While analyzing W32.Zimuse recently I was surprised to find two different passwords used within the threat: one of these decrypts a Word document that contains information about some members of a Slovakian motorbike forum.
In order to spread via USB drives, W32.Zimuse copies the file zipsetup.exe to removable drives. If zipsetup.exe is run with no parameters it shows the following message box:
The zipsetup.exe dialog box
This is not a real WinZip dialog box, just a password box made to look like the WinZip message box. The user has 10 chances to enter the correct password, after which the application will close. Entering "2008_15_12" (without quotes) decrypts a Word document named zoznam.doc:
Decrypted Word document
The document is written in Slovakian. Using an online translator, the first two lines translated to:
We found on the internet:
(for the purpose of investigation and monitoring provide administrators these urls : [URL REMOVED] and [URL REMOVED], these addresses were given to law enforcement authorities)
The document then lists pictures, nicknames and, in some cases, real names and addresses of several motorbike enthusiasts along with the URL of a motorbike forum in which they participate. It is not clear why these pictures are included with the worm. At the time of this writing, the forum mentioned in the Word document already had some postings from people who have been affected by the worm and other posts from people trying to discover the true identity of the worm’s author. Unfortunately there doesn’t seem to be a definite answer yet, but we will keep you posted when more information comes to light.
Btw the second password, kukurukuR11, can be used to completely uninstall the threat: