<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; USB</title>
	<atom:link href="http://www.theemailadmin.com/tag/usb/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Sat, 04 Feb 2012 15:38:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Hybrid malware spreading via USB devices</title>
		<link>http://www.theemailadmin.com/2010/02/hybrid-malware-spreading-via-usb-devices/</link>
		<comments>http://www.theemailadmin.com/2010/02/hybrid-malware-spreading-via-usb-devices/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 15:01:07 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[USB]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>
		<category><![CDATA[Zimuse]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2101</guid>
		<description><![CDATA[An oddball hybrid malware program grabbed some electronic headlines this week. The bad app combines the activity of a worm with the infectious properties of a virus. There appear to be two variants of it: Win32.Worm.Zimuse.A and Win32.Worm.Zimuse.B. What makes the pernicious program queer is its destructive properties. These days, Black Hats tend to concentrate [...]<p><a href="http://www.theemailadmin.com/2010/02/hybrid-malware-spreading-via-usb-devices/">Hybrid malware spreading via USB devices</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2106" class="wp-caption alignright" style="width: 260px"><img class="size-full wp-image-2106" src="http://www.theemailadmin.com/wp-content/uploads/2010/01/zimuse-iq-test.jpg" alt="Zimuse leverages an IQ test to infect its victims." width="250" height="182" /><p class="wp-caption-text">Zimuse leverages an IQ test to infect its victims.</p></div>
<p>An oddball hybrid malware program grabbed some electronic headlines this week. The bad app combines the activity of a worm with the infectious properties of a virus. There appear to be two variants of it: Win32.Worm.Zimuse.A and Win32.Worm.Zimuse.B.</p>
<p>What makes the pernicious program queer is its destructive properties. These days, Black Hats tend to concentrate their efforts on programming schemes that have a cash payoff. When that&#8217;s your line of business, stealth, not havoc, is your modus operandi. Zimuse&#8217;s creators, though, don&#8217;t seem to care about monetary gain. Proliferation and mayhem appear to be their game.</p>
<p>Given the putative origin of the malware, it&#8217;s easy to understand why it departs from the malware mainstream. According to security experts, the black app was originally written to infect fans of a motorcycle club in the Liptov region of Slovakia. As can be the case with computer pranks, however, the malware started spreading wildly and soon began infecting corporate networks. Now badware watchers say the majority of the machines infected by the Zimuse variants are in the United States, followed by Slovakia, Thailand and Spain.</p>
<p>The malware is a two-trick pony. First, it infects a machine and looks for ways to propagate itself. Then, after a defined number of days, it trashes its host&#8217;s Windows operating system and cripples it.</p>
<p>One way Zimuse distributes itself is by compromising legitimate Web sites. It&#8217;s planted as a self-unpacking zip file that contains an IQ test. When the IQ test installs itself on a machine, it also installs the malware. The IQ test is a legitimate application and serves to obfuscate what Zimuse is doing under the compromised computer&#8217;s hood.</p>
<p><span id="more-2101"></span>After the sinister software insinuates itself on a computer, it begins to multiply. Depending on the variant, it copies itself in anywhere from seven to 11 areas critical to the device&#8217;s operating system. In addition, it modifies the Windows Registry to guarantee that its components will be launched as services each time a computer is started. Here are the keys altered by Zimuse.</p>
<p>HKLM\System\CurrentControlSet\Services\EventLog\System\MSTART</p>
<p>HKLM\System\CurrentControlSet\Services\MSTART</p>
<p>HKLM\System\CurrentControlSet\Services\MSTART\Security</p>
<p>HKLM\System\CurrentControlSet\Services\Mseu</p>
<p>HKLM\system\currentcontrolset\services\UnzipService</p>
<p>In addition to working mischief with the Registry, the malware also adds two drivers. They look like this.</p>
<p>%system%\drivers\Mstart.sys</p>
<p>%system%\drivers\Mseu.sys</p>
<p>Users of the 64-bit versions of Windows 7 and Vista can breathe a little easier than XP coves because those versions of Microsoft&#8217;s operating system require that drivers be signed before they&#8217;re installed and Zimuse&#8217;s drivers won&#8217;t cut the mustard in that department.</p>
<p>After Zimuse finds a home on a computer, it waits for USB storage devices to be attached to the machine so it can infect them too. When such a device mates with a computer, Zimuse copies itself to the hardware as a file named zipsetup.exe, along with an autorun file. The contents of that file, autorun.inf, look like this.</p>
<p>[autorun]<br />
shellexecute=zipsetup.exe /H</p>
<p>According to White Hats, the USB vector has been a rewarding one for spreading the nasty code.</p>
<p>In moving from the A variant to the B version of the program, its creators have tightened up the timeframe of its actions. The 10 days it took for the A variant to begin infecting USB plug-ins has been reduced to seven days in the B version. The B variant also trashes its host sooner&#8211;20 days compared to 40 days for the A version.</p>
<p>When running on a computer, the malware is invisible to a user. That&#8217;s typical for outlaw programs these days. Zimuse, though, isn&#8217;t content with propagating itself in the background. After the aforementioned fixed period of time&#8211;40 days for variant A, 20 days for B&#8211;the spiteful software displays an error message claiming a problem has occurred due to IP packets from a rummy URL. The problem can be solved, the message tells the user, with a system recovery, which can be accomplished by clicking OK in the error message&#8217;s window.</p>
<p>The so-called system recovery is actually system chicanery. When the infected computer reboots, Zimuse overwrites the first 50 megabytes of the Master Boot Record for Windows. That essentially cripples the file system and makes all data on the disk inaccessible without the use of special tools.</p>
<p>As malware goes, Zimuse is particularly malevolent, but as some commentators have observed on the Web, having a Master Boot Record zapped is far less injurious than having passwords to bank accounts or social security numbers stolen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/02/hybrid-malware-spreading-via-usb-devices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Follow the serial numbers</title>
