-
Experienced User
win32/zimuse info and how to remove
This is from ESET.com:
Bemused by Zimuse?
January 22nd, 2010
Win32/Zimuse is a worm that exists in two variants, innovatively entitled Win32/Zimuse.A and Win32/Zimuse.B. In some ways it's a throwback to an earlier age, since it overwrites the Master Boot Record on drives attached to an infected system with its own data, so that data on the system becomes inaccessible without the use of specialized software. Our colleagues in Bratislava have pointed to a certain similarity with an old multipartite file and boot infector called One Half (hence the sly reference in the title of this blog). However, it doesn't work like a traditional boot sector infector, using code in the MBR to infect floppy disks: it spreads either on exchangeable media such as USB devices, or is found embedded on legitimate web sites as a self-extracting .ZIP file or as an IQ test program.
We believe that it originated as a prank in central Slovakia, but its spread from there has been slightly surprising, if not dramatic: right now, the greatest number of infected computers is in the US. Clearly, USB devices remain a significant vector for rapid malware dissemination.
Win32/Zimuse.A starts spreading by USB 10 days after infection, and the destructive routine is executed in 40 days. The .B variant raises the ante by reducing the time before spreading to seven days, and the time to execution of the destructive payload.
Current ESET products already detect these threats, and have published a removal tool at http://www.eset.eu/download/ezimuse-remover. There is more information on the threat itself at http://www.eset.eu/press-computer-worldwide-targetted-by-MBR-Worm.
Hopefully this won't spread too much further. But it's a useful reminder that while most current threats are more interested in stealing your data than trashing it, it's never a bad time to make sure your backup mechanisms are working properly. You do back up your data, don't you?
-
Moderator
Thank you,
I've downloaded that free removal tool.
Those Master Boot Record infectors are quickly spreading
http://www.sophos.com/blogs/sophoslabs/?p=8315
Last edited by leofelix; 01-25-2010 at 05:06 AM.
-
Experienced User
Kool thanks for the info about this.
Amateur Programmer.
Beginner Firefox add-on and toolbar Developer.
-
Guest
The worm uses two ways to spread:
- either via embedding in legitimate websites, in the form of a self-unpacking ZIP file or as an IQ test program, or
- via exchangeable media, such as USB devices. The fact that it relies on USB devices to propagate is responsible for its rapid dissemination, which is likely to increase even further.
Then block it.
"Stars and the Sun"
-
Yes Retro Virus comes back to hit hard disk MBR
All times are GMT +8.