My colleague Juraj Malcho, head of lab in Bratislava, has clarified a point: what Zimuse actually does is fill the first 50Kb of a targeted disk with zeroes (actually the 0x00 character): This does indeed overwrite the MBR, but also overwrites anything else that occupies that area of the disk. The malware came to ESET's attention because
My colleague Juraj Malcho, head of lab in Bratislava, has clarified a point: what Zimuse actually does is fill the first 50Kb of a targeted disk with zeroes (actually the 0x00 character): This does indeed overwrite the MBR, but also overwrites anything else that occupies that area of the disk.
The malware came to ESET's attention because we started receiving reports a few weeks ago from customers in Slovakia that their disks were dying. Analysis showed that it was this worm and apparently originally targeted an off-road biker club located in north/central Slovakia. Eventually, however, a broader range of people reported the same infection, and several businesses and schools also suffered damage.
In the last few days we've been noticing reports from users of our software in various other countries, so although we've already shared samples with other AV companies, we thought it was time to publicise the issue a little more widely in the hope of reducing the number of potential victims. If you use another product and are not sure whether they have protection for it yet, you might want to check with our free removal tool at http://www.eset.eu/download/ezimuse-remover.
Meanwhile, Kurt Wismer wins the pedant of the month award for pointing out that we don't usually classify worms by their payload, so the term "MBR worm" is a bit misleading.He's absolutely right (he generally is), but it was the press release that used the term, not me. :) Sorry, Kurt, that award doesn't carry… errr, an award.
Also, a tip of the hat to Sara Claridge: the awful pun in the title is hers, not mine. :) Not that my puns aren't at least as dreadful.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Also blogging at:
't actually include … errr, an award…