Latest Threats
U.Z.A. O/S Eliminator Worm
Written by lifang   
February 20, 2008 13:38

The so-called "U.Z.A. O/S Eliminator" worm appears to have originated in the Maldives sometime in late July or early August 2007. The worm exploits the autorun feature, enabling it to spread from removable USB/thumb drives to other computers.

Signs and symptoms
If you've been impacted by the UZA O/S worm, the desktop wallpaper will have been changed to a black graphic with white lettering that reads 'U.Z.A. Operating System'. In addition, the clock in the system tray will display 'UZA O/S' to the left of the time. Task Manager will be inaccessible (a common symptom of much of today's malware) and you will be unable to use the shift override feature to bypass programs at Windows startup. Finally, all removable USB/thumb drives will have what appears to be a folder labeled My_Personal_Data on the root of the drive.

Coinciding with the first reports of the worm, a removal tool was released by one of the alleged victims.

Unfortunately, several other victims have reported that the tool worked initially, but days later their systems became inoperable. Fortunately, the UZA O/S worm can be manually removed rather easily, without the risk of running an untrusted or untested executable.

To remove the UZA O/S worm, follow the steps below. Note: These steps require editing the System Registry (REGEDIT). Editing the Registry should only be attempted by experienced users. For tips on using REGEDIT.

My_Personal_Data folder
While My_Personal_Data may appear to be a folder, it's really an executable file that is simply using the folder icon to disguise itself. This ruse is made possible because Windows disables file extension viewing by default.

Also by default, removable devices such as USB and thumb drives will 'autorun' certain files when the device is plugged in. This is what allows USB worms to spread rapidly from one person's computer to another, very reminiscent of the 'sneakernet' viruses of the early 90s, which spread via infected floppy disks. It's a good idea to change this Windows default and disable the promiscuous autorun feature.

Once file extension viewing has been enabled and Autorun has been disabled, delete the My_Personal_Data file from any USB/thumb drives you use. Also delete the autorun.inf file placed there by the UZA O/S worm.
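
The following is an added example, not part of the original article: a Python check of a removable drive's root for the two artifacts described above, namely an executable that would display as a folder-like name when extensions are hidden, and an autorun.inf that launches it. The `.exe` extension, the sample file contents, and all function names are assumptions made for illustration; the article does not state the file's real extension.

```python
import tempfile
from pathlib import Path

# Extensions Explorer hides by default but Windows runs directly.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def masquerading_files(root):
    """Map the name Explorer shows (extension hidden) to the real file name."""
    return {p.stem: p.name for p in Path(root).iterdir()
            if p.is_file() and p.suffix.lower() in EXEC_EXTS}

def autorun_targets(root):
    """Return (key, command) pairs that autorun.inf in this root would launch."""
    inf = next((p for p in Path(root).iterdir()
                if p.is_file() and p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    targets, in_section = [], False
    for raw in inf.read_text(encoding="latin-1").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            key = key.strip().lower()
            # open, shellexecute and shell\<verb>\command all name a program
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                targets.append((key, value.strip()))
    return targets

def scan_root(root):
    """Summarize what to review: executables, autorun entries, and overlaps."""
    exes, targets = masquerading_files(root), autorun_targets(root)
    launched = sorted(real for real in exes.values()
                      if any(real.lower() in cmd.lower() for _, cmd in targets))
    return {"masquerading": exes, "autorun": targets, "launched": launched}

def build_sample(root):
    """Constructed sample drive root; the .exe extension is an assumption."""
    root = Path(root)
    (root / "My_Personal_Data.exe").write_bytes(b"MZ")  # harmless stub file
    (root / "Photos").mkdir()                            # a genuine folder
    (root / "notes.txt").write_text("hello")
    (root / "autorun.inf").write_text(
        "[AutoRun]\nopen=My_Personal_Data.exe\nicon=folder.ico\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(scan_root(d))
```

Files listed under `launched` are executables in the drive root that autorun.inf starts on insertion; genuine folders such as `Photos` never appear in the result.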

Regain access to Task Manager
Blocking access to the Task Manager is a common attack method of much of today's malware, and certainly not a symptom unique to the UZA O/S Eliminator malware. The method used by the UZA worm is rather simplistic and easy to fix. To regain access, open Regedit and browse to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Pay close attention to the key path - it should match the above exactly. Highlight "Policies" in the left pane and delete any values except default from the right pane.

Kill the UOS.exe process
Now that you've regained access to Task Manager, press CTRL+ALT+DEL to open Task Manager and select the Process Tab. Click "Image Name" to sort the list alphabetically. Locate uos.exe and click on it once to highlight it. Click the End Process button, click Yes, and then close Task Manager.

UZA wallpaper on desktop
The UZA O/S Eliminator wallpaper replaces your desktop wallpaper with its own. The UZA wallpaper is black with white letters that read "U.Z.A. Operating System".