I was doing some research on authentication the internet the other day. I don’t remember which website I clicked, but all of sudden, Windows Picture and Fax Viewer opened up and then followed by a command prompt window. I knew something bad had happened. I quickly closed up all the programs (I wish I remembered which site I clicked…). I was surprised that my antivirus program (Trend Micro) did not react though, and my virus definition was only two days old. So what did I just experience?
I did not want to reboot my computer at that moment, fearing something bad will happen if I did (well, I have a backup of the whole system from a couple of days ago, so in theory, I could always restore my whole system without losing much). So I decided to find out what had happened.
The first thing I noticed is that in the root directory (C:\) there were maybe fiver or six new exe files, time stamped a couple minutes ago… at that time I knew that my computer must have been affected with a virus or a worm…
Well I was trying to figure out more… all of a sudden I saw the blue screen of death, so I had no choice but to reboot. After my computer was rebooted, every thing seemed normal, except that when I logged in it told me that one or more services had failed to start. And it also seemed that a command line executable had been executed because I could see a quick flash of the command window.
So, what is this virus or worm? Since I have backups I decided to investigate a little further. I launched the msconfig utility and in the startup tab I saw the references to an exe installed in my application folder: _mzu_stonedrv2.exe and I couldn’t uncheck it. Every time I tried to disable it, it became enabled again. A few tries later, I got the blue screen of death again. So I had to reboot once again.
After the two mysterious blue screen of death, I realized that the virus must have installed some sort of low level service which was not perfectly written. So when the computer started up again, I searched the registry and found the following related items:
I quickly removed all the registry entries and all the files the virus pointed to. It was apparent that the virus tried to do something on a fixed interval because a couple of minutes later my computer died again and I had to reboot. But this time, since I removed all the virus related files, the computer booted normally but still shows me one or more services had failed to start error message.
After some digging, I realized that the virus had disabled Widows Firewall configuration (it couldn’t be launched any longer and would give an unknown error) and the warning message at the boot time was because the virus had turned off the Computer Browser service and I couldn’t start it. It seems that the virus was rather sophisticated, it first disables the firewall and the related service so that it could use a random port to communicate back with its host. And it had installed a low level driver (mzu_drv.sys) so that the virus would be loaded before the user was even logged in. Well, because I have a hardware firewall so I am pretty sure that the virus did not do much real damage.
Later I decided to re-image my hard drive from my backup just to be sure. This experience tells me just how easy it is to get a virus even with the most up-to-date Windows patch and anti-virus software…