm overwrites the MBR (Master Boot Record) of available drives with its own data.
The worm can also overwrite the entire contents of the drives with its own data.
The worm then displays a message (screenshot not reproduced here).
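The MBR overwrite is the damage a responder has to confirm from a rescue environment before attempting repair. The following Python is an added example (not ESET's cleaner and not the worm's code): it parses a 512-byte sector 0, runs structural sanity checks that a sane MBR passes and a sector overwritten with foreign data fails, and diffs the sector region by region against a known-good backup so that a legitimate disk-signature change is not mistaken for an overwrite. The sample sectors are constructed.

```python
import struct
from typing import Dict, List

SECTOR = 512
PTABLE_OFF = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
VALID_BOOT_FLAGS = {0x00, 0x80}
REGIONS = {               # offsets used when diffing against a backup
    "boot code": (0, 440),
    "disk signature": (440, 446),   # NT disk signature + 2 reserved bytes
    "partition table": (446, 510),
    "signature": (510, 512),
}


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Split a 512-byte MBR into boot code, four partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        boot, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        partitions.append({"boot": boot, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": sector[:PTABLE_OFF], "partitions": partitions,
            "signature": sector[510:512]}


def mbr_problems(sector: bytes) -> List[str]:
    """Structural checks a sane MBR passes; a sector overwritten with foreign data fails them."""
    mbr = parse_mbr(sector)
    problems: List[str] = []
    if mbr["signature"] != SIGNATURE:
        problems.append("missing 0x55AA signature")
    parts = mbr["partitions"]
    if all(p["type"] == 0 for p in parts):
        problems.append("empty partition table")
    for i, p in enumerate(parts):
        if p["boot"] not in VALID_BOOT_FLAGS:
            problems.append(f"entry {i}: invalid boot flag 0x{p['boot']:02x}")
        if p["type"] != 0 and (p["lba"] == 0 or p["sectors"] == 0):
            problems.append(f"entry {i}: used entry with zero start or length")
    if sum(p["boot"] == 0x80 for p in parts) > 1:
        problems.append("more than one active partition")
    return problems


def differs_from_backup(sector: bytes, backup: bytes) -> List[str]:
    """Name the regions that differ from a known-good copy of sector 0.
    The disk signature may change legitimately; boot code or table changes should not."""
    return [name for name, (lo, hi) in REGIONS.items() if sector[lo:hi] != backup[lo:hi]]


def _entry(boot: int, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", boot, ptype, lba, count)


# Constructed samples (not captured from a real disk or from the worm).
CLEAN_MBR = (b"\x00" * PTABLE_OFF
             + _entry(0x80, 0x07, 2048, 1_000_000)   # one active NTFS partition
             + _entry(0, 0, 0, 0) * 3
             + SIGNATURE)
JUNK_MBR = bytes(range(256)) * 2                     # table and signature gone

if __name__ == "__main__":
    print("clean:", mbr_problems(CLEAN_MBR) or "no problems")
    print("junk :", mbr_problems(JUNK_MBR))
    resigned = bytearray(CLEAN_MBR)
    resigned[440:444] = b"\x11\x22\x33\x44"          # only the NT disk signature changed
    print("changed regions:", differs_from_backup(bytes(resigned), CLEAN_MBR))
```

On a live system the sector is read with administrator rights, e.g. `open(r"\\.\PhysicalDrive0", "rb").read(512)` on Windows or `open("/dev/sda", "rb").read(512)` from a Linux rescue disk; the backup should come from an image taken before the incident, since a standard boot-code rewrite will not restore a partition table that was overwritten along with the boot code.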
Other information
The worm may delete the following files:
- C:\BOOT.INI
- C:\NTDETECT.COM
- C:\NTLDR
- C:\HYBERFILE.SYS
- C:\BOOTMGR
- C:\BOOTMGR.BAK
- C:\BOOTSECT
- C:\BOOTSECT.BAK
- C:\System Volume Information\*.*
- D:\System Volume Information\*.*
- E:\System Volume Information\*.*
- F:\System Volume Information\*.*
- G:\System Volume Information\*.*
- H:\System Volume Information\*.*
- I:\System Volume Information\*.*
- J:\System Volume Information\*.*
- C:\Documents and Settings\Administrator\My Documents\*.*
- D:\Documents and Settings\Administrator\My Documents\*.*
- E:\Documents and Settings\Administrator\My Documents\*.*
- F:\Documents and Settings\Administrator\My Documents\*.*
- G:\Documents and Settings\Administrator\My Documents\*.*
- H:\Documents and Settings\Administrator\My Documents\*.*
- I:\Documents and Settings\Administrator\My Documents\*.*
- J:\Documents and Settings\Administrator\My Documents\*.*
- C:\Users\Administrator\*.*
- D:\Users\Administrator\*.*
- E:\Users\Administrator\*.*
- F:\Users\Administrator\*.*
- G:\Users\Administrator\*.*
- H:\Users\Administrator\*.*
- I:\Users\Administrator\*.*
- J:\Users\Administrator\*.*
- C:\Documents and Settings\*.*
- D:\Documents and Settings\*.*
- E:\Documents and Settings\*.*
- F:\Documents and Settings\*.*
- G:\Documents and Settings\*.*
- H:\Documents and Settings\*.*
- I:\Documents and Settings\*.*
- J:\Documents and Settings\*.*
- C:\Users\*.*
- D:\Users\*.*
- E:\Users\*.*
- F:\Users\*.*
- G:\Users\*.*
- H:\Users\*.*
- I:\Users\*.*
- J:\Users\*.*
- %systemroot%\system32\drivers\*.*
- %systemroot%\system32\CONFIG\*.*
- %systemroot%\system32\*.*