W32/Zmist.gen
- Type: Virus
- SubType: Win32
- Discovery Date: 01/27/2001
- Length: ~35,000 bytes
- Minimum DAT: 4153 (08/08/2001)
- Updated DAT: 5905 (02/27/2010)
- Minimum Engine: 5.1.00
- Description Added: 03/07/2002
- Description Modified: 05/23/2002 4:52 AM (PT)
Characteristics
-- Update May 23, 2002 --
Because of some reports of files that take a long time to scan, AVERT has changed the Zmist detection in the 4204 DATs so that the more time-consuming detection routines require program heuristics to be turned on. If a computer was infected with Zmist, most of the infected files would be detected in default mode, but some files might require heuristics to be turned on in order to be detected. AVERT is still interested in receiving samples of any files which take an unusually long time to scan. Send them to virus_research@nai.com and mention in your message that you are sending them because of the slow scanning speed.
This virus is a direct-action infector. It is highly polymorphic and uses a unique infection method: it disassembles the host file and embeds itself in many places in the file. The virus consists of a polymorphic decryptor and an encrypted body. What is surprising is that, for a virus of this level of complexity, it is rather stable and does not crash or misinfect files. W32/Zmist uses a special polymorphic engine ("Mistfall") written specifically for this family of viruses by a Russian virus writer who calls himself "Zombie".
As a payload, the virus modifies Win32 files without infecting them. Such modified files are not infectable and are still fully functional, but they carry a lot of rude strings in Russian. Such files are detected as W32/Zmist.xyz. The payload triggers very frequently and is not date-dependent. Although modified files run normally, they should be replaced with clean copies.
At the time of writing this description there are four known variants in the Zmist family. None of them has ever been reported to AVERT from the field. The detection of variants .a, .c and .d is relatively simple. However, detection of the .b variant is less trivial.
Although detection of the .b variant is difficult, AVERT included algorithmic detection for it long ago (in August 2001) using the ActiveDAT technology. As of DAT 4192, we now detect all replicants of all 4 variants in default mode.
Symptoms
Infected files grow in size by approximately 35,000 bytes.
Method of Infection
Removal
All Users:
Use current engine and DAT files for detection. Replace files not cleaned with backup copies.
Variants
- W32/Zmist.a
- W32/Zmist.b
- W32/Zmist.c
- W32/Zmist.d
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W95.ZMist (NAV)
- Win32.ZMist (KAV/AVP)
- Win32.Zombie.Mistfall (DrWeb)