Worm:Win32/Zumes.A!sys is a detection of a device driver component of the worm Win32/Zumes. The worm uses this component to let its other components communicate with each other and to delete the folder named "\System Volume Information".
Win32/Zumes.A is a worm that spreads to removable drives and also uses a timer to trigger a destructive payload that overwrites the master boot record (MBR) of attached and removable drives.
Installation
Worm:Win32/Zumes.A!sys is installed by a worm dropper, detected as Worm:Win32/Zumes.B, that infects the local computer when a user accesses an infected removable drive with autoplay enabled. This worm component may be present as the following:
%SystemRoot%\system32\drivers\mseu.sys
%SystemRoot%\system32\drivers\mstart.sys
Other components may be present as the following:
%SystemRoot%\system32\ainf.inf - Worm:Win32/Zumes.A!inf
The registry is modified to execute Worm:Win32/Zumes.A!sys.
Adds value: "EventMessageFile"
With data: "%systemroot%\system32\drivers\mstart.sys;<current folder>\mstart.sys"
To subkey: HKLM\System\CurrentControlSet\Services\EventLog\System\MSTART
Worm:Win32/Zumes.B creates system services for the following dropped files:
%SystemRoot%\system32\drivers\mstart.sys - service name "MSTART"
%SystemRoot%\system32\mseus.exe - service name "UnzipService"
The device driver creates shared memory in the Windows kernel, which the user-mode components of Worm:Win32/Zumes use to communicate with each other.
Payload
Deletes critical folder
Worm:Win32/Zumes.A!sys deletes the folder named "\System Volume Information" in the root of the first eight partitions (drives C: through J:). This folder may contain System Restore point data, indexing data, and so on. Deleting it could prevent the computer from being restored to any state prior to infection by the worm.
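The indicators listed under Installation and Payload, collected into a host-triage script as an added example (not code from the encyclopedia entry). It assumes an elevated PowerShell session, and it treats a missing "System Volume Information" folder only as a hint, since that folder is not present on every volume.

```powershell
# Added triage script (not from the encyclopedia entry). Checks for the Zumes
# indicators named on this page; run in an elevated PowerShell session.
$findings = @()

# 1. Dropped files listed under Installation
$files = @(
    "$env:SystemRoot\system32\drivers\mseu.sys",
    "$env:SystemRoot\system32\drivers\mstart.sys",
    "$env:SystemRoot\system32\ainf.inf",
    "$env:SystemRoot\system32\mseus.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Services the dropper (Worm:Win32/Zumes.B) creates for the dropped files
foreach ($name in 'MSTART', 'UnzipService') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { $findings += "Service present: $name (status $($svc.Status))" }
}

# 3. EventLog subkey whose EventMessageFile value loads mstart.sys. Many
#    legitimate drivers also register an EventMessageFile, so only the
#    MSTART source named on this page is checked, not every .sys reference.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System\MSTART'
if (Test-Path -LiteralPath $key) {
    $emf = (Get-ItemProperty -LiteralPath $key).EventMessageFile
    $findings += "Registry subkey present: $key (EventMessageFile = '$emf')"
}

# 4. Payload trace: the driver deletes "\System Volume Information" on the
#    first eight partitions (C: to J:). The folder normally exists only on
#    NTFS volumes with System Restore or indexing enabled, so its absence is
#    a hint to investigate, not proof of infection (assumption: heuristic).
foreach ($code in 67..74) {                       # ASCII codes for C..J
    $root = "$([char]$code):\"
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $svi = Join-Path -Path $root -ChildPath 'System Volume Information'
    if (-not (Test-Path -LiteralPath $svi)) { $findings += "Folder missing: $svi" }
}

if ($findings.Count -eq 0) { 'No Worm:Win32/Zumes indicators found.' }
else { $findings }
```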
Additional Information
Worm:Win32/Zumes is a worm that attempts to spread to other drives and overwrite the master boot record region of drives. For more information about Worm:Win32/Zumes.A, see the description elsewhere in the encyclopedia.
Analysis by Shawn Wang