Vicious, Data Destroying Virus Discovered

Written by Sue Walsh on February 2, 2010

Security researchers have discovered a vicious new virus. Dubbed Win32.Worm.Zimuse.A, it appears to have originated in Slovakia but has quickly made its way around the world; the highest rate of infection is now in the United States, followed by Slovakia, Thailand, and Italy. The virus and its variant, Win32.Worm.Zimuse.B, both work in the same destructive way. Once the system is infected, Zimuse creates between 7 and 11 copies of itself, installs a rootkit, alters system registry entries, and creates several driver files. After a predetermined number of days (40 for variant A, 20 for variant B) it springs to life with a poorly written fake Windows Defender warning:

“System Defender – Kernel Error 0xC00000005

This problem is unambigously cause by malicious contents in IP packers in transport layer from website: www.offroad-lm.szm.sk. To bee patient, Windows Defender scan your hard drive(s) for bugs caused by system incompatible code. To recovery of system press OK button. Wait to successfull end of scanning. Inform about this administrator on www.szm.sk and incriminated web site.”

Once that appears, the system is doomed. The next time the user restarts the computer they will be greeted with the heart-stopping error “FATAL: No bootable medium found.” This is because the virus overwrites the Master Boot Record, which permanently damages the drive. What makes this virus even more dangerous is that until the message pops up it is nearly impossible to know the system is infected.
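A defender-side way to notice an overwritten first sector before the reboot surprise, as an added example that is not part of the original post: the script below parses a constructed 512-byte MBR image, validates the 0x55AA boot signature and the partition table, and compares the sector's hash against a recorded baseline, which is the kind of check a backup or boot-integrity routine can run on a disk image.

```python
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
TABLE_OFFSET = 446                    # partition table starts after the boot code


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries of a classic MBR."""
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, known_good_sha256: Optional[str] = None) -> dict:
    """Return findings that indicate a wiped or tampered first sector."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("sector is not 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partition_table(mbr)
    if not any(p["type"] != 0 for p in parts):
        findings.append("partition table empty")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    if all(b == mbr[0] for b in mbr[:TABLE_OFFSET]):
        findings.append("boot code is a uniform fill (zeroed or overwritten)")
    digest = hashlib.sha256(mbr).hexdigest()
    if known_good_sha256 and digest != known_good_sha256:
        findings.append("sector hash differs from recorded baseline")
    return {"sha256": digest, "findings": findings, "intact": not findings}


def build_sample_mbr() -> bytes:
    """Constructed sample: minimal boot stub plus one active NTFS-type partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * (TABLE_OFFSET - 5)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = check_mbr(build_sample_mbr())["sha256"]   # record once, when healthy
    print(check_mbr(b"\x00" * MBR_SIZE, baseline))         # what a wiped sector looks like
```

On a real system the 512 bytes would come from the raw device (read with administrative rights) and the baseline hash would be stored with the backup set.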

Win32.Worm.Zimuse.A and B spread in very different ways. The first variant embeds itself on legitimate sites, possibly by poisoning an ad network, and poses as an IQ test. The second spreads via removable media such as USB flash drives. Experts think it was a malicious prank aimed only at fans of a Slovakian motorcycle gang, but it has gone far beyond that, destroying data wherever it lands. This could be especially devastating if it hit a critical government or business network.

It is extremely important to make sure your data is backed up safely and to be more cautious than ever about sharing storage media and clicking on links. All IQ tests should be avoided, and web surfing should be confined to familiar sites. If you aren’t sure whether your system’s anti-virus programs are up to date, contact your IT department.

Comments

Pingback: Public Service Announcement – Zimuse virus: Today would be an excellent day to back up your data, and to avoid all IQ tests – The Blogs at HowStuffWorks

MS February 3, 2010

Screwing the MBR doesn’t permanently damage any drive. A broken MBR can be fixed with a single one-line command from a Windows install disk. I highly doubt that this virus is capable of permanently damaging any computer. If it is, it is certainly not the erasing of the MBR that would cause permanent damage.

A simple format and Windows reinstall will have you right back up and running virus free, assuming you have a recent backup of updated hardware drivers and your data files. You all did back up your drivers and files, right?

Kelly Wright August 8, 2010

MS, while this is not a big issue for experienced users, users with less knowledge about infections will face a non-bootable computer. That alone looks scary! They will not be able to post an ‘ask for help’ message on forums or download any software.
