The Zimuse Worm ~ A Hard Drive Killer
Wednesday, 3. February 2010 21:49
This one has been big in the news as of late and I received a few samples to play with. I have not seen any cases in the forums yet, but I wonder whether that is because there are almost no indications of it running. This could be unfortunate, because if it goes undetected for either 20 or 40 days, depending on the variant, it will overwrite the Master Boot Record on the system and render it unbootable.
The sample tested here is masked as an IQ Test. Since it is a worm, it spreads via the usual ways such as removable drives, and it has also been reported embedded in legitimate websites as a self-extracting download. It was originally reported that the malware was developed as a prank against a small community of bikers in Slovakia, but it has since spread into the wild, and the US has reported the highest incident rate.
The sample tested here has a pretty solid detection rate.
[Figure: VirusTotal results for the IQTest.exe sample]
Analysis
As stated earlier, the malware pretends to be an IQ Test. Upon execution of the sample, the entire monitor screen goes black with what I assume is a Slovakian IQ test?
A full reboot is necessary to fully launch the malware.
System Analysis
The following files and folders are created:
C:\Program Files\Dump
C:\Program Files\Dump\Dump.exe
C:\WINDOWS\system32\ainf.inf
C:\WINDOWS\system32\mseus.exe
C:\WINDOWS\system32\tokset.dll
C:\WINDOWS\system32\drivers\Mseu.sys
C:\WINDOWS\system32\drivers\Mstart.sys
The following registry modifications are made:
Registry Keys created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mseu
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnzipService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService
Registry Values created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Dump = "%ProgramFiles%\Dump\Dump.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mseu]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnzipService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService]
Symptoms of infection are essentially non-existent: no system slowdown, redirects, pop-ups, or any of the other usual indicators. The only indication is that you will see the Mseus.exe process running in Windows Task Manager. So you say, what's the problem? Well, the payload will hit in a matter of days (or weeks). Depending on the variant, you will get a system message after either 20 or 40 days.
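Because the infection shows almost no symptoms, a host check against the artifacts listed above is the practical way to spot it before the payload fires. The following PowerShell triage script is an added example, not code from the original post; it assumes the file paths, service names, Run value and process name are exactly those documented above, and resolves %ProgramFiles% and %SystemRoot% at run time rather than hard-coding C:\.

```powershell
# Added example (not from the original write-up): report Zimuse artifacts on a host.
function Find-ZimuseArtifacts {
    $hits = @()

    # Files and drivers dropped by the sample (paths taken from the write-up)
    $files = @(
        (Join-Path $env:ProgramFiles 'Dump\Dump.exe'),
        (Join-Path $env:SystemRoot 'system32\ainf.inf'),
        (Join-Path $env:SystemRoot 'system32\mseus.exe'),
        (Join-Path $env:SystemRoot 'system32\tokset.dll'),
        (Join-Path $env:SystemRoot 'system32\drivers\Mseu.sys'),
        (Join-Path $env:SystemRoot 'system32\drivers\Mstart.sys')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $hits += "file: $f" }
    }

    # Service keys registered by the sample
    foreach ($svc in 'Mseu', 'MSTART', 'UnzipService') {
        if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") {
            $hits += "service key: $svc"
        }
    }
    if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART') {
        $hits += 'legacy driver enum key: LEGACY_MSTART'
    }

    # Run-key persistence value named Dump
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                            -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Dump']) {
        $hits += "Run value: Dump = $($run.Dump)"
    }

    # The running process is the only symptom the write-up mentions
    if (Get-Process -Name 'mseus' -ErrorAction SilentlyContinue) {
        $hits += 'process: mseus.exe'
    }
    return $hits
}

$found = Find-ZimuseArtifacts
if ($found.Count -eq 0) {
    Write-Output 'No Zimuse artifacts found.'
} else {
    Write-Output 'Possible Zimuse artifacts found:'
    $found | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so the service keys and driver files are readable; a hit on any line is a reason to image the disk and back up the MBR before the trigger date rather than to wait for the system message.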
I was able to trigger this message by setting the clock ahead by 21 days. Clicking OK restarts the computer and on the next boot…
Ouch!!! An overwritten Master Boot Record causes this message, and an unbootable PC.
Removal
I tried 2 tools that are “advertised” to remove this infection.
Neither tool was successful. The Bitdefender tool simply stalled the system and did nothing after several hours of running. The Eset tool ran but did not remove the infection.
I was able to remove it “manually” using specialized tools, but MalwareBytes Anti-Malware was able to remove most of it and disabled the active part of the infection, allowing the Bitdefender tool to run and finish the cleanup (which could also have been done manually). Like I usually advise, you should visit one of the free forums and get expert help to make sure you’re all clean.
As opposed to the early days of script kiddies writing prank viruses, most infections these days have some motive for their operation, usually profit. This one brings us back to those days in some ways, as I see no motive (other than a “prank”) for its existence.
Category: Analysis | Comments (0) | Author: admin