ESET has reason to believe that the trojan was originally intended to infect the computers of fans of a motorcycle club in Slovakia's central Liptov region. But the joke got out of hand when the malware infiltrated company networks and spread well beyond its intended audience.
"At the beginning of the outbreak, only users in Slovakia were affected, accounting for over 90% of all infections," ESET said. "At present, the greatest number of infected computers are in the United States, followed by Slovakia, Thailand and Spain, followed by Italy, Czech Republic and other European countries."
The malware appears to be a prank because of its unusual payload. Most malware today focuses on stealthily stealing data; when it does make its presence known, it is usually ransomware, encrypting the user's data and demanding payment before decrypting it. This malware instead concentrates on destroying user data, using a technique common in the early days of viruses: it overwrites the first 50Kb of the target machine's hard disk, including the master boot record (MBR), with its own data, which leaves the machine unable to boot.
Win32/Zimuse spreads through a self-extracting ZIP file delivered via a compromised website, or via USB drives. It has two variants, A and B. Variant B waits less time before spreading itself (seven days rather than ten) and only 20 days before overwriting the data on the target machine's drive, half the delay of variant A. It also triggers the destructive payload automatically if it detects a removal attempt, making it a tricky target for anti-malware vendors.
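As an added defensive example, not part of the article or of ESET's analysis, the Python script below shows how a responder can triage a disk image for the kind of damage described above: it checks whether sector 0 still carries a valid boot signature and partition table, and whether the first 50Kb has been replaced by a uniform fill. The two sample images, the zero-byte fill pattern and the partition layout are constructed assumptions, not data from a real infection.

```python
import struct
from collections import Counter
from random import Random

MBR_SIZE = 512
SIG_OFFSET = 510           # 0x55AA boot signature lives in the last two bytes
PART_TABLE_OFFSET = 446    # four 16-byte partition entries follow here
WIPE_BYTES = 50 * 1024     # the first 50Kb the article says Zimuse overwrites

def mbr_intact(image: bytes) -> bool:
    """True if sector 0 still ends in 0x55AA and holds at least one
    plausible partition entry (valid status, non-zero type and size)."""
    if len(image) < MBR_SIZE or image[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        return False
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = image[off], image[off + 4]
        sectors = struct.unpack_from("<I", image, off + 12)[0]
        if status in (0x00, 0x80) and ptype and sectors:
            return True
    return False

def fill_fraction(image: bytes, size: int = WIPE_BYTES) -> float:
    """Share of the first `size` bytes taken by the single most common byte
    value; close to 1.0 means the region was overwritten with a constant."""
    head = image[:size]
    if not head:
        return 0.0
    return Counter(head).most_common(1)[0][1] / len(head)

def assess(image: bytes) -> str:
    """Combine both checks into a short triage verdict."""
    if mbr_intact(image):
        return "mbr-intact"
    return "mbr-destroyed-uniform-fill" if fill_fraction(image) > 0.9 else "mbr-destroyed"

def _healthy_image() -> bytes:
    """Constructed 100Kb image: one bootable NTFS-type partition entry,
    valid signature, pseudo-random (seeded) filesystem data after the MBR."""
    rng = Random(0)
    mbr = bytearray(MBR_SIZE)
    struct.pack_into("<BBBBBBBBII", mbr, PART_TABLE_OFFSET,
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1_000_000)
    mbr[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    body = bytes(rng.getrandbits(8) for _ in range(100 * 1024 - MBR_SIZE))
    return bytes(mbr) + body

HEALTHY = _healthy_image()
# Assumed wipe pattern: the first 50Kb clobbered with zeros (constructed).
WIPED = b"\x00" * WIPE_BYTES + HEALTHY[WIPE_BYTES:]
```

Run against a real image by replacing the constructed samples with the first 100Kb read from the device or image file.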