Back to Home

Attack of the MBR worm or everything new - well forgotten old / ESET NOD32 Blog

ESET · MBR-worm · Win32 · Zimuse

MBR worm attack or all new - well forgotten old

    Recently, a previously unknown worm, Win32 / Zimuse, aimed at damaging the master boot record MBR ( Master Boot Record ) on the hard disk, has become widespread on the Internet .
    It is noteworthy that this threat was originally created as a joke to infect one small community of Slovak bikers. Perhaps these were the machinations of a motoclub competing with them. However, today the worm has already gone out of control of its authors and is actively spreading around the world. At the same time, 90% of all infected users were initially located in Slovakia. But now the USA, Thailand and Spain are also leading in the number of infections, with Italy, the Czech Republic and other European countries with a slight lag.

    Win32 / Zimuse damages the master boot record MBR on all hard drives it finds. This makes all data on the hard drive inaccessible to the user.

    image

    image

    The worm spreads in two ways: in the form of an application on completely legal web resources that imitates the behavior of a self-extracting zip archive or in the form of an IQ test program, as well as on removable USB media. It was the second method that influenced the rapid growth of its distribution.

    image

    After starting the IQ test programs, users can observe a text message in Czech, which once again confirms the origin of this worm from Eastern Europe.

    image

    To date, the worm is known in two versions - Win32 / Zimuse.A and Win32 / Zimuse.B. They differ in the distribution method and activation time. Option “A” needs 10 days to start distribution via USB devices, the second only 7 days from the time of infection.
    A similar incident was previously known with the OneHalf virus , which made a lot of noise in the mid-nineties. At that time, many antivirus programs were powerless against this threat. OneHalf infected MBR and encrypted user data. Many treatment options for this virus have damaged the boot sector and lost data. During the investigation and search of OneHalf authors, most of the facts indicated that its distribution began in Slovakia and, most likely, the author was also from there.

    Users of ESET NOD32 Antivirus and ESET NOD32 Smart Security antivirus products are protected from the Win32 / Zimuse threat, and for everyone else, ESET has developed a special utility that allows you to get rid of the Zimuse Removal Tool worm .

    Read Next