Some pranks just aren’t funny. Today, we find our case in point in a new Windows worm that has spread from Slovakia to computers around the world. According to ESET, it is widely believed that Win32/Zimuse.A and Win32/Zimuse.B started as a prank to infect the fans of a motorcycle club in the central Slovakian Liptov region. From there, however, the worm has begun targeting corporate networks. As of late last week, the majority of the infected users were in the United States, followed by Slovakia, Thailand and Spain.
The worm spreads via removable media and compromised or malicious Websites. Once on a victim’s computer, the worm overwrites the master boot record (MBR) of all available drives with its own data, blocking users from accessing data on their machines.
“To date, the worm’s two variants–Win32/Zimuse.A and Win32/Zimuse.B–differ in the method of spread and the timing of activation,” according to ESET. “While the A-variant needs 10 days to start spreading via USB devices, its B-variant needs only 7 days since infiltration. Moreover, the time needed for the execution of the destructive routine is shortened in the B-variant from the original 40 days to 20.
“The infiltration does not possess a degree of sophistication that would encrypt the data on the disk; instead it was designed to corrupt the MBR (Master Boot Record) of physical disk drives,” the security vendor stated. “It emulates the old-time threats in that it is timed to go off–in this case in 40 days since the infiltration.”
ESET has developed a tool to clean infected systems, and other vendors such as Sophos and Symantec detect it as well.
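Because the damage described above is confined to the MBR, a defender can spot it by validating sector 0 and comparing it with a hash recorded while the machine was known to be clean. The sketch below is an added example, not ESET's tool or any vendor's code; the function names, the sample partition layout and the clobbered sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here
ENTRY = "<B3xB3xII"           # status, CHS (skipped), type, CHS (skipped), LBA start, sector count


def parse_partitions(mbr):
    """Return non-empty partition entries as (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append((status, ptype, lba, count))
    return entries


def check_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means sector 0 looks intact."""
    if len(mbr) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table is empty")
    for status, ptype, lba, count in parts:
        if status not in (0x00, 0x80):
            findings.append(f"type 0x{ptype:02x}: invalid status byte 0x{status:02x}")
        if lba == 0 or count == 0:
            findings.append(f"type 0x{ptype:02x}: zero start or length")
    if baseline_sha256 and hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        findings.append("sector 0 differs from recorded baseline")
    return findings


def build_sample_mbr():
    """Constructed sample: one active partition of type 0x07 at LBA 2048."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY, mbr, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    good = build_sample_mbr()
    print(check_mbr(good, hashlib.sha256(good).hexdigest()))  # intact sample
    print(check_mbr(b"\x41" * SECTOR_SIZE))  # constructed stand-in for a clobbered sector
```

On a live system the 512 bytes would be read from the raw disk device with administrative rights, and the baseline hash stored off the machine.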