Worm:W32/Zimuse

http://www.cert-in.org.in/virus/W32_Zimuse.htm
Original issue date: January 27, 2010

It has been reported that variants of the Zimuse worm are spreading widely. The worm performs a destructive overwrite of the Master Boot Record (MBR) of the disk drives on the infected system.

The worm spreads by being embedded in legitimate websites as a self-extracting ZIP file or as an IQ test program, or via removable media such as USB devices.

Aliases:
Worm:Win32/Zumes.A (Microsoft), W32/Zimuse (McAfee, Symantec), Trojan.Generic.1729691 (BitDefender), W32/Threat-SysVenFakP-based!Maximus (F-Prot)

Upon execution the worm:
Displays a fake WinZip dialogue box (screenshot available in the original advisory: http://www.cert-in.org.in/virus/W32_Zimuse.htm)

Creates the following directories
C:\IQTEST
%ProgramFiles%\Dump

Drops the following files
%windir%\system32\drivers\Mstart.sys
%ProgramFiles%\Dump\Dump.exe
%windir%\system32\drivers\Mseu.sys
%windir%\system32\tokset.dll
%windir%\system32\ainf.inf
%SystemDrive%\IQTEST\Iqtest.exe
%windir%\system32\Mseus.exe

Drops the following non-malicious files and opens an Explorer window to show their contents:
C:\IQTEST\Iqtest.exe
C:\IQTEST\Readme

Installs the following system drivers
%system%\drivers\Mstart.sys, MSTART
%system%\drivers\Mseu.sys, MSEU

Creates the following registry values
HKLM\System\CurrentControlSet\Services\EventLog\System\MSTART
HKLM\System\CurrentControlSet\Services\MSTART
HKLM\System\CurrentControlSet\Services\MSTART\Security
HKLM\System\CurrentControlSet\Services\Mseu
HKLM\system\currentcontrolset\services\UnzipService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Dump" = "%ProgramFiles%\Dump\Dump.exe"

Drops a copy of the worm (zipsetup.exe, 197052 bytes) and an autorun.inf file into the root directory of all drives if the system date and time meet a certain condition (screenshot available in the original advisory: http://www.cert-in.org.in/virus/W32_Zimuse.htm)

If the current system date and time match a particular condition, it overwrites the MBR and displays the following message, leaving the system unbootable on the next boot (screenshot available in the original advisory: http://www.cert-in.org.in/virus/W32_Zimuse.htm)
In view of the rapid propagation of the Zimuse worm, users are advised to implement the following countermeasures:
Use Task Manager or Process Explorer to kill the "MSEUS.EXE" process.
Search for the malicious files and registry entries created by the worm and delete them.
Delete all instances of zipsetup.exe in the root folders of all drives, as well as the autorun.inf files.
Install and maintain updated anti-virus software at gateway and desktop level.
Use caution when opening attachments and accepting file transfers.
Disable autorun.
Keep up to date on patches and fixes for the operating system and the above-mentioned vulnerabilities.
Install and maintain a firewall at desktop level.
Use caution when clicking on links to web pages.
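A read-only sweep for the indicators listed in this advisory, written here as an added example (it is not part of the CERT-In advisory). It assumes the standard %windir%, %ProgramFiles% and %SystemDrive% environment variables and only reports matches; it removes nothing, so it can be run before the manual cleanup steps above.

```powershell
# Added example, not from the advisory: report Zimuse indicators without changing anything.
$findings = @()

# Dropped files listed in the advisory
$paths = @(
    "$env:windir\system32\drivers\Mstart.sys",
    "$env:windir\system32\drivers\Mseu.sys",
    "$env:windir\system32\tokset.dll",
    "$env:windir\system32\ainf.inf",
    "$env:windir\system32\Mseus.exe",
    "$env:ProgramFiles\Dump\Dump.exe",
    "$env:SystemDrive\IQTEST\Iqtest.exe"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Service / driver keys registered by the worm
foreach ($svc in 'MSTART', 'Mseu', 'UnzipService') {
    if (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") {
        $findings += "Service key present: $svc"
    }
}

# Run-key persistence ("Dump" value)
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Dump']) {
    $findings += "Run value 'Dump' = $($run.Dump)"
}

# Worm process
if (Get-Process -Name 'Mseus' -ErrorAction SilentlyContinue) {
    $findings += "Process running: Mseus.exe"
}

# Worm copy (zipsetup.exe, 197052 bytes per the advisory) and autorun.inf in each drive root
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $copy = Join-Path $drive.Root 'zipsetup.exe'
    if (Test-Path -LiteralPath $copy) {
        $size = (Get-Item -LiteralPath $copy).Length
        $findings += "Worm copy: $copy ($size bytes; advisory lists 197052)"
    }
    if (Test-Path -LiteralPath (Join-Path $drive.Root 'autorun.inf')) {
        $findings += "autorun.inf in drive root: $($drive.Root)"
    }
}

if ($findings.Count -eq 0) { 'No Zimuse indicators found.' } else { $findings }
```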
References
http://vil.nai.com/vil/content/v_254683.htm
http://www.symantec.com/security_response/writeup.jsp?docid=2010-012301-1138-99&tabid=2
http://www.threatexpert.com/report.aspx?md5=63a6a43f94c06334e3b9249d374b8114
http://www.f-secure.com/v-descs/worm_w32_zimuse_a.shtml
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
