
W32/Zmist

Posted: October 1, 2009

Zmist or Z0mbie.Mistfall (named for its author and its code engine, respectively) is a virus that uses sophisticated means to infect unrelated files while producing no visible symptoms of its presence. Zmist also may make additional modifications to other files that are distinct from its file-infection-based reproduction strategy. Even though Zmist's origin lies in 2002, new variants of Zmist viruses have appeared over time. As with other PC threats with limited symptoms, malware experts encourage relying on anti-malware software for detecting Zmist, isolating Zmist and, ultimately, deleting Zmist from all compromised files.

Seeing through the Obscuring Mist of a Virus

At the time of its 'birth,' some PC security professionals referred to Zmist as one of the most sophisticated viruses ever written. While threat coding techniques have advanced in the past decade, new variants of Zmist continue to be seen. Because its code is freely available, third parties may take the template provided by its author, Zombie, and make changes of their own. As a result of this third-party use, malware experts can't fully predict all potential payloads from a Zmist virus.

Zmist is notable for using multiple methods to conceal itself from conventional anti-virus solutions. These methods may include metamorphic code and decrypting polymorphism, which cause individual bodies of Zmist to vary from each other in form, but not in functionality. Zmist infects files unrelated to itself by decompiling a file, injecting its code and then rebuilding the entire executable, with the addition of all necessary relocation references. Zmist may insert itself into a single file multiple times, and takes care to avoid harming the underlying 'host' code of the program. Consequently, any Zmist-infected software may continue to run with no detectable problems (besides the trivial increase in file size).

Zmist's default payload also may include functions for modifying other files in ways unrelated to its reproduction. Zmist may insert multiple 'junk' commands that tell the modified file to make unconditional jumps after every single instruction, along with various comment lines. Somewhat surprisingly, these changes don't modify the ultimate behavior of the affected file. Malware researchers find this attack comparable to programming 'graffiti': an attack that changes the appearance of the target with unwanted aesthetic modifications, without any underlying changes to the object's functionality. Files modified in this fashion typically are not themselves infected by Zmist.
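The 'graffiti' pattern described above leaves a signal a scanner can look for: compilers do not emit an unconditional jump whose target is simply the next instruction, so a run of such jumps is worth flagging during triage. The following is an added example, not code from the original page or from any anti-virus product; it assumes an objdump-style listing ("address: bytes  mnemonic operands") and runs over a constructed sample in which three of the four jumps fall through to the next instruction.

```python
import re

# Constructed sample listing (not from a real binary): three "jmp to next
# instruction" fillers plus one genuine jump at 0x401014.
LISTING = """\
00401000: 55                    push   ebp
00401001: eb 00                 jmp    0x401003
00401003: 89 e5                 mov    ebp, esp
00401005: e9 00 00 00 00        jmp    0x40100a
0040100a: 83 ec 10              sub    esp, 0x10
0040100d: eb 00                 jmp    0x40100f
0040100f: e8 20 00 00 00        call   0x401034
00401014: eb 10                 jmp    0x401026
00401016: c9                    leave
00401017: c3                    ret
"""

# "addr: hex bytes  mnemonic operands" (assumed objdump-like layout)
LINE_RE = re.compile(r'^\s*([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{2}\s+)+)\s*(\S+)\s*(.*)$')

def parse_listing(text):
    """Return a list of (address, byte_length, mnemonic, operands) tuples."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        nbytes = len(m.group(2).split())
        insns.append((addr, nbytes, m.group(3), m.group(4).strip()))
    return insns

def find_fallthrough_jumps(insns):
    """Addresses of unconditional jmps whose target is the very next instruction."""
    hits = []
    for addr, nbytes, mnem, ops in insns:
        if mnem != 'jmp':
            continue
        target = re.match(r'0x([0-9a-fA-F]+)$', ops)
        if target is None:          # indirect or symbolic jump: cannot judge here
            continue
        if int(target.group(1), 16) == addr + nbytes:
            hits.append(addr)
    return hits

def jump_density(insns):
    """Fraction of instructions that are unconditional jmps (normal code is far below 0.3)."""
    return sum(1 for i in insns if i[2] == 'jmp') / len(insns) if insns else 0.0

def assess(text, density_threshold=0.3):
    """Flag a listing when fall-through jumps recur or jmp density is abnormal."""
    insns = parse_listing(text)
    hits = find_fallthrough_jumps(insns)
    density = jump_density(insns)
    return {'instructions': len(insns), 'fallthrough_jumps': hits,
            'jump_density': density,
            'suspicious': len(hits) >= 2 or density >= density_threshold}
```

The genuine jump at 0x401014 is left alone; only jumps that land exactly on the following instruction count as fillers.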

Clearing up the Cloudy Weather Surrounding Your Files

Appropriate anti-virus tools should be able to delete Zmist from any infected files without damaging the files themselves. Programs modified by Zmist to include jump instructions may not be threatening, but also should be cleaned during your system scans to prevent any unintended side effects when you're using them. Besides the minor file size increases and trivial increases in system resource expenditure, Zmist viruses may show limited symptoms. Because of its occasional development of variants and its well-known code-obscuring techniques, Zmist is best detected by trusted brands of security products whose threat databases have been fully updated.

Zmist is one of the most famous viruses to use code-concealing strategies, but is far from the only threat to do so. Other threats operating with similar defenses include threatening software as different as Trojan.Ferret, W32.Changeup!gen44, Worm.JS.AutoRun and Game Card Ransomware. The increasing use of sophisticated coding defenses by third parties may make no difference to the attacks most PC users suffer from threats. However, it does make it increasingly urgent that you keep all security solutions updated so that they can detect threats with ideal accuracy.
