WORM_ZIMUS.A

Trend Micro has flagged this {malware/spyware type} as noteworthy due to the increased potential for damage, propagation, or both, that it possesses. Specifically,it deletes important files that are needed during in system bootup.

To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm arrives via removable drives. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives via removable drives.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\tokset.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following files:

• %Program Files%\Dump\dump.exe - non-malicious
• %User Temp%\instdrv.exe - non-malicious
• %System%\drivers\mseu.sys - used by this malware to delete files
• %System%\drivers\mstart.sys - used by this malware to delete files
• %System%\mseus.exe - contains the main worm routine and MBR infection routine
• %System%\ainf.inf - copy of autorun.inf
• %User Temp%\Regini.exe - non-malicious file
• %System%\ainf.inf - copy of autorun.inf
• %System%\drivers\mseu.sys - used by this malware to delete files also detected as WORM_ZIMUS.A
• %System%\drivers\mstart.sys - used by this malware to delete files also detected as WORM_ZIMUS.A
• %System%\mseus.exe - contains the main worm routine and MBR infection routine also detected as WORM_ZIMUS.A

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following folders:

• %Program Files%\Dump

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Eventlog\System\
MSTART
(Default) =  

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Mseu
(Default) =  

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSTART
(Default) =  

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UnzipService
(Default) =  

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Dump = %Program Files%\Dump\Dump.exe

Other System Modifications

This worm deletes the following files:

• %User Temp%\Dump.ini
• %User Temp%\mseu.ini
• %User Temp%\mseus.ini
• %User Temp%\Regini.exe
• %User Temp%\instdrv.exe
• C:\BOOT.INI
• C:\BOOTMGR
• C:\BOOTMGR.BAK
• C:\BOOTSECT
• C:\BOOTSECT.BAK
• C:\Documents and Settings\*.*
• C:\Documents and Settings\Administrator\My Documents\*.*
• C:\HYBERFILE.SYS
• C:\NTDETECT.COM
• C:\NTLDR
• C:\System Volume Information\*.*
• C:\Users\*.*
• C:\Users\Administrator\*.*
• D:\Documents and Settings\*.*
• D:\Documents and Settings\Administrator\My Documents\*.*
• D:\System Volume Information\*.*
• D:\Users\*.*
• D:\Users\Administrator\*.*
• E:\Documents and Settings\*.*
• E:\Documents and Settings\Administrator\My Documents\*.*
• E:\System Volume Information\*.*
• E:\Users\*.*
• E:\Users\Administrator\*.*
• F:\Documents and Settings\*.*
• F:\Documents and Settings\Administrator\My Documents\*.*
• F:\System Volume Information\*.*
• F:\Users\*.*
• F:\Users\Administrator\*.*
• G:\Documents and Settings\*.*
• G:\Documents and Settings\Administrator\My Documents\*.*
• G:\System Volume Information\*.*
• G:\Users\*.*
• G:\Users\Administrator\*.*
• H:\Documents and Settings\*.*
• H:\Documents and Settings\Administrator\My Documents\*.*
• H:\System Volume Information\*.*
• H:\Users\*.*
• H:\Users\Administrator\*.*
• I:\Documents and Settings\*.*
• I:\Documents and Settings\Administrator\My Documents\*.*
• I:\System Volume Information\*.*
• I:\Users\*.*
• I:\Users\Administrator\*.*
• J:\Documents and Settings\*.*
• J:\Documents and Settings\Administrator\My Documents\*.*
• J:\System Volume Information\*.*
• J:\Users\*.*
• J:\Users\Administrator\*.*

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• zipsetup.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
shellexecute=zipsetup.exe /H