W32/Zimuse
- Type
- Virus
- SubType
- Worm
- Discovery Date
- 01/25/2010
- Length
- Minimum DAT
- 5873 (01/26/2010)
- Updated DAT
- 5874 (01/27/2010)
- Minimum Engine
- 5.3.00
- Description Added
- 01/25/2010
- Description Modified
- 02/01/2010 7:23 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
-- Update January 26, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2010/01/25/slovak_biker_destructive_worm/
Upon execution, the malware drops the following files:
- %windir%\system32\drivers\Mstart.sys
- %ProgramFiles%\Dump\Dump.exe
- %windir%\system32\drivers\Mseu.sys
- %windir%\system32\tokset.dll
- %windir%\system32\ainf.inf
- %SystemDrive%\IQTEST\Iqtest.exe
- %windir%\system32\Mseus.exe
It creates the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART
  - "Type" = "0x1"
  - "Start" = "0x3"
  - "ImagePath" = "%windir%\system32\drivers\Mstart.sys"
  - "ErrorControl" = "0x1"
  - "DisplayName" = "MSTART"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnzipService
  - "Type" = "0x110"
  - "Start" = "0x2"
  - "ImagePath" = "System32\Mseus.exe"
  - "ErrorControl" = "0x0"
  - "DisplayName" = "Self extract service"
  - "ObjectName" = "LocalSystem"
  - "Description" = "Self extract archive decrypt"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - "Dump" = "%ProgramFiles%\Dump\Dump.exe"
The MSTART entry (Type 0x1, Start 0x3) registers Mstart.sys as a demand-start kernel-mode driver; the UnzipService entry (Type 0x110, Start 0x2, ObjectName LocalSystem) registers Mseus.exe as an auto-start, interactive Win32 service running as SYSTEM; the Run value relaunches Dump.exe at every user logon. On a running system HKLM\SYSTEM\CurrentControlSet is a link to the active control set (commonly ControlSet001), so the same service keys are also visible under CurrentControlSet\Services.
Symptoms
Presence of files and registry entries mentioned
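The following PowerShell script is an added example, not code from the McAfee advisory, that checks a host for the files, service keys and Run value listed above and decodes the service Type and Start values into readable names. The function names (Test-ZimuseFiles, Test-ZimuseServices, Test-ZimuseRunKey, ConvertFrom-ServiceType) are this example's own; it assumes an elevated PowerShell 4.0 or later session (Get-FileHash requires 4.0) and checks CurrentControlSet alongside the numbered control sets the advisory names.

```powershell
# Added example: host check for the W32/Zimuse artifacts listed in the advisory above.
# Not McAfee's code. Run from an elevated PowerShell 4.0+ session (Get-FileHash needs 4.0).
$ErrorActionPreference = 'SilentlyContinue'

# Dropped files exactly as listed; environment variables are expanded at run time.
$droppedFiles = @(
    '%windir%\system32\drivers\Mstart.sys',
    '%ProgramFiles%\Dump\Dump.exe',
    '%windir%\system32\drivers\Mseu.sys',
    '%windir%\system32\tokset.dll',
    '%windir%\system32\ainf.inf',
    '%SystemDrive%\IQTEST\Iqtest.exe',
    '%windir%\system32\Mseus.exe'
)

# Service keys. The advisory names ControlSet001; CurrentControlSet is a link to whichever
# control set is active, so the live set is checked as well as the numbered ones.
$serviceNames = @('MSTART', 'UnzipService')
$controlSets  = @('CurrentControlSet', 'ControlSet001', 'ControlSet002')

# Run-key persistence for Dump.exe.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'Dump'

# Decode the SERVICE_* Type bit flags and the Start value into readable names.
function ConvertFrom-ServiceType([int]$Type) {
    $names = @()
    if ($Type -band 0x1)   { $names += 'KernelDriver' }
    if ($Type -band 0x2)   { $names += 'FileSystemDriver' }
    if ($Type -band 0x10)  { $names += 'Win32OwnProcess' }
    if ($Type -band 0x20)  { $names += 'Win32ShareProcess' }
    if ($Type -band 0x100) { $names += 'Interactive' }
    if ($names.Count -eq 0) { $names += ('Unknown(0x{0:X})' -f $Type) }
    return ($names -join '+')
}
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Test-ZimuseFiles {
    foreach ($f in $droppedFiles) {
        $path = [Environment]::ExpandEnvironmentVariables($f)
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Indicator = 'File'
                Location  = $path
                Detail    = ('{0} bytes, SHA256 {1}' -f $item.Length, $hash)
            }
        }
    }
}

function Test-ZimuseServices {
    foreach ($cs in $controlSets) {
        foreach ($svc in $serviceNames) {
            $key = "HKLM:\SYSTEM\$cs\Services\$svc"
            if (Test-Path -LiteralPath $key) {
                $p = Get-ItemProperty -LiteralPath $key
                $detail = 'Type={0} Start={1} ImagePath={2} ObjectName={3}' -f (ConvertFrom-ServiceType $p.Type), $startNames[[int]$p.Start], $p.ImagePath, $p.ObjectName
                [pscustomobject]@{
                    Indicator = 'Service'
                    Location  = $key
                    Detail    = $detail
                }
            }
        }
    }
}

function Test-ZimuseRunKey {
    $p = Get-ItemProperty -LiteralPath $runKey
    if ($p -and $p.PSObject.Properties[$runValue]) {
        [pscustomobject]@{
            Indicator = 'RunKey'
            Location  = "$runKey\$runValue"
            Detail    = $p.$runValue
        }
    }
}

$findings = @(Test-ZimuseFiles) + @(Test-ZimuseServices) + @(Test-ZimuseRunKey)
if ($findings.Count -eq 0) {
    'No W32/Zimuse artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
    # Get-Service does not list kernel drivers, so query Win32_SystemDriver for MSTART separately;
    # a loaded driver means the host must be treated as compromised even after the file is deleted.
    Get-CimInstance Win32_SystemDriver -Filter "Name='MSTART'" | Select-Object Name, State, PathName
    Get-Service -Name 'UnzipService' | Select-Object Name, Status
}
```

The file check hashes anything it finds so the sample can be submitted or compared against vendor signatures; the registry check reports each control set separately because a key that survives only in a non-current control set can still be reactivated by a "Last Known Good" boot.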
Method of Infection
This worm spreads via infected removable drives, which is its intended propagation method.
Alternatively, it may be installed by visiting a malicious web page, either by clicking a link or through a scripted exploit hosted on the site that installs the worm with no user interaction.
Removal
AVERT recommends always using the latest DATs and engine. This threat is detected and cleaned with the minimum DAT and engine versions listed above, or any later combination.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Additional Windows ME/XP removal considerations
On Windows ME and XP, System Restore keeps copies of changed system files in restore points that on-demand scanners generally cannot remove, so a cleaned system can be reinfected by restoring to an infected point. Disable System Restore before scanning and cleaning, then re-enable it once the scan reports clean.