Virus alert : Worm:W32/Zimuse

Original issue date: January 27, 2010

It has been reported that variants of the Zimuse worm are spreading widely. The worm performs a destructive overwrite of the Master Boot Record (MBR) of the disk drives on the infected system.

The worm spreads by being embedded in legitimate websites in the form of a self-extracting ZIP file or an "IQ test" program, or via removable media such as USB devices.

Worm:Win32/Zumes.A (Microsoft), W32/Zimuse (McAfee, Symantec), Trojan.Generic.1729691 (BitDefender), W32/Threat-SysVenFakP-based!Maximus (F-Prot)

Upon execution the worm:
Displays a fake WinZip dialogue box.

Creates the following directories:
C:\IQTEST
%ProgramFiles%\Dump

Drops the following files:

Drops the following non-malicious file and opens an Explorer window to show its contents:

Installs the following system drivers (file, service name):
%system%\drivers\Mstart.sys, MSTART
%system%\drivers\Mseu.sys, MSEU

Creates the registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “Dump” = “%ProgramFiles%\Dump\Dump.exe”

Drops a copy of the worm (zipsetup.exe, 197052 bytes) and an autorun.inf file into the root directory of all drives if the system date and time meet a certain condition.
If the current system date and time match a particular condition, it overwrites the MBR, displays the following message, and makes the system unbootable on the next boot.

In view of the rapid propagation of the Zimuse worm, users are advised to
implement the following countermeasures:
Use Task Manager or Process Explorer to kill the "MSEUS.EXE" process.
Search for the malicious files and registry entries created by the worm and
delete them.
Delete all instances of zipsetup.exe in root folders as well as the
Install and maintain updated anti-virus software at the gateway and on desktops.
Use caution when opening attachments and accepting file transfers.
Disable autorun.
Keep up to date on patches and fixes for the operating system and the above-
mentioned vulnerabilities.
Install and maintain a firewall at the desktop level.
Use caution when clicking on links to web pages.
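The behaviours listed above (directories, driver files, the Run value, the zipsetup.exe copy at drive roots, the autorun.inf, the MSEUS.EXE process) double as host indicators, and the countermeasure "search for the malicious files and registry entries" is easiest to do consistently with a script. The following is an added example, not a tool from the advisory's publisher: it matches a host snapshot against those indicators. The snapshot layout, the `scan_snapshot` function and the sample data are assumptions of this example; the indicator values themselves come from the advisory.

```python
"""Offline indicator check for Worm:W32/Zimuse.

Added example (not the advisory publisher's own tooling). The snapshot
format below is an assumption: a real deployment would fill it from a
directory walk, a registry export and a process listing, then run
scan_snapshot() on it. Environment-variable style paths (%system%,
%ProgramFiles%) are kept exactly as the advisory writes them.
"""
import ntpath
import re

# Indicators taken from the advisory text
IOC_DIRS = {r"C:\IQTEST", r"%ProgramFiles%\Dump"}
IOC_DRIVERS = {r"%system%\drivers\Mstart.sys", r"%system%\drivers\Mseu.sys"}
IOC_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = ("Dump", r"%ProgramFiles%\Dump\Dump.exe")
IOC_PROCESS = "MSEUS.EXE"
IOC_DROPPER = "zipsetup.exe"
IOC_DROPPER_SIZE = 197052  # bytes, as stated in the advisory


def _norm(path):
    """Case-insensitive, backslash-only form so snapshot paths compare reliably."""
    return path.replace("/", "\\").rstrip("\\").lower()


def scan_snapshot(snapshot):
    """Return a list of (indicator_type, detail) tuples for every match.

    snapshot keys (all optional):
      "dirs":      list of directory paths present on the host
      "files":     dict {path: size_in_bytes}
      "registry":  dict {key_path: {value_name: data}}
      "processes": list of running image names
      "autorun":   dict {drive_root: autorun.inf content}
    """
    findings = []

    dirs = {_norm(d) for d in snapshot.get("dirs", [])}
    for d in IOC_DIRS:
        if _norm(d) in dirs:
            findings.append(("directory", d))

    files = {_norm(p): size for p, size in snapshot.get("files", {}).items()}
    for drv in IOC_DRIVERS:
        if _norm(drv) in files:
            findings.append(("driver", drv))

    # Dropper copy sitting directly in a drive root (C:\, D:\ ...). The size is
    # a secondary signal: report a root-level zipsetup.exe either way, but note
    # when it differs from the advertised 197052 bytes.
    for path, size in files.items():
        if (ntpath.basename(path) == IOC_DROPPER
                and re.fullmatch(r"[a-z]:\\?", ntpath.dirname(path))):
            note = "" if size == IOC_DROPPER_SIZE else ", size differs"
            findings.append(("dropper", f"{path} ({size} B{note})"))

    run_values = snapshot.get("registry", {}).get(IOC_RUN_KEY, {})
    name, data = IOC_RUN_VALUE
    if name in run_values and _norm(run_values[name]) == _norm(data):
        findings.append(("registry", f"{IOC_RUN_KEY}\\{name}"))

    procs = {p.lower() for p in snapshot.get("processes", [])}
    if IOC_PROCESS.lower() in procs:
        findings.append(("process", IOC_PROCESS))

    # autorun.inf that launches the dropper via an open= or shellexecute= line
    for root, content in snapshot.get("autorun", {}).items():
        if re.search(r"(?im)^\s*(open|shellexecute)\s*=.*zipsetup\.exe", content):
            findings.append(("autorun.inf", root))

    return findings


# Constructed sample snapshot (not a real capture) that trips six indicators;
# the zipsetup.exe under C:\Users is deliberately NOT at a drive root.
SAMPLE_SNAPSHOT = {
    "dirs": [r"C:\IQTEST", r"C:\Windows"],
    "files": {
        r"%system%\drivers\Mseu.sys": 12288,
        r"D:\zipsetup.exe": 197052,
        r"C:\Users\alice\Downloads\zipsetup.exe": 197052,
    },
    "registry": {IOC_RUN_KEY: {"Dump": r"%ProgramFiles%\Dump\Dump.exe"}},
    "processes": ["explorer.exe", "mseus.exe"],
    "autorun": {r"D:\\": "[autorun]\r\nopen=zipsetup.exe\r\n"},
}

if __name__ == "__main__":
    for kind, detail in scan_snapshot(SAMPLE_SNAPSHOT):
        print(f"{kind:12} {detail}")
```

The matcher deliberately reports partial evidence (a driver without the Run value, a root-level zipsetup.exe of a different size) rather than requiring every indicator, since a cleanup that removed some artefacts or a variant with a different payload size would otherwise go unnoticed; an analyst then decides which findings warrant the removal steps above.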
The information provided herein is on “as is” basis, without warranty of
any kind.