A 'prank' worm that started as an attack targeted at an off-road Slovakian motorcycle club has escaped beyond its intended victims and started wrecking hard disks as far away as the US.
Security company ESET reports the Windows-borne 'Zimuse' as a retro oddity because it attacks a hard disk master boot record (MBR) of any attached drive its finds, a technique common in viruses from nearly 20 years ago. As with viruses of old, its spread is aided by its ability to infect the modern equivalent of floppy disks, USB sticks.
Delivering itself as a bogus IQ test program or through an infected website, Zimuse fills the first 50Kb MBR of each disk with zeroes, rendering data inaccessible. Getting this data back can be difficult and require specialised software, the company says.
There are now believed to be two versions - Zimuse.A and Zimuse.B - spreading at low levels in countries far from Slovakia, including the US, Thailand, Spain, and Italy. The difference between the two variants has to do with the time period before each starts spreading via USB and the point at which the destructive routine is activated.
The B variant is the worse of the two because it stars spreading earlier to USB drives - only seven days after infection - but waits 40 days before attacking disk boot sectors. This maximises the period of infectivity, thereby increasing its destructiveness on unprotected systems.
"Hopefully this won't spread too much further. But it's a useful reminder that while most current threats are more interested in stealing your data than trashing it, it's never a bad time to make sure your backup mechanisms are working properly," says ESET's David Harley in his blog alert.
Today, the hard disk boot sector is a rare place to encounter malware, the notable exception in recent times being the nasty Mebroot rootkit of 2008. From time to time, older malware does pop back into existence when experts least expect it, the infamous example being the 'Stoned.Angelina' MBR virus that reportedly sneaked on to 100,000 Medion laptops in 2007.
Stoned.Angelina originally dated from January 1994, a time period that might also explain Zimuse, which ESET believes bears a striking resemblance to the 'One-half' virus that came out of Slovakia in 1995.
ESET has posted a Zimuse removal tool and more detailed analysis on its website.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.