
Worm:Win32/Zumes.A


First posted on 29 March 2010.
Source: SecurityHome

Aliases:

Worm:Win32/Zumes.A is also known as Win-Trojan/Zimuse.69632 (AhnLab), W32/Zimuse.C (Authentium (Command)), Worm/Zimuse.A.2 (Avira), Worm.Zimuse.A (BitDefender), Win32.HLLW.Mseus.1 (Dr.Web), Virus.Win32.Mseus.a (Kaspersky), W32/Zimuse (McAfee), W32/Zimuse.E (Norman), W32/Mseus.A (Panda), W32/Mseus-D (Sophos), W32.Zimuse.B (Symantec).

Explanation:

Worm:Win32/Zumes.A is a detection for a component of Win32/Zumes, a worm that uses a timer to spread to removable drives. This worm also uses the timer to perform a destructive payload by overwriting the master boot record (MBR) of attached and removable drives.

Installation

Worm:Win32/Zumes.A is installed by a worm dropper, detected as Worm:Win32/Zumes.A!sys. It infects the local computer when a user visits an infected removable drive and has autoplay enabled. This worm component may be present as the following:

%systemroot%\system32\mseus.exe

Other components may be present as the following:

%systemroot%\system32\drivers\mseu.sys - Worm:Win32/Zumes.A!sys
%systemroot%\system32\drivers\mstart.sys - Worm:Win32/Zumes.A!sys
%systemroot%\system32\tokset.dll - Worm:Win32/Zumes.A!sys, copy of the worm installer
%systemroot%\system32\ainf.inf - Worm:Win32/Zumes.A!inf

Worm:Win32/Zumes.A may be installed as a system service named "UnzipService".

Spreads via...

Removable drives

Worm:Win32/Zumes.A attempts to spread to removable drives. The worm checks for removable drives in the first nine drive letter assignments (C - K). The worm copies its installer to the drive as "zipsetup.exe". Next, the worm writes an autorun configuration file named "autorun.inf" pointing to "zipsetup.exe". When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.

Payload

Erases MBR

40 days after the initial infection by the worm, it attempts to overwrite the sectors containing the master boot record of drives. Worm:Win32/Zumes.A overwrites the first 50 Kb of data of the first 9 logical drives (C - K) with zero data (null bytes) and overwrites the first 100 Kb of data of the first 9 physical drives with zero data, destroying the MBR of each drive.

Displays alert
Worm:Win32/Zumes.A displays the following message to encourage the user to visit an external link:
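The following is an added example written for this entry; it is not code from the original page or from the vendor's analysis. It shows defender-side checks for the two behaviours described above: it parses an autorun.inf the way the Autorun feature reads it ([autorun] section; open=, shellexecute= and shell\...\command= keys) and flags one that launches the "zipsetup.exe" dropper name or any other executable, matches a file listing against the component paths named in the Installation section, and checks a raw disk-sector buffer for the zero-filled MBR that the payload leaves behind. The function names, the sample autorun.inf, the sample file listing and the %systemroot% value C:\Windows are assumptions constructed for the demonstration.

```python
"""Defender-side checks for the Win32/Zumes indicators named in the entry.

Added example, not from the original page. Sample inputs are constructed.
"""
import re
from pathlib import PureWindowsPath

# Component paths named in the entry, relative to %systemroot%.
ZUMES_COMPONENTS = {
    r"system32\mseus.exe",
    r"system32\drivers\mseu.sys",
    r"system32\drivers\mstart.sys",
    r"system32\tokset.dll",
    r"system32\ainf.inf",
}
ZUMES_DROPPER_NAME = "zipsetup.exe"   # file name the worm copies to removable drives
ZUMES_SERVICE_NAME = "UnzipService"   # service name from the entry

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys whose value is run
MBR_SIGNATURE = b"\x55\xaa"             # boot-sector signature at offset 510


def parse_autorun(text: str) -> dict:
    """Return key/value pairs of the [autorun] section, keys lower-cased.

    autorun.inf is INI-like: keys are case-insensitive and only the
    [autorun] section is consulted by the Autorun feature.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(entries: dict) -> list:
    """Programs the file would launch: open=, shellexecute=, shell\\X\\command=."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            targets.append(value)
    return targets


def autorun_indicators(text: str) -> list:
    """Findings for one autorun.inf (constructed wording, assumption)."""
    findings = []
    for target in autorun_launch_targets(parse_autorun(text)):
        exe = PureWindowsPath(target.split()[0].strip('"')).name.lower()
        if exe == ZUMES_DROPPER_NAME:
            findings.append(f"autorun launches Zumes dropper name: {target}")
        elif exe.endswith(".exe"):
            findings.append(f"autorun launches executable: {target}")
    return findings


def component_matches(paths, systemroot=r"C:\Windows") -> list:
    """Entries of `paths` that sit at a known Zumes component location."""
    root = PureWindowsPath(systemroot)
    known = {c.lower() for c in ZUMES_COMPONENTS}
    hits = []
    for p in paths:
        try:
            rel = PureWindowsPath(p).relative_to(root)
        except ValueError:
            continue  # outside %systemroot%
        if str(rel).lower() in known:
            hits.append(p)
    return hits


def mbr_wiped(disk_prefix: bytes) -> bool:
    """True when sector 0 has no 0x55AA signature and is entirely zero.

    The payload zero-fills the first 100 Kb of each physical drive, so a
    wiped disk shows neither a boot signature nor any non-zero byte.
    """
    sector = disk_prefix[:512]
    return len(sector) == 512 and sector[510:512] != MBR_SIGNATURE and not any(sector)


# Constructed sample inputs (not captured from a real infection).
SAMPLE_AUTORUN = "[autorun]\r\nopen=zipsetup.exe\r\nicon=zipsetup.exe,0\r\n"
SAMPLE_FILES = [r"C:\Windows\system32\MSEUS.EXE", r"C:\Windows\system32\notepad.exe"]

if __name__ == "__main__":
    print(autorun_indicators(SAMPLE_AUTORUN))
    print(component_matches(SAMPLE_FILES))
    print(mbr_wiped(bytes(512)))
```

Path comparison is case-insensitive because Windows file names are; the MBR check is meant to run over the first sector read from a drive image, and a healthy disk keeps its 0x55AA signature.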

Analysis by Shawn Wang

Last update 29 March 2010
