Must Have - Zimuse Removal Tool



After a day spent identifying and studying the behavior of the Zimuse worm, BitDefender has wrapped up its analysis and released the Zimuse Removal Tool so users can thoroughly clean all Zimuse traces from their infected computers.

As stated by BitDefender, Zimuse runs stealthily inside the infected computer until its countdown ends; only then does it begin to attack, and by that point it is too late. Users can therefore use this tool to check whether their computers are already infected by Zimuse or not, and of course the sooner you know, the better.

Here is the official documentation on Zimuse worm released by BitDefender:
What are the other names for Worm.Zimuse.A?

Trojan.Startpage.G, Win32/Zimuse.A or Worm:Win32/Zumes.A!sys

What are the symptoms? How do I find out if I have Worm.Zimuse.A on my PC?

Presence of the following files:
* %system32%\drivers\mstart.sys
* %system32%\drivers\mseu.sys

A technical description of Worm.Zimuse.A:

The malware comes as an application with a WinZip icon in order to trick the user into running it. To look even more like a self-extracting archive it displays a dialog box asking for a password in order to successfully unzip the package contents.
Once executed, the application checks the command line parameters and if there is a switch '/Z' then it proceeds to delete all the files, all the registry keys and all the services it has created during a previous infection.

If no disinfection switch is given then it takes the following actions:
* it checks if it's set to run at startup, by checking the presence of a key named 'Dump' in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
* if no previous infection is found then it infects the computer.

Infection of the computer consists in:
* dropping the files
- %system32%\drivers\mstart.sys (from which it creates and runs a service named 'mstart');
- %program-files%\Dump\dump.exe
- %Temp%\Dump.ini
- %Temp%\Regini.exe
- %system32%\drivers\mstart.sys
- %system32%\drivers\mseu.sys
- %Temp%\mseu.ini (used for installation of mseu.sys service)
- %system32%\mseus.exe
- %Temp%\mseus.ini (used for installation of mseus.exe service)
- %system32%\tokset.dll
- %system32%\ainf.inf
- %Temp%\instdrv.exe (which is a clean file used to install services)
- %system_drive%\IQTest\iqtest.exe (in some versions)
- %system_drive%\IQTest\readme.txt (in some versions)

* sets dump.exe file dropped earlier to run at startup (this is the flag of infection)
* deletes the following files (which were used for services installation)
- %Temp%\Regini.exe
- %Temp%\Dump.ini
- %Temp%\mseu.ini
- %Temp%\mseus.ini
- %Temp%\instdrv.exe
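As an added check that is not part of BitDefender's documentation or tool, the following PowerShell snippet looks for the persistent indicators described above: the dropped files that are not deleted after installation, the 'Dump' value under the Run key, and the services created from the dropped drivers. The page's placeholders (%system32%, %program-files%, %system_drive%) are resolved to the standard Windows environment variables; the service names 'mseu' and 'mseus' are assumed from the file names, since only 'mstart' is named explicitly above.

```powershell
# Added Zimuse indicator check (not BitDefender's tool). Read-only: it only
# reports what it finds so the user knows whether to run the removal tool.
$sys32 = Join-Path $env:SystemRoot 'System32'

# Files the description says remain on disk after infection.
$artifacts = @(
    (Join-Path $sys32 'drivers\mstart.sys'),
    (Join-Path $sys32 'drivers\mseu.sys'),
    (Join-Path $sys32 'mseus.exe'),
    (Join-Path $sys32 'tokset.dll'),
    (Join-Path $sys32 'ainf.inf'),
    (Join-Path $env:ProgramFiles 'Dump\dump.exe'),
    (Join-Path $env:SystemDrive 'IQTest\iqtest.exe')   # only in some versions
)
$found = @($artifacts | Where-Object { Test-Path -LiteralPath $_ })

# Infection flag: a 'Dump' value (or any value pointing at dump.exe) under Run.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$runHits = @()
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -eq 'Dump' -or "$($_.Value)" -match 'dump\.exe' } |
        ForEach-Object { $runHits += "$($_.Name) = $($_.Value)" }
}

# Services created from the dropped files; 'mseu' and 'mseus' are assumed names.
$svcHits = @(Get-Service -Name 'mstart', 'mseu', 'mseus' -ErrorAction SilentlyContinue)

if ($found.Count -or $runHits.Count -or $svcHits.Count) {
    Write-Warning 'Zimuse indicators present; run the BitDefender removal tool.'
    $found   | ForEach-Object { "File:    $_" }
    $runHits | ForEach-Object { "Run:     $_" }
    $svcHits | ForEach-Object { "Service: $($_.Name) ($($_.Status))" }
} else {
    'No Zimuse indicators found.'
}
```

Reading the HKLM Run key and testing for files under System32 does not require an elevated prompt, so the check can be run before deciding whether to launch the removal tool as an administrator.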

Worm.Zimuse.A Removal Instructions:

1. Download the removal tool (.exe file - 201 KB).

2. Users running as a restricted user in Windows XP should right-click the "zimuse-removal-tool.exe" program and choose "Run as Administrator"; they will be prompted to enter credentials for an admin account.

3. Click on "Start" to begin the system scan.



4. If your computer is clean from Zimuse, just click on "Close" to end the task.



5. Otherwise, if your computer is infected by Zimuse, follow the further instructions given by the tool to clean the infection.

6. BitDefender recommends a system reboot after the disinfection is complete.

Zimuse is a very destructive e-threat, so guys, don't wait any longer: download this tool and start scanning your computer.

4 Comments:

  1. Thanks .. this tool definitely saved the day!

  2. Thanks admin, yeah it's really a must have tool.

    1. Never seen this Zimuse doing trouble before. I guess it's just a propagation by the antivirus developer.
