Aliases: Net-Worm.Win32.Zusha.h, W32.Aizu.G, W32/Zusha.B, W32/Zusha.E.worm, Win32/Zusha.H
Variants: WORM_ZUSHA.D, Trojan-Downloader.Win32.Small.aizu, Generic.dx!ffd

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Europe, Asia
Removal: Easy
Platform: W32
Discovered: 09 Dec 2005
Damage: Medium

Characteristics: Targeting TCP port 445, the W32.Aizu.G malware attempts to trigger a remote buffer overflow. The worm uses the resulting error state to bring down Windows Firewall protection. Once the firewall has been disabled, it proceeds by attempting to download a file from a predetermined location.

More details about W32.Aizu.G

The W32.Aizu.G program initially places the file aux32.exe in the System folder of the Windows directory and creates a corresponding Windows Registry key for it under a certain registry key folder. The key auxAudioDevice is registered in the Windows Registry as a service associated with an audio device and points to the location of the aux32.exe file. This is done to give the W32.Aizu.G program an air of legitimacy. The Windows Registry is further modified to reconfigure the settings of the Windows Firewall service and to authorize the worm's executable to communicate through the firewall. The W32.Aizu.G program may also take advantage of unprotected network shares to deliver its payload across the network environment. It has been established that the W32.Aizu.G program exploits the Microsoft Windows Local Security Authority Service and the Microsoft RPCSS DCERPC DCOM Object Activation Packet.

The malware reportedly causes a buffer overflow in the former and heap corruption in the latter of the Windows services mentioned above. The W32.Aizu.G application then continues by downloading and executing files from remote locations using its own FTP service. The malware saves a file named zu.exe in the root directory of the main hard drive of the infected machine. Because of the number of changes this malware makes, it should be removed with a reliable antivirus application that has an up-to-date virus database and detection engine and that can also undo the Windows Registry modifications made by the worm.
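A host triage script, added here as an example and not part of the original write-up, that checks a Windows machine for the artifacts described above (the aux32.exe drop, the auxAudioDevice service key, the firewall policy changes, and zu.exe on the root of the system drive). It assumes the service key sits under the standard Services hive, that the "System folder" is System32 (System is checked as well), and that the firewall settings are the XP-era FirewallPolicy registry keys; run it from an elevated PowerShell session.

```powershell
# Triage for the W32.Aizu.G artifacts described on this page.
# Assumptions (not stated on the page): service key under the standard
# Services hive, "System folder" = System32 (System also checked), and
# XP-era FirewallPolicy keys for the Windows Firewall settings.
$findings = @()

# 1. Dropped executable in the Windows system folder(s)
foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\System")) {
    $p = Join-Path $dir 'aux32.exe'
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. Fake audio-device service that points at aux32.exe
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\auxAudioDevice'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svcKey (ImagePath: $img)"
}

# 3. Firewall policy tampering: profile switched off, or aux32.exe authorized
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in @('StandardProfile', 'DomainProfile')) {
    $prof = Join-Path $fwBase $profile
    if (-not (Test-Path $prof)) { continue }
    $enabled = (Get-ItemProperty -Path $prof -ErrorAction SilentlyContinue).EnableFirewall
    if ($enabled -eq 0) { $findings += "Windows Firewall disabled in $profile" }
    $list = Join-Path $prof 'AuthorizedApplications\List'
    if (Test-Path $list) {
        # Each value name in this key is the full path of an authorized program
        $props = Get-ItemProperty -Path $list
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -match 'aux32\.exe') {
                $findings += "Firewall exception for $name in $profile"
            }
        }
    }
}

# 4. Secondary payload written to the root of the system drive
$zu = Join-Path $env:SystemDrive 'zu.exe'
if (Test-Path -LiteralPath $zu) { $findings += "Payload present: $zu" }

if ($findings.Count -eq 0) { 'No W32.Aizu.G artifacts found.' } else { $findings }
```

A hit on any item is a reason to isolate the host and run a full scan with an updated engine, since the script reports artifacts and does not remove them.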