Threat Encyclopedia


Short description
Win32/Zimuse.B is a worm that overwrites the MBR (Master Boot Record) of all available drives with its own data. The file is run-time compressed using PECompact.
Installation
When executed, the worm creates the following files:
  • %system%\drivers\Mstart.sys (13100 B)
  • %system%\drivers\Mseu.sys (18188 B)
  • %system%\mseus.exe (69632 B)
  • %system%\tokset.dll (228352 B)
  • %system%\ainf.inf (41 B)
Installs the following system drivers (path, name):
  • %system%\drivers\Mstart.sys, MSTART
  • %system%\drivers\Mseu.sys, MSEU
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dump" = "%programfiles%\Dump\Dump.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control]
    "*NewlyCreated*" = 0
    "ActiveService" = "MSTART"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000]
A string with variable content is used instead of %datetime1-2%.
Spreading
If the current system date and time match certain conditions, the worm copies itself into the root folders of the drives A:, B:, C:, D:, E:, F:, G:, H:, I:, J: and K: using the following name:
  • zipsetup.exe (228352 B)
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures that it is started each time the infected media is inserted into a computer.
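The Installation and Spreading artifacts listed above can be checked on a host with a short triage script. The following PowerShell is an added example for defenders, not code from the ESET entry; it assumes %system% and %programfiles% map to the standard System32 and Program Files folders and that it is run from an elevated prompt.

```powershell
# Added triage example: looks for the Win32/Zimuse.B artifacts described above.
$sys  = [Environment]::GetFolderPath('System')        # expands %system%
$prog = [Environment]::GetFolderPath('ProgramFiles')  # expands %programfiles%
$findings = @()

# Dropped files (sizes from the entry are shown for comparison, not enforced)
$files = @(
    "$sys\drivers\Mstart.sys", "$sys\drivers\Mseu.sys",
    "$sys\mseus.exe", "$sys\tokset.dll", "$sys\ainf.inf",
    "$prog\Dump\Dump.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $len = (Get-Item -LiteralPath $f).Length
        $findings += "file present: $f ($len B)"
    }
}

# Driver services MSTART / MSEU: kernel drivers are not always listed by
# Get-Service, so check their service keys directly.
foreach ($svc in 'MSTART', 'MSEU') {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") {
        $findings += "driver service registered: $svc"
    }
}
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART') {
    $findings += "legacy enumeration key present: LEGACY_MSTART"
}

# Persistence: the "Dump" value under the HKLM Run key
$run  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dump = Get-ItemProperty -Path $run -Name 'Dump' -ErrorAction SilentlyContinue
if ($dump) { $findings += "Run key value Dump = $($dump.Dump)" }

# Spreading artifacts: zipsetup.exe and autorun.inf in every drive root
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($n in 'zipsetup.exe', 'autorun.inf') {
        $p = Join-Path $d.Root $n
        if (Test-Path -LiteralPath $p) { $findings += "dropper artifact: $p" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Win32/Zimuse.B artifacts found.' }
```

An autorun.inf in a drive root is not proof of infection on its own (some installers ship one), so treat that line as a lead to inspect rather than a verdict.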
Payload information
If the current system date and time matches certain conditions, the worm overwrites the MBR (Master Boot Record) of available drives with its own data.

Example:
The worm displays the following message:
Other information
The worm may delete the following files:
  • C:\BOOT.INI
  • C:\NTDETECT.COM
  • C:\NTLDR
  • C:\HYBERFILE.SYS
  • C:\BOOTMGR