Bemused by Zimuse? (Dis is not one half)

Now here's a curiosity.

Win32/Zimuse is a worm that exists in two variants, innovatively entitled Win32/Zimuse.A and Win32/Zimuse.B. In some ways it's a throwback to an earlier age, since it overwrites the Master Boot Record on drives attached to an infected system with its own data, so that data on the system becomes inaccessible without the use of specialized software. Our colleagues in Bratislava have pointed to a certain similarity with an old multipartite file and boot infector called One Half (hence the sly reference in the title of this blog). However, it doesn't work like a traditional boot sector infector, using code in the MBR to infect floppy disks: it spreads either on exchangeable media such as USB devices, or is found embedded on legitimate web sites as a self-extracting .ZIP file or as an IQ test program.

We believe that it originated as a prank in central Slovakia (no, our lab guys didn't write it!) but it's spread from there has been slightly surprising, if not dramatic: right now, the greatest number of infected computers is in the US. Clearly, USB devices remain a significant vector for rapid malware dissemination.

Win32/Zimuse.A starts spreading by USB 10 days after infection, and the destructive routine is executed in 40 days. The .B variant raises the ante by reducing the time before spreading to seven days, and the time to execution of the destructive payload.

Current ESET products already detect these threats, and have published a removal tool at http://www.eset.eu/download/ezimuse-remover. There is more information on the threat itself at http://www.eset.eu/press-computer-worldwide-targetted-by-MBR-Worm.

Hopefully this won't spread too much further. But it's a useful reminder that while most current threats are more interested in stealing your data than trashing it, it's never a bad time to make sure your backup mechanisms are working properly. You do back up your data, don't you?

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/