Win32/Zimuse [Threat Name]
Win32/Zimuse.C [Threat Variant Name]
Category: worm
Size: 2674688 B
Short description
Win32/Zimuse.C is a worm that spreads via shared folders and removable media.
Installation
When executed, the worm creates the following files:
- %windir%\System32\drivers\Repod.sys (7656 B)
- %windir%\System32\drivers\Fw.sys (11032 B)
- %windir%\System32\fws.exe (233529 B)
- %windir%\System32\ftp2.exe (1155072 B)
- %windir%\System32\zv.pdf (347049 B)
- %windir%\System32\vi.pdf (471770 B)
- %windir%\System32\vo.pdf (71021 B)
- %programfiles%\CAB\Cab.exe (28672 B)
- %programfiles%\CAB\pesc.exe (98304 B)
- %programfiles%\CAB\zv.pdf (347049 B)
- %programfiles%\CAB\vi.pdf (471770 B)
- %programfiles%\CAB\vo.pdf (71021 B)
- %temp%\Instdrv.exe (44552 B)
- %temp%\Regini.exe (68880 B)
- %temp%\fws.ini (290 B)
- %temp%\Fw.ini (223 B)
The worm copies itself to the following locations:
- %programfiles%\CAB\fwset.exe
The worm may create the following files:
- C:\User program Files\Cab\Cab.exe (28672 B)
- C:\User program Files\Cab\svchost.exe (1155072 B)
- C:\User program Files\Cab\zv.pdf (347049 B)
- C:\User program Files\Cab\vi.pdf (471770 B)
- C:\User program Files\Cab\vo.pdf (71021 B)
- %programfiles%\Cab\svchost.exe
- %programfiles%\Cab\kbdsl1.dll (6656 B)
- %programfiles%\Cab\kbdsl.dll (6656 B)
- %programfiles%\Cab\kbdus.dll (5632 B)
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Cab" = "%programfiles%\Cab\Cab.exe"
- "Cabi" = "%programfiles%\Cab\Svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "svchst" = "%programfiles%\Cab\svchost.exe"
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fwsrv]
- "Type" = 272
- "Start" = 2
- "ImagePath" = "System32\Fws.exe"
- "ErrorControl" = 0
- "DisplayName" = "Fw service"
- "ObjectName" = "LocalSystem"
- "Description" = "Fw system"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fw]
- "Type" = 1
- "Start" = 2
- "ErrorControl" = 1
- "Tag" = 1
- "Group" = "Extended base"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
- "CheckedValue" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
- "CheckedValue" = 0
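A host-triage check for the persistence artifacts listed above, written for this page as an added example (it is not ESET's tooling). It assumes the default %programfiles% and %windir% locations and is run from an elevated PowerShell, reporting each Run value, service key and dropped file it finds rather than removing anything:

```powershell
# Constructed triage script for the Win32/Zimuse.C artifacts described above.
# It only reports; remediation is left to the analyst.
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Cab' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Cabi' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'svchst' }
)
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Fwsrv',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Fw'
)
# Dropped binaries and drivers; NTFS paths are case-insensitive, so Cab/CAB both match.
$files = @(
    "$env:ProgramFiles\Cab\Cab.exe",
    "$env:ProgramFiles\Cab\svchost.exe",
    "$env:ProgramFiles\Cab\fwset.exe",
    "$env:windir\System32\fws.exe",
    "$env:windir\System32\ftp2.exe",
    "$env:windir\System32\drivers\Fw.sys",
    "$env:windir\System32\drivers\Repod.sys"
)
$findings = @()
foreach ($v in $runValues) {
    # -Name with SilentlyContinue yields $null when the value is absent.
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) { $findings += "Run value $($v.Key)\$($v.Name) = $($item.$($v.Name))" }
}
foreach ($k in $serviceKeys) {
    if (Test-Path -Path $k) {
        $img = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ImagePath
        $findings += "Service key $k (ImagePath: $img)"
    }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}
# The worm sets SHOWALL\CheckedValue to 0 so "Show hidden files" no longer works;
# the stock value is 1, so 0 is worth flagging even without the other artifacts.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($checked -eq 0) { $findings += "Explorer SHOWALL\CheckedValue is 0 (hidden-file view disabled)" }
if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Zimuse.C persistence artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```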
Spreading
Win32/Zimuse.C is a worm that spreads via shared folders and removable media.
The following filenames are used:
- %removabledrive%\What's new.exe
- %sharedfolder%\What's new.exe
The following file is dropped in the same folder:
- zv.pdf (347049 B)
Information stealing
The worm collects the following information:
- network adapter information
- environment variables
- computer name
- user name
- computer IP address
- information about the operating system and system settings
The worm attempts to send gathered information to a remote machine.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a URL. The HTTP and FTP protocols are used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send the list of files on a specific drive to a remote computer
- capture webcam video/voice
- log keystrokes
- send files to a remote computer
- update itself to a newer version
- show fake alerts
- shut down/restart the computer
The worm may delete files stored in the following folders:
- C:\System Volume Information\
- D:\System Volume Information\
- E:\System Volume Information\
- F:\System Volume Information\
- G:\System Volume Information\
- H:\System Volume Information\
- I:\System Volume Information\
- J:\System Volume Information\
The worm may cause the operating system to crash.