How to Remove WIN32:Zmist

Status
Not open for further replies.

deanyoung78

I've got a nasty virus in my computer and it refuses to leave.

I've tried several antivirus programs and spyware removers, but it's still there. I've tried disabling system restore and deleting it... it just won't go.

Any ideas?
 
McAfee claims to be able to remove this virus and all variants.

Gorillas in the Mist
During VB 2000, Dave Chess and Steve White demonstrated their research results on undetectable viruses. Early this year the Russian virus writer Zombie released his "Total Zombification" magazine with a set of articles and viruses of his own. One of the articles in the magazine was titled "Undetectable Virus Technology".

Zombie has already demonstrated his polymorphic and metamorphic virus-writing skills. His viruses have been distributed for years in source format, and other virus writers have modified them to create new variants. Certainly this will be the case with Zombie's latest creation, W95.Zmist.

Many of us have not seen a virus approaching this complexity for a few years. We could easily call Zmist one of the most complex binary viruses ever written. W95.SK, One_Half, ACG and a few other virus names popped into our minds for comparison. Zmist is a little bit of everything: it is an entry-point-obscuring virus that is metamorphic. Moreover, the virus randomly uses an additional polymorphic decryptor.

The virus supports a unique new technique: code integration. The Mistfall engine contained in the virus is capable of decompiling Portable Executable files to their smallest elements, requiring 32MB of memory! Zmist will insert itself into the code: it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable. This is something that was never seen in any previous virus.

Zmist occasionally inserts jump instructions after every single instruction of the code section, each of which points to the next instruction. Amazingly, these horribly modified applications will still run as before, just as the infected executables do, from generation to generation. In fact, we have not seen a single crash during the test replications. Nobody expected this to work, not even its author, Zombie. Although it is not foolproof, it seems to be good enough for a virus. It takes some time for a human to find the virus in infected files. Because of this extreme camouflage, Zmist is easily the perfect anti-heuristics virus.

A few years ago several anti-virus researchers claimed that algorithmic detection has no future. We would like to turn that around, claiming that virus scanners will have no future if they do not support algorithmic detection at the database level. It is amazing to see how polymorphic viruses become more and more advanced over the years. Such metamorphic creations will come very close to the concept of an undetectable virus.

The computing environment did change. Modern viruses completely support this new environment. In the next couple of years we will see how complex DOS viruses would be today if the environment had not changed during the last few years.

[Editor's Note: The complete article includes a detailed technical description of W95.Zmist and will be published in the March edition of Virus Bulletin, and on the SARC web site at http://www.sarc.com/.]

By Peter Ferrie and Peter Szor
SARC, APAC & USA.
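The "jump after every instruction" trick and the closing point about algorithmic detection, as an added example that is not part of the article or of the thread: a toy Python model of the transformation on a constructed x86-32 routine. It decodes a handful of opcodes (the subset, the sample routine and the signature bytes are all assumptions made here, not Zmist or Mistfall code), appends a `jmp` to the next instruction after every instruction while regenerating the relative displacements of the existing branches, and then shows that a fixed byte signature no longer matches the mutated bytes, whereas a scan that first strips the filler jumps (the "algorithmic" step) still does.

```python
"""Toy model of inserting 'jmp next' after every instruction, with branch
displacements regenerated, and of a normalising scan that undoes it.
Constructed illustration; opcode subset and sample bytes are assumptions."""
from dataclasses import dataclass
from typing import Optional

# opcode byte -> (mnemonic, operand bytes other than a branch displacement, is rel8 branch)
OPCODES = {
    0x31: ("xor r/m32, r32", 1, False),   # one ModRM byte follows
    0x40: ("inc eax", 0, False),
    0x48: ("dec eax", 0, False),
    0x90: ("nop", 0, False),
    0xB8: ("mov eax, imm32", 4, False),
    0xC3: ("ret", 0, False),
    0x74: ("jz rel8", 0, True),
    0x75: ("jnz rel8", 0, True),
    0xEB: ("jmp rel8", 0, True),
}

@dataclass
class Insn:
    op: int
    payload: bytes = b""
    target: Optional[int] = None   # index of the target instruction (branches only)

    @property
    def size(self) -> int:
        return 1 + len(self.payload) + (1 if self.target is not None else 0)

def decode(code: bytes) -> list[Insn]:
    """Linear-sweep decode; branch targets are resolved to instruction indices."""
    insns, offsets, abs_targets, pos = [], [], [], 0
    while pos < len(code):
        op = code[pos]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {pos}")
        _, n_payload, is_branch = OPCODES[op]
        size = 1 + n_payload + (1 if is_branch else 0)
        if pos + size > len(code):
            raise ValueError(f"truncated instruction at offset {pos}")
        payload = code[pos + 1:pos + 1 + n_payload]
        if is_branch:
            disp = int.from_bytes(code[pos + 1 + n_payload:pos + size], "little", signed=True)
            abs_targets.append(pos + size + disp)
            insns.append(Insn(op, payload, target=-1))   # fixed up below
        else:
            abs_targets.append(None)
            insns.append(Insn(op, payload))
        offsets.append(pos)
        pos += size
    for insn, tgt in zip(insns, abs_targets):
        if tgt is not None:
            if tgt not in offsets:
                raise ValueError(f"branch into the middle of an instruction: {tgt:#x}")
            insn.target = offsets.index(tgt)
    return insns

def encode(insns: list[Insn]) -> bytes:
    """Lay the instructions out again and recompute every rel8 displacement."""
    offsets, pos = [], 0
    for insn in insns:
        offsets.append(pos)
        pos += insn.size
    out = bytearray()
    for i, insn in enumerate(insns):
        out.append(insn.op)
        out += insn.payload
        if insn.target is not None:
            disp = offsets[insn.target] - (offsets[i] + insn.size)
            if not -128 <= disp <= 127:   # a real engine would widen to rel32 here
                raise ValueError(f"rel8 displacement {disp} out of range at index {i}")
            out += disp.to_bytes(1, "little", signed=True)
    return bytes(out)

def insert_jumps(insns: list[Insn]) -> list[Insn]:
    """Append 'jmp next' after every instruction but the last; remap old branches."""
    remap = {i: 2 * i for i in range(len(insns))}
    out = []
    for i, insn in enumerate(insns):
        tgt = remap[insn.target] if insn.target is not None else None
        out.append(Insn(insn.op, insn.payload, tgt))
        if i < len(insns) - 1:
            out.append(Insn(0xEB, b"", target=len(out) + 1))   # jmp to the next slot
    return out

def normalize(insns: list[Insn]) -> list[Insn]:
    """Strip every 'jmp next' filler and re-link branches that pointed at one."""
    filler = [ins.op == 0xEB and ins.target == i + 1 for i, ins in enumerate(insns)]
    new_index, kept = {}, 0
    for i, f in enumerate(filler):
        if not f:
            new_index[i], kept = kept, kept + 1
    def resolve(i: int) -> int:
        while filler[i]:          # hop over fillers until real code is reached
            i += 1
        return new_index[i]
    return [Insn(ins.op, ins.payload, resolve(ins.target) if ins.target is not None else None)
            for i, ins in enumerate(insns) if not filler[i]]

def signature_scan(code: bytes, signature: bytes) -> bool:
    return signature in code

def algorithmic_scan(code: bytes, signature: bytes) -> bool:
    return signature in encode(normalize(decode(code)))

# Constructed sample (not virus code): countdown loop, then a conditional skip over a nop.
CLEAN = bytes.fromhex("B803000000" "48" "75FD" "31C0" "7401" "90" "C3")
SIGNATURE = bytes.fromhex("75FD31C07401")   # loop exit + xor + jz, as a pattern scanner might store it

def demo() -> dict:
    mutated = encode(insert_jumps(decode(CLEAN)))
    return {
        "mutated": mutated.hex(),
        "signature_hit": signature_scan(mutated, SIGNATURE),
        "algorithmic_hit": algorithmic_scan(mutated, SIGNATURE),
        "round_trip_ok": encode(normalize(decode(mutated))) == CLEAN,
    }

if __name__ == "__main__":
    print(demo())
```

The point to take from the output is that the mutated stream grows by two bytes per filler and every branch displacement changes (the backward `jnz` goes from `FD` to `FB`, the forward `jz` from `01` to `05`), so a signature over the clean bytes is gone; only a scanner that decodes and normalises before matching gets it back. Real code integration also has to fix absolute addresses, relocations and data references, which this toy omits; and a filler placed between an instruction and a branch that relies on flags is harmless here only because `jmp` does not touch EFLAGS.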
 
Very interesting, and a bit scary actually. I have a question and a comment or two.

1) How do you know it is this virus? Did some program give you this name, or where/how did you get the information that this is your virus?

2) Based on the article posted, it would seem the only way to "clean" the virus is to delete the infected files, rather than being able to clean them. So if iexplore.exe was infected, you would have to delete it and copy the file again off the XP CD. And so on.

3) If any virus scanner can see the infected files, you'll have to just write them down, and then delete the files from safe mode or even the recovery console. And then reinstall any affected programs.

Hope this gives you some ideas.
 
Got rid of it (the hard way)

Well, yes, how did I know I had the virus if it's undetectable? Actually my computer had been acting weird for a while, and both Norton and Avast said it was OK. However, when I ran spyware detectors like Ad-Aware, Avast would suddenly notify me of files with traces of Win32:Mist.

I tried deleting the infected files, but I could never seem to reach them, i.e. the files listed in the scan report could not be found.

In the end I figured the easiest thing to do was to format the computer and reinstall Windows, which worked a treat. I had been trying to get rid of the virus for ages, and this seemed like the best option.

Thanks anyway for your help.
 