New Malware

Comments

  • It's a VB worm. Signed it; thanks for the sample.

    To remove it:

    - From Task Manager (or better yet, Process Explorer), kill the process System.exe. ATTN: do NOT kill the System process, but System.exe.

    - Delete (or scan with BD after an update and instruct it to delete detected files):

      c:\windows\config\system.exe
      c:\windows\config\svchost.exe (NOT the one in system32!)
      c:\config\system.exe

    - On ALL drives (i.e. C:, D:, etc.):

      [drive]:\recycled\info.exe

    - If the file autorun.inf in the root of the drives contains the string info.exe, also delete it.

    - Note that the files may be hidden; the best option would probably be to update your BD and allow it to delete all infected files detected as Win32.Worm.VB.NPM.
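As an added example (not part of the comment above, and not a BD tool), a report-only PowerShell check that looks for the artifacts the poster lists: the dropped files, the per-drive recycled\info.exe, an autorun.inf referencing info.exe, and a running System.exe distinguished from the kernel System process by its image path. It assumes the Windows directory is %SystemRoot% (the post says c:\windows) and only reports; removal is left to the steps above.

```powershell
# Added example, not the poster's code. Report-only: lists the artifacts described in
# the comment if present, so they can be removed with the steps above or by the AV.
# Assumption: the Windows directory is %SystemRoot% (the post uses c:\windows).
$windir = $env:SystemRoot
$fixedPaths = @(
    (Join-Path $windir 'config\system.exe'),
    (Join-Path $windir 'config\svchost.exe'),   # NOT %SystemRoot%\system32\svchost.exe
    'C:\config\system.exe'
)

$findings = @()

# Fixed drop locations. Test-Path sees hidden files, so no -Force is needed here.
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Kind = 'DroppedFile'; Path = $p }
    }
}

# Per-drive artifacts on every fixed/removable drive letter: <drive>:\recycled\info.exe
# and an autorun.inf in the drive root that mentions info.exe.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $drives) {
    $info = Join-Path $d.Root 'recycled\info.exe'
    if (Test-Path -LiteralPath $info) {
        $findings += [pscustomobject]@{ Kind = 'DroppedFile'; Path = $info }
    }
    $autorun = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        # -Force reads the file even if it carries the hidden attribute.
        $text = Get-Content -LiteralPath $autorun -Raw -Force -ErrorAction SilentlyContinue
        if ($text -and $text -match 'info\.exe') {
            $findings += [pscustomobject]@{ Kind = 'Autorun'; Path = $autorun }
        }
    }
}

# The post warns not to kill the System process. PowerShell reports System.exe under the
# name "System" too, so match on the image path: the kernel System process has none.
$procs = Get-Process -Name 'System' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -like '*\config\system.exe') }
foreach ($pr in $procs) {
    $findings += [pscustomobject]@{ Kind = 'Process'; Path = "$($pr.Path) (PID $($pr.Id))" }
}

if ($findings.Count -eq 0) { 'No artifacts from the post were found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so process image paths and hidden directories are readable.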