WORM_ZIMUS.A
Windows 98, ME, NT, 2000, XP, Server 2003

Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Trend Micro has flagged this worm as noteworthy due to the increased potential for damage, propagation, or both, that it possesses. Specifically, it deletes important files that are needed during system bootup.
To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm arrives via removable drives. It may be unknowingly downloaded by a user while visiting malicious websites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This worm drops the following copies of itself into the affected system:
- %System%\tokset.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following files:
- %Program Files%\Dump\dump.exe - non-malicious
- %User Temp%\instdrv.exe - non-malicious
- %User Temp%\Regini.exe - non-malicious
- %System%\ainf.inf - copy of autorun.inf
- %System%\drivers\mseu.sys - used by this malware to delete files; also detected as WORM_ZIMUS.A
- %System%\drivers\mstart.sys - used by this malware to delete files; also detected as WORM_ZIMUS.A
- %System%\mseus.exe - contains the main worm routine and MBR infection routine; also detected as WORM_ZIMUS.A
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It creates the following folders:
- %Program Files%\Dump
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\MSTART
(Default) =
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu
(Default) =
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART
(Default) =
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService
(Default) =
It adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dump = %Program Files%\Dump\Dump.exe
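The service keys and Run value listed above are the persistence artifacts a responder would look for on a suspect host. The following is an added example, not code from the Trend Micro write-up: it scans the text of a registry export for those entries. The export embedded below is constructed for the example (a benign DHCP service and ctfmon Run value beside the worm's entries); on a real host the input would come from `reg export HKLM\SYSTEM system.reg` and `reg export HKLM\SOFTWARE software.reg`, concatenated.

```python
"""Added example (not part of the Trend Micro write-up): find the service
keys and Run value attributed to WORM_ZIMUS.A in a Windows .reg export."""
import re
from typing import List

# Names the write-up attributes to this worm (compared case-insensitively).
SUSPECT_SERVICES = {"mseu", "mstart", "unzipservice"}
SUSPECT_RUN_VALUES = {"dump"}

# Constructed .reg export: one legitimate service and one legitimate Run
# value, plus the entries the write-up lists for this worm.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu]
@=""
"ImagePath"="system32\\drivers\\mseu.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\MSTART]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dump"="C:\\Program Files\\Dump\\Dump.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')  # "Name"=data
# Last path component under Services\, allowing the Eventlog\<log>\ prefix
# so that Services\Eventlog\System\MSTART is also caught.
SERVICE_RE = re.compile(r"\\Services\\(?:Eventlog\\[^\\]+\\)?(?P<svc>[^\\]+)$",
                        re.IGNORECASE)
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"


def find_indicators(reg_text: str) -> List[str]:
    """Return one finding string per suspect service key or Run value."""
    findings = []
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            svc = SERVICE_RE.search(current_key)
            if svc and svc.group("svc").lower() in SUSPECT_SERVICES:
                findings.append(f"service key: {current_key}")
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key.lower().endswith(RUN_KEY_SUFFIX):
            if value_match.group("name").lower() in SUSPECT_RUN_VALUES:
                findings.append(
                    f"Run value: {value_match.group('name')} = "
                    f"{value_match.group('data')}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG_EXPORT):
        print(finding)
```

Matching on the last path component (rather than the whole key) keeps the check valid under both the CurrentControlSet alias and the numbered ControlSet00N keys that appear in a full SYSTEM hive export.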
Other System Modifications
This worm deletes the following files:
- %User Temp%\Dump.ini
- %User Temp%\mseu.ini
- %User Temp%\mseus.ini
- %User Temp%\Regini.exe
- %User Temp%\instdrv.exe
- C:\BOOT.INI
- C:\BOOTMGR
- C:\BOOTMGR.BAK
- C:\BOOTSECT
- C:\BOOTSECT.BAK
- C:\Documents and Settings\*.*
- C:\Documents and Settings\Administrator\My Documents\*.*
- C:\HYBERFILE.SYS
- C:\NTDETECT.COM
- C:\NTLDR
- C:\System Volume Information\*.*
- C:\Users\*.*
- C:\Users\Administrator\*.*
- D:\Documents and Settings\*.*
- D:\Documents and Settings\Administrator\My Documents\*.*
- D:\System Volume Information\*.*
- D:\Users\*.*
- D:\Users\Administrator\*.*
- E:\Documents and Settings\*.*
- E:\Documents and Settings\Administrator\My Documents\*.*
- E:\System Volume Information\*.*
- E:\Users\*.*
- E:\Users\Administrator\*.*
- F:\Documents and Settings\*.*
- F:\Documents and Settings\Administrator\My Documents\*.*
- F:\System Volume Information\*.*
- F:\Users\*.*
- F:\Users\Administrator\*.*
- G:\Documents and Settings\*.*
- G:\Documents and Settings\Administrator\My Documents\*.*
- G:\System Volume Information\*.*
- G:\Users\*.*
- G:\Users\Administrator\*.*
- H:\Documents and Settings\*.*
- H:\Documents and Settings\Administrator\My Documents\*.*
- H:\System Volume Information\*.*
- H:\Users\*.*
- H:\Users\Administrator\*.*
- I:\Documents and Settings\*.*
- I:\Documents and Settings\Administrator\My Documents\*.*
- I:\System Volume Information\*.*
- I:\Users\*.*
- I:\Users\Administrator\*.*
- J:\Documents and Settings\*.*
- J:\Documents and Settings\Administrator\My Documents\*.*
- J:\System Volume Information\*.*
- J:\Users\*.*
- J:\Users\Administrator\*.*
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Propagation
This worm drops the following copy of itself in all removable drives:
- zipsetup.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
shellexecute=zipsetup.exe /H
SOLUTION
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Scan your computer with your Trend Micro product and note files detected as WORM_ZIMUS.A