The so-called "U.Z.A. O/S Eliminator" worm appears to have originated in the Maldives sometime in late July or early August 2007. The worm abuses the Windows Autorun feature, which lets it spread from removable USB/thumb drives to other computers.
Signs and symptoms
If you've been infected by the UZA O/S worm, the desktop wallpaper will have been changed to a black graphic with white lettering that reads 'U.Z.A. Operating System'. In addition, the clock in the system tray will display 'UZA O/S' to the left of the time. Task Manager will be inaccessible (a common symptom of much of today's malware), and you will be unable to use the Shift override feature to bypass programs at Windows startup. Finally, every removable USB/thumb drive you have used will have what appears to be a folder labeled My_Personal_Data on the root of the drive.
Coinciding with the first reports of the worm, a removal tool was released by one of the alleged victims. Unfortunately, several other victims have reported that the tool worked initially, but that days later their systems became inoperable. Fortunately, the UZA O/S worm can be removed manually fairly easily, without the risk of running an untrusted or untested executable.
To remove the UZA O/S worm, follow the steps below. Note: These steps require editing the System Registry (REGEDIT). Editing the Registry should only be attempted by experienced users. For tips on using REGEDIT, see the Windows System Registry Tutorial.
My_Personal_Data folder
While My_Personal_Data may appear to be a folder, it's really an executable file that uses the folder icon to disguise itself. This ruse works because Windows hides file extensions by default. Hiding extensions is a bad default, but fortunately one you can fix: see How to Enable File Extension Viewing.
Also by default, removable devices such as USB and thumb drives will 'autorun' certain files when the device is plugged in. This is what allows USB worms to spread rapidly from one person's computer to another, very reminiscent of the 'sneakernet' viruses of the early 90s, which spread via infected floppy disks. It's a good idea to change this Windows default and disable the promiscuous Autorun feature. To do so, follow the tips outlined in How to Disable Windows Autorun.
Once file extension viewing has been enabled and Autorun has been disabled, delete the My_Personal_Data file from any USB/thumb drives you use. Also delete the autorun.inf file placed there by the UZA O/S worm, since it is what launches My_Personal_Data when the drive is plugged in.
Regain access to Task Manager
Blocking access to the Task Manager is a common attack method of much of today's malware, and certainly not a symptom unique to the UZA O/S Eliminator malware. The method used by the UZA worm is rather simplistic and easy to fix. To regain access, open Regedit and browse to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
Pay close attention to the key path - it should match the above exactly. Highlight "Policies" in the left pane and delete any values except (Default) from the right pane.
Kill the UOS.exe process
Now that you've regained access to Task Manager, press CTRL+ALT+DEL to open it and select the Processes tab. Click "Image Name" to sort the list alphabetically. Locate uos.exe and click it once to highlight it. Click the End Process button, click Yes, and then close Task Manager.
UZA wallpaper on desktop
The UZA O/S Eliminator worm replaces your desktop wallpaper with its own: a black image with white letters that read "U.Z.A. Operating System". To remove the wallpaper, open C:\boot.ini with Notepad or another text editor and delete the line that reads:
/bootlogo /noguiboot
Save the boot.ini file and exit the text editor.
System clock displays UZA O/S
UZA adds its name to the system clock display that appears on the far right side of the Taskbar. To reset the display back to the default, open regedit and browse to:
HKEY_CURRENT_USER\Control Panel\International
In the right pane, locate the value 'sTimeFormat' and modify that value to read exactly as follows:
h:mm:ss tt
Shift override disabled at startup
The UZA O/S malware also disables the Shift key override during Windows startup, which ordinarily lets you bypass programs that run at startup. To re-enable the Shift override feature, follow the steps outlined in How to Disable ShiftOveride.
Delete the UZA O/S files
Locate and delete all the files associated with the UZA worm (you may need to show hidden and system files in Explorer's folder options to see them). The locations and filenames are as follows:
C:\Windows\boot.bmp
C:\Windows\System32\DPP(1).dll
C:\Windows\System32\DPP(2).dll
C:\Windows\System32\DPP(3).dll
C:\Windows\System32\DPP(4).dll
C:\Windows\System32\DPP(5).dll
C:\Windows\System32\DPP(6).dll
C:\Windows\System32\DPP(7).dll
C:\Windows\System32\DPP(8).dll
C:\Windows\System32\DPP(9).dll
C:\Windows\System32\DPP(10).dll
C:\Windows\System32\uos.exe
C:\Windows\System32\VisLoader.exe
C:\Windows\System32\PWallpaper.jpg
When done cleaning the worm, reboot the system and double check all of the aforementioned changes to ensure the worm has been completely removed.
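As an added example that is not part of the original article, the read-only PowerShell audit below checks a machine for each indicator the article lists: the dropped files, the uos.exe process, non-default values under the Policies key, a tampered sTimeFormat, the '/bootlogo /noguiboot' line in boot.ini, and a My_Personal_Data file or autorun.inf on any removable drive. The paths, key names and process name are taken from the article; the function names, the "UZA" substring match on sTimeFormat, and the final NoDriveTypeAutoRun policy check (the standard Windows value that disables AutoRun, which the article does not name) are my own assumptions. It is useful both before cleanup, to confirm the infection, and after the reboot in the last step, to verify nothing came back.

```powershell
# Added example (not from the original article): read-only audit for the
# UZA O/S Eliminator indicators described above. Nothing is deleted or changed.
# Run in Windows PowerShell from an elevated prompt (Get-WmiObject is used so
# it also works on the older Windows PowerShell versions of the XP era).

$UzaFiles = @(
    'C:\Windows\boot.bmp'
    'C:\Windows\System32\uos.exe'
    'C:\Windows\System32\VisLoader.exe'
    'C:\Windows\System32\PWallpaper.jpg'
) + (1..10 | ForEach-Object { "C:\Windows\System32\DPP($_).dll" })

function New-Finding([string]$Kind, [string]$Detail) {
    [pscustomobject]@{ Indicator = $Kind; Detail = $Detail }
}

function Test-UzaFiles {
    foreach ($path in $UzaFiles) {
        if (Test-Path -LiteralPath $path) { New-Finding 'File' $path }
    }
}

function Test-UzaProcess {
    Get-Process -Name uos -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Process' "uos.exe (PID $($_.Id))" }
}

function Test-UzaRegistry {
    # Task Manager lockout: the article removes every value except (Default)
    # directly under the Policies key, so report anything else found there.
    $policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    if (Test-Path $policies) {
        (Get-ItemProperty -Path $policies).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and $_.Name -ne '(default)' } |
            ForEach-Object { New-Finding 'Registry' "$policies\$($_.Name) = $($_.Value)" }
    }
    # Clock tampering: the worm injects 'UZA O/S' into the time format string.
    # (Assumption: matching on the substring avoids flagging legitimate locale formats.)
    $intl = Get-ItemProperty -Path 'HKCU:\Control Panel\International' -ErrorAction SilentlyContinue
    if ($intl -and $intl.sTimeFormat -match 'UZA') {
        New-Finding 'Registry' "sTimeFormat = '$($intl.sTimeFormat)' (article resets it to 'h:mm:ss tt')"
    }
}

function Test-UzaBootIni {
    # Wallpaper switch: the article deletes the '/bootlogo /noguiboot' line from boot.ini.
    if (Test-Path -LiteralPath 'C:\boot.ini') {
        Get-Content -LiteralPath 'C:\boot.ini' |
            Where-Object { $_ -match '/bootlogo\s+/noguiboot' } |
            ForEach-Object { New-Finding 'boot.ini' $_.Trim() }
    }
}

function Test-UzaRemovableDrives {
    # DriveType 2 = removable. Look for the disguised My_Personal_Data file
    # (any extension, and a file, not a real folder) and the autorun.inf that
    # launches it. -Force makes hidden and system items visible.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        if (-not (Test-Path -LiteralPath $root)) { return }
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           ($_.Name -like 'My_Personal_Data*' -or $_.Name -eq 'autorun.inf') } |
            ForEach-Object { New-Finding 'Removable' "$($_.FullName) ($($_.Length) bytes)" }
    }
}

function Test-AutorunPolicy {
    # Assumption, not from the article: NoDriveTypeAutoRun is the standard policy
    # value that disables AutoRun. Bit 0x04 covers removable drives; 0xFF covers all.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $val -or -not ($val -band 0x04)) {
        New-Finding 'Policy' "NoDriveTypeAutoRun does not cover removable drives (current value: $val)"
    }
}

$findings = @(Test-UzaFiles; Test-UzaProcess; Test-UzaRegistry; Test-UzaBootIni;
              Test-UzaRemovableDrives; Test-AutorunPolicy)
if ($findings.Count -eq 0) { 'No UZA O/S indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Each check reports a finding rather than acting on it, so the output is a checklist to work through with the manual steps above; an empty result after the final reboot is the confirmation the last step asks for. The Policy line is the one item that can appear on a clean machine, since it reports a hardening gap rather than an infection.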
