WARNING! Win32.Worm.Zimuse.A – The Hard-Disk Wrecker
According to BitDefender's blog at Malwarecity.com, they have discovered a new worm circulating on the interwebs, which they have dubbed Win32.Worm.Zimuse.A. This worm is unique because it enters users' computers disguised as a harmless IQ test; however, its intentions are quite sinister. As of right now, many antivirus and security programs are not picking it up. It resides on the user's system virtually undetected for a defined period of time before it executes its ridiculous payload.
This unique piece of malware, when executed on a user's system, overwrites the first 50 kb of the MBR (Master Boot Record), which is a key area of the hard drive. It adds itself to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, adds the file dump.exe to the Program Files directory, and creates two driver files, mstart.sys and mseu.sys. These files are then loaded into the kernel at the next reboot. These two files have rootkit-type functionality to hide the presence of this malware.
Please note: These files won't install on Windows Vista x64 or Windows 7 x64 due to PatchGuard not allowing unsigned drivers to load on Windows 64-bit operating systems.
The unique aspect of this malware is that it's the first one in a long time that seems to want to cause massive data loss on a grand scale. In fact, the last malware I can remember that did something like this on a grand scale was the Windows CIH virus, which affected the Windows 9x platform.
Once this worm gets installed and the user reboots his/her system, it sets itself up silently. According to BitDefender, after a predefined number of days, which is 40 days for variant A and 20 days for variant B, it displays a message to the user indicating a problem with the user's computer. This is where the nasty part begins.
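The artifacts named above can be checked for directly. The following PowerShell triage script is an added example, not code from the original post or from BitDefender; it assumes the two drivers sit in System32\drivers and are registered under the Services key, and that dump.exe may be anywhere under Program Files, since the post does not give exact paths.

```powershell
# Added example: triage for the Zimuse artifacts named in the post.
# Assumptions (not from the post): driver location and service registration;
# dump.exe is searched for recursively because its exact folder is not given.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$drivers  = 'mstart.sys', 'mseu.sys'
$findings = @()

function New-Finding($Type, $Item, $Detail) {
    New-Object PSObject -Property @{ Type = $Type; Item = $Item; Detail = $Detail }
}

# 1. Run-key values whose command line references dump.exe
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match '\bdump\.exe\b') { $findings += New-Finding 'RunKey' $name $data }
    }
}

# 2. dump.exe anywhere under the Program Files trees
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    foreach ($f in Get-ChildItem -Path $root -Filter 'dump.exe' -Recurse -Force -ErrorAction SilentlyContinue) {
        $findings += New-Finding 'File' $f.FullName $f.LastWriteTime
    }
}

# 3. The two driver files on disk (assumed location)
foreach ($d in $drivers) {
    $path = Join-Path $env:SystemRoot "System32\drivers\$d"
    if (Test-Path -Path $path) { $findings += New-Finding 'Driver' $path 'file present' }
}

# 4. Service entries whose ImagePath ends in one of the driver names
foreach ($svc in Get-ChildItem -Path $svcKey -ErrorAction SilentlyContinue) {
    $image = [string]$svc.GetValue('ImagePath')
    if ($drivers | Where-Object { $image -like "*\$_" }) {
        $findings += New-Finding 'Service' $svc.PSChildName $image
    }
}

if ($findings) {
    $findings | Format-Table Type, Item, Detail -AutoSize -Wrap
} else {
    'No Zimuse artifacts found. The drivers hide the malware, so re-check from an offline or rescue environment.'
}
```

Because dump.exe is a generic file name, a hit on that check alone needs manual review before it is treated as an infection.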
After this message appears, upon the next reboot of the system the computer is rendered unbootable due to damage to the boot sector of the hard drive. I think this really sucks, and it is the reason why I am spreading the word to people so they can protect themselves.
The video above shows this nasty worm in action.
BitDefender has provided a free removal tool on their web site: the Win32.Worm.Zimuse removal tool can be downloaded from BitDefender and can remove this worm before it causes any damage to your system.
As always, keep your anti-virus and anti-malware software up to date, use a firewall, and keep your Windows Updates from Microsoft patched, as well as keeping all your applications like Flash, Java, etc. updated.
Be careful of this nasty worm. Practice Safe Hex!











Very nice video. I've just eliminated this stupid Win32.Worm.Zimuse.A and I used BitDefender to realize this thing. It was one of the most dangerous infections on my computer in 7-8 years.