January 22, 2010 | Bratislava

Computers Worldwide Targetted by a MBR Worm

Initially perhaps conceived as a prank targeting a small community of bikers in central Slovakian region, the worm <a target="_blank" href=27028</buxus-link>>Win32/Zimuse.A and <a target="_blank" href=27052,""</buxus-link>>Win32/Zimuse.B has achieved worldwide notoriety.  It is a type of threat that overwrites MBR (Master Boot Record) of all available drives with its own data, making the data stored on the user’s computer inaccessible. Moreover, the restoration of the corrupted data is complicated, requiring specialized software or a provider.

Since the worm’s inception, ESET has detected it on hundreds of computers of its users. Initially after the outbreak, only users in Slovakia were affected – accounting for over 90% of all infections. Presently, the greatest number of infected computers is in the United States, followed by Slovakia, Thailand and Spain, followed with Italy, Czech Republic and other European countries.


<a href=viruses/win32-zimuse04.jpg</buxus-image>><img border="0" src=viruses/win32-zimuse01.jpg</buxus-image> />

The worm uses two ways to spread – either via embedding in legitimate websites, in the form of a self-unpacking ZIP file or as an IQ test program, or via Exchangeable media, such as USB devices. The fact that it relies on USB devices to propagate is responsible for its rapid dissemination, which is likely to increase even further.

<a href=viruses/win32-zimuse02.jpg</buxus-image>><img border="0" src=viruses/win32-zimuse05.jpg</buxus-image> />

To date, the worm’s two variants - Win32/Zimuse.A and Win32/Zimuse.B differ in the method of spread and the timing of activation. While the A-variant needs 10 days to start spreading via USB devices, its B-variant needs only 7 days since infiltration. Moreover, the time needed for the execution of the destructive routine is shortened in the B-variant from the original 40 days to 20.

Moreover, if the right removal method is not used, the worm shifts to its destructive mode. This is similar to making the right choice on which wire to cut, and in what sequence in a bomb-defusing operation.

<img border="0" src=viruses/win32-zimuse03.jpg</buxus-image> />

There is a widely held suspicion that the worm was intended to infect the computers of fans of a motorcycle club in the central Slovakian Liptov region, however, it has  spread beyond this target group once it started attacking  company networks. What’s more, the infiltration was reminiscent of the well-known OneHalf threat in the worm’s behavior, the country of origin (both originating in Slovakia), and the inflicted damage – causing the total paralysis of the system it attacks.

The infiltration does not posses a degree of sophistication that would encrypt the data on the disk, instead it was designed to corrupt the MBR (Master Boot Record) of physical disk drives. It emulates the old-time threats in that it is timed to go off – in this case in 40 days since the infiltration. 

Users of ESET products – namely ESET NOD32 Antivirus and ESET Smart Security are protected against this threat. However, in order eliminate the potential of data loss as a result of its corruption by the worm, ESET recommends to its users to back up their important data.  

ESET has also recently published <a target="_blank" href=27089,""</buxus-link>>Zimuse Removal Tool.

About ESET

Founded in 1992, ESET is a global provider of security solutions for enterprises and consumers. Thanks to its ThreatSense.Net® technology, ESET is able to collect data on a volunteer basis from users all around the world, which helps us react quickly to emerging threats. ESET has offices in Bratislava, SK; Buenos Aires, AR; San Diego, USA and has an extensive partner network in 160 countries. In 2008, ESET has opened a new research center in Krakow, Poland. ESET was named by Deloitte’s Technology Fast 500 one of the fastest-growing technology companies in the region of Europe, Middle East and Africa.