
Zimuse Removal Tool

Date: 01/26/2010
Author: MalwareCity

A removal tool provided by BitDefender detects and eliminates all traces of the Zimuse worm.

BitDefender identified a new e-threat that combines the destructive behavior of a virus with the spreading mechanisms of a worm. Two variants are known to date.

Worm.Zimuse.A enters the computer disguised as an apparently harmless IQ Test. Once executed, the worm creates between seven and eleven copies of itself (depending on the variant) in critical areas of the Windows system.

In order to stay safe, BitDefender recommends downloading, installing and updating a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection. Users should also employ extra caution when prompted to open files from unfamiliar locations.

BitDefender created a free Zimuse disinfection tool, which is available for download at http://www.zimuse.com/

What are the other names for Worm.Zimuse.A?

Trojan.Startpage.G, Win32/Zimuse.A or Worm:Win32/Zumes.A!sys.

What are the symptoms? How do I find out if I have Worm.Zimuse.A on my PC?

Presence of the following files:
        * %system32%\drivers\mstart.sys
        * %system32%\drivers\mseu.sys

A technical description of Worm.Zimuse.A:

The malware comes as an application with a WinZip icon in order to trick the user into running it. To look even more like a self-extracting archive, it displays a dialog box asking for a password in order to unzip the package contents.

      Once executed, the application checks its command-line parameters; if the '/Z' switch is present, it deletes all the files, registry keys and services it created during a previous infection (this is its own disinfection mode).

      If no disinfection switch is given, it takes the following actions:
      * it checks whether it is already set to run at startup, by looking for an entry named 'Dump' under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run;
      * if no previous infection is found, it infects the computer.

      Infection of the computer consists of:
         * dropping the following files:
             - %system32%\drivers\mstart.sys (from which it creates and starts a service named 'mstart')
             - %program-files%\Dump\dump.exe
             - %Temp%\Dump.ini
             - %Temp%\Regini.exe
             - %system32%\drivers\mseu.sys
             - %Temp%\mseu.ini (used for installation of the mseu.sys service)
             - %system32%\mseus.exe
             - %Temp%\mseus.ini (used for installation of the mseus.exe service)
             - %system32%\tokset.dll
             - %system32%\ainf.inf
             - %Temp%\instdrv.exe (a clean file used to install services)
             - %system_drive%\IQTest\iqtest.exe (in some versions)
             - %system_drive%\IQTest\readme.txt (in some versions)

         * setting the dump.exe file dropped earlier to run at startup (this is the infection flag)
         * deleting the following files (which were only needed for service installation):
             - %Temp%\Regini.exe
             - %Temp%\Dump.ini
             - %Temp%\mseu.ini
             - %Temp%\mseus.ini
             - %Temp%\instdrv.exe
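The artifacts above (dropped files, the 'Dump' startup entry, the services created from the dropped drivers) are enough for a quick host check. The script below is an added example, not BitDefender's removal tool; it maps the page's %system32% and %program-files% placeholders to the %SystemRoot%\System32 and %ProgramFiles% environment variables, and assumes the service names 'mseu' and 'mseus' from the names of the .ini files used to install them (only 'mstart' is named explicitly in the text). The registry probes are parameters so the logic can be exercised with fakes on a non-Windows analysis box.

```python
"""Check a Windows host for the Worm.Zimuse.A artifacts listed above.

Added example, not BitDefender code. Run it as an administrator on the
suspect machine; exit status 1 means at least one indicator was found.
"""
import ntpath
import os
import sys

# Dropped files, with the page's placeholders mapped to Windows env vars
# (assumption: %system32% -> %SystemRoot%\System32, %program-files% -> %ProgramFiles%).
DROPPED_FILES = [
    r"%SystemRoot%\System32\drivers\mstart.sys",
    r"%SystemRoot%\System32\drivers\mseu.sys",
    r"%SystemRoot%\System32\mseus.exe",
    r"%SystemRoot%\System32\tokset.dll",
    r"%SystemRoot%\System32\ainf.inf",
    r"%ProgramFiles%\Dump\dump.exe",
    r"%SystemDrive%\IQTest\iqtest.exe",
    r"%SystemDrive%\IQTest\readme.txt",
]
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Dump"                      # the worm's own infection flag
# 'mstart' is named on the page; 'mseu' and 'mseus' are assumed from the .ini names.
SERVICES = ["mstart", "mseu", "mseus"]
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def _registry_value(subkey, name):
    """Return a value under HKLM, or None if the key or value is absent (Windows only)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def _registry_key_exists(subkey):
    """True if HKLM\\<subkey> exists (Windows only); covers drivers and services alike."""
    if sys.platform != "win32":
        return False
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
            return True
    except OSError:
        return False


def scan_host(path_exists=os.path.exists,
              registry_value=_registry_value,
              registry_key_exists=_registry_key_exists):
    """Return a list of human-readable findings; empty means no indicator present."""
    findings = []
    for pattern in DROPPED_FILES:
        path = ntpath.expandvars(pattern)      # Windows-style %VAR% expansion on any OS
        if path_exists(path):
            findings.append(f"file: {path}")
    run_value = registry_value(RUN_KEY, RUN_VALUE)
    if run_value is not None:
        findings.append(f"run entry: HKLM\\{RUN_KEY}\\{RUN_VALUE} = {run_value}")
    for name in SERVICES:
        if registry_key_exists(f"{SERVICES_KEY}\\{name}"):
            findings.append(f"service: {name}")
    return findings


if __name__ == "__main__":
    hits = scan_host()
    print("\n".join(hits) if hits else "no Zimuse indicators found")
    sys.exit(1 if hits else 0)
```

A hit on the 'Dump' Run entry alone is the strongest single signal, since the worm itself uses it to decide whether the machine is already infected; the file and service checks confirm it and tell you which variant's file set is present.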

       The malware is inactive for the first 10 days (first variant) or 7 days (second variant). After this period, counted from the moment of infection, it proceeds to infect all USB drives attached to the computer using the classical autorun.inf technique.
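The autorun.inf technique works by pointing the open=, shellexecute= or shell\<verb>\command= directives of the [autorun] section at a program on the drive, so inspecting those directives on every removable drive is the practical check. The following is an added example, not the worm's file or BitDefender code: SAMPLE_AUTORUN is constructed for illustration (the page does not reproduce the actual autorun.inf), and the drive enumeration uses the Win32 GetDriveTypeW call, which returns 2 for removable drives.

```python
"""Inspect an autorun.inf for the directives that USB-spreading worms rely on.

Added example, not BitDefender code. SAMPLE_AUTORUN is constructed; the real
file written by the worm is not reproduced on the page.
"""
import configparser
import ntpath
import os
import sys

LAUNCH_KEYS = ("open", "shellexecute")            # executed on insert / AutoPlay
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf"}

# Constructed sample: decoy icon/label plus every launch directive pointing at a dropper.
SAMPLE_AUTORUN = r"""[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
action=Open folder to view files
open=RECYCLER\setup.exe /autorun
shell\open=Open
shell\open\command=RECYCLER\setup.exe /autorun
shell\explore\command=RECYCLER\setup.exe /autorun
"""


def parse_launch_directives(text):
    """Return {directive: command} for every [autorun] entry that starts a program:
    open=, shellexecute= and shell\\<verb>\\command= (the last hijacks Explorer's
    context-menu verbs such as Open and Explore)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str                     # keep directive names as written
    parser.read_string(text)
    launches = {}
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            k = key.lower()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                launches[key] = (value or "").strip()
    return launches


def program_of(command):
    """Extract the program path from a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def triage_autorun(text):
    """Return [(directive, program, is_executable)] for each launch directive found."""
    rows = []
    for directive, command in parse_launch_directives(text).items():
        program = program_of(command)
        ext = ntpath.splitext(program)[1].lower()
        rows.append((directive, program, ext in EXEC_EXTS))
    return rows


def removable_drives_with_autorun():
    """Windows only: autorun.inf paths on removable drives (GetDriveTypeW == 2)."""
    if sys.platform != "win32":
        return []
    import ctypes
    found = []
    for letter in "DEFGHIJKLMNOPQRSTUVWXYZ":
        root = f"{letter}:\\"
        if ctypes.windll.kernel32.GetDriveTypeW(root) == 2:
            inf = os.path.join(root, "autorun.inf")
            if os.path.exists(inf):
                found.append(inf)
    return found


if __name__ == "__main__":
    paths = sys.argv[1:] or removable_drives_with_autorun()
    sources = [(p, open(p, errors="replace").read()) for p in paths] or [("sample", SAMPLE_AUTORUN)]
    for name, text in sources:
        for directive, program, is_exe in triage_autorun(text):
            print(f"{name}: {directive} -> {program} [{'EXECUTABLE' if is_exe else 'check'}]")
```

Any launch directive on a removable drive deserves a look; the extension check only ranks the obvious cases, and a renamed payload (a .vmx or .dat that is really a PE file) still shows up as a launch target with is_executable False.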

       After 40 days from the infection (first variant) or 20 days (second variant), the malware overwrites the MBR (master boot record) with garbage, rendering the computer unbootable.
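Because the MBR is the first 512-byte sector of the disk, overwriting it with garbage destroys the boot code and the partition table but leaves the file systems on the partitions in place; a saved copy of that sector restores the machine. The code below is an added example, not BitDefender's tool: it checks whether a sector still has the standard MBR layout (0x55 0xAA signature at offset 510, four 16-byte partition entries at offset 446 with valid status bytes) and backs the sector up. The sample sectors are constructed here; reading the raw device path \\.\PhysicalDrive0 needs administrator rights on Windows (use /dev/sda or similar on Linux).

```python
"""Sanity-check a 512-byte MBR and back it up before the worm's deadline.

Added example, not BitDefender code. The sample sectors are constructed.
"""
import struct

SECTOR = 512
PT_OFFSET = 446          # partition table: four 16-byte entries
SIG_OFFSET = 510
MBR_SIGNATURE = b"\x55\xaa"


def parse_partitions(sector):
    """Yield (status, type, lba_start, sector_count) for each of the four entries.
    Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA(4, LE) count(4, LE)."""
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        yield status, ptype, lba, count


def mbr_looks_intact(sector):
    """Return (ok, reasons). Garbage nearly always fails the signature test; the
    partition-table checks catch the rare case where the last two bytes survive."""
    reasons = []
    if len(sector) != SECTOR:
        return False, [f"sector is {len(sector)} bytes, expected {SECTOR}"]
    if sector[SIG_OFFSET:] != MBR_SIGNATURE:
        reasons.append("boot signature 55AA missing")
    active = used = 0
    for i, (status, ptype, lba, count) in enumerate(parse_partitions(sector)):
        if status not in (0x00, 0x80):
            reasons.append(f"entry {i}: invalid status byte {status:#04x}")
        if status == 0x80:
            active += 1
        if ptype != 0:
            used += 1
            if count == 0:
                reasons.append(f"entry {i}: type {ptype:#04x} but zero length")
    if active > 1:
        reasons.append("more than one partition flagged active")
    if used == 0:
        reasons.append("no partitions defined")
    return not reasons, reasons


def build_sample_mbr():
    """Constructed MBR: placeholder boot code, one active NTFS partition (type 0x07)
    at LBA 2048 spanning 2 GiB, three empty entries, signature in place."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                        2048, 4194304)
    boot_code = b"\x33\xc0" + b"\x90" * (PT_OFFSET - 2)   # xor ax,ax; nop... (placeholder)
    return boot_code + entry + b"\x00" * 48 + MBR_SIGNATURE


# Constructed "garbage" sector: deterministic pseudo-random bytes, no valid signature.
GARBAGE_SECTOR = bytes((i * 37 + 11) & 0xFF for i in range(SECTOR))


def read_first_sector(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw device (administrator/root rights required)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


def backup_mbr(device, out_path):
    """Save sector 0 to out_path and report whether it still looks like an MBR."""
    sector = read_first_sector(device)
    with open(out_path, "wb") as out:
        out.write(sector)
    return mbr_looks_intact(sector)


if __name__ == "__main__":
    for label, sector in (("sample", build_sample_mbr()), ("garbage", GARBAGE_SECTOR)):
        ok, why = mbr_looks_intact(sector)
        print(f"{label}: {'intact' if ok else 'damaged'} {why}")
```

Take the backup on every machine you suspect, not only the ones past the deadline: once the sector has been overwritten the only alternatives are restoring a saved copy or rebuilding the partition table by hand.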
 

Worm.Zimuse.A Removal Instructions

1. Download the removal tool (.exe file - 201 KB).

2. If you are running as a restricted user on Windows XP, right-click the "zimuse-removal-tool.exe" program and choose "Run as..." (labelled "Run as administrator" on Windows Vista and later) so that you are prompted for the credentials of an administrator account.

3. BitDefender recommends a system reboot after the disinfection is complete.

4. If you have no permanent antivirus protection, or your current antivirus has failed, consider the advanced protection tool provided by BitDefender.

For more information, please visit the Zimuse website.