		<link>http://www.theemailadmin.com/2010/01/follow-the-serial-numbers/</link>
		<comments>http://www.theemailadmin.com/2010/01/follow-the-serial-numbers/#comments</comments>
		<pubDate>Tue, 12 Jan 2010 15:08:13 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[forensics]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[USB]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2017</guid>
		<description><![CDATA[Devices that plug into the USB ports on a computer are convenient to use, but they can be a security headache, too. What security-conscious system administrator hasn&#8217;t contemplated the grim consequences of gigabytes of sensitive data inappropriately stored on a thumb drive walking out the front door of his or her company in the shirt [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2019" class="wp-caption alignright" style="width: 260px"><img class="size-full wp-image-2019" src="http://www.theemailadmin.com/wp-content/uploads/2010/01/800px-Type_A_USB_connector-Custom.jpg" alt="USB devices can be a convenience and a curse." width="250" height="177" /><p class="wp-caption-text">USB devices can be a convenience and a curse.</p></div>
<p>Devices that plug into the USB ports on a computer are convenient to use, but they can be a security headache, too. What security-conscious system administrator hasn&#8217;t contemplated the grim consequences of gigabytes of sensitive data inappropriately stored on a thumb drive walking out the front door of his or her company in the shirt pocket or purse of an employee? What security specialist hasn&#8217;t cringed at the thought of a compromised USB device being plugged into his or her network where it can infect the system with a virus, Trojan or worm?</p>
<p>One way to identify problems associated with USB devices is to follow their leavings. Among the leavings left behind by USB devices when they&#8217;re attached to a computer running Windows are their serial numbers. Although not all USB devices have serial numbers, most do, and they can be used to perform some basic computer forensics, as Adrian Crenshaw pointed out in a <a target="_blank" href="http://www.irongeek.com/i.php?page=security/tracking-users-malware-and-data-leaks-via-the-usb-serial-numbers-on-flash-drives-smart-phones-and-mp3-players">recent posting</a> in his Irongeek.com blog.</p>
<p>For example, if the ownership of a USB drive linked to malicious activity is in dispute, a scan of the suspects&#8217; computers would reveal which one the device had been connected to. Chances are the operator of the computer containing the serial number of the device in its Windows registry will be the culprit in the case.</p>
<p>If the source of a virus is linked to a USB device, comparing the serial numbers of the devices connected to the system at the time the infection began to spread could help identify the compromised hardware and even identify the point of initial infection.</p>
<p><span id="more-2017"></span>In another scenario, a serial number belonging to a suspicious device&#8211;a digital media player, for instance&#8211;might show up in the registry for a Windows server. By scrutinizing the registries of the PCs on the system for the serial number of the device, its owner can be identified and appropriate action taken.</p>
<p>Crenshaw identifies two registry keys where USB information is stored.</p>
<ol>
<li>The key storing information on USB devices that are connected to a system or have been connected to a system is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB.</li>
<li>Another key&#8211;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR&#8211;stores information strictly on USB storage devices. While the \USB key may be scrubbed by programs like <a target="_blank" href="http://www.nirsoft.net/utils/clean_after_me.html">CleanAfterMe</a>, the \USBSTOR key may survive such purges.</li>
</ol>
<p>As anyone who&#8217;s opened up a Windows registry knows, finding what&#8217;s wanted can be challenging. When it comes to the serial numbers of USB devices, the task can be less challenging with a free tool recommended by Crenshaw called <a target="_blank" href="http://www.nirsoft.net/utils/usb_devices_view.html">USBDeview</a> by NirSoft. The application displays information from the USB registry keys in an easy-to-peruse table format that can be sorted by column. Columns contain information such as device name/description, device type, serial number, date/time that the device was added, VendorID, ProductID and such.</p>
<p>What&#8217;s nice about USBDeview is that it allows you to grab USB information from any machine on your network. Of course, administrator privileges are needed to tap into that data. &#8220;Even if you have the admin user name and password of the remote machine that you wish to connect to, you still have to configure it properly in order to get full administrator access,&#8221; <a target="_blank" href="http://blog.nirsoft.net/2009/10/22/how-to-connect-a-remote-windows-7vistaxp-computer-with-nirsoft-utilities/">NirSoft explains at its Web site</a>. &#8220;If you have a network with a domain controller, and you are the administrator of this domain, your life is a little easier, because some configuration changes required to get admin access remotely are made by Windows automatically when the computer joins the domain.&#8221;</p>
<p>The program will also trawl multiple computers on a network for USB information. You can do that by setting up a text file with the computers you want scanned listed by name or IP address in UNC format. When the information is returned and displayed in USBDeview&#8217;s familiar table format, you can use the column feature to analyze it. Need to identify the PCs on the system that are using or have used a particular device? Click on the serial number column and check out the rows with the hardware&#8217;s serial number in them.</p>
<p>If you have many computers on your network, the amount of information gathered by the program can overwhelm the table format. NirSoft addresses that prospect by allowing information from the table to be exported in a number of file formats, including CSV. A CSV file can easily be imported into a database program where more precise analysis of the table&#8217;s data can be performed.</p>
<p>While this kind of analysis may not appeal to all administrators, those with an interest in forensic computing may find the process worth experimenting with.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/01/follow-the-serial-numbers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

