"COLD" Folder and "auTORUN.inf" on usb drive root

Hi all,

Has anyone encountered this problem?

Yesterday I noticed a folder on the root of my USB drive named “Cold”.
In it there is another folder called “hott”, which contains two files:

Directory of H:\cold\hott

11/23/2009 12:09 AM 63 Desktop.ini
11/15/2009 11:54 AM 102,441 ñ§ýÿ,¬—ý_ý
2 File(s) 102,504 bytes

This is the contents of auTORUN.inf

autorun]
[autorun[
[autorun]
open=cold\hott\▒Ñ╢║▓á╕Ñ╝∙▓»▓
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Openáfolderátoáview files
UseAuTOPLAY=1
shell\open\command=cold\hott\▒Ñ╢║▓á╕Ñ╝∙▓»▓
shell\Explore\Command=cold\hott\▒Ñ╢║▓á╕Ñ╝∙▓»▓

If I delete the folder or the autorun file, they are immediately
written back to the drive. Avast could not detect anything wrong
even with updated files. Does anyone know what is going on?

By the way, is it possible to submit the worm to Avast for examination?
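A defender-side triage check for an autorun.inf like the one quoted above, added here as an example and not part of this thread: it parses the file tolerantly (the junk lines before the real [autorun] header break strict INI parsers) and reports the traits this sample shows. The file body in the code is constructed from the post; the exact target name and the non-breaking spaces in the action text are assumptions about the original bytes.

```python
import re

# autorun.inf keys whose value is something Windows will launch.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command",
             "shell\\explore\\command", "shell\\autoplay\\command"}

# Constructed sample modelled on the autorun.inf quoted in the post above;
# the target name and the non-breaking spaces in "action" are assumptions.
TARGET = "cold\\hott\\\u00a5\u00b6\u00be\u00b3\u00bf\u00b8"
SAMPLE_AUTORUN = (
    "autorun]\n[autorun[\n[autorun]\n"
    f"open={TARGET}\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "action=Open\u00a0folder\u00a0to\u00a0view files\n"
    "UseAuTOPLAY=1\n"
    f"shell\\open\\command={TARGET}\n"
    f"shell\\Explore\\Command={TARGET}\n"
)

def parse_autorun(text):
    """Line-based parser that survives junk before the real [autorun] header."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"\[autorun\]", line, re.IGNORECASE):
            in_section = True
            continue
        if not in_section or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()  # keys are case-insensitive
    return entries

def assess_autorun(text):
    """Return a list of human-readable findings for an autorun.inf body."""
    entries = parse_autorun(text)
    findings = []
    for key in sorted(set(entries) & EXEC_KEYS):
        target = entries[key]
        if any(ord(ch) > 127 for ch in target):
            findings.append(f"{key}: launch target has a non-ASCII name {target!r}")
        if "\\" in target:
            findings.append(f"{key}: launch target sits in a subfolder ({target})")
    # \s also matches non-breaking spaces, which the quoted file uses to pad the text.
    action = re.sub(r"\s+", " ", entries.get("action", "")).lower()
    if "open folder to view files" in action or "shell32.dll" in entries.get("icon", "").lower():
        findings.append("action/icon imitate the standard 'Open folder to view files' entry")
    if entries.get("useautoplay") == "1":
        findings.append("useautoplay=1 is set")
    return findings

if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print("-", finding)
```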

Hi Iksiks,

Please zip your infected file, give it a password, and then send it to: virus@avast.com

Try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.)

Try a scan with DrWeb CureIT!

Try the usual free adware/spyware scanners.

Spybot Search & Destroy
SUPERAntiSpyware Free
a-Squared Free
Malwarebytes’ Anti-Malware

Thanks, people. I have submitted the worm to Avast and used a-Squared to identify it; it turns out to be Virus.Win32.VB!IK ;D

Regards

Try:
Start/Run/Regedit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Delete the Raidhost.exe

Browse to C:\Windows\Raidhost.exe and rename it to Raidhost.old (it may be necessary to do this from safe mode). Reboot the computer and you should be done. I would recommend formatting the infected thumb drive before you do the above steps, and pull it out before it has time to recreate the cold/Hott folder.

I have developed an antivirus tool at my lab to remove this idiot virus program. Please remove it as soon as possible, because it steals and sends your details to a server located in the US and downloads other trojans from that server. Use the following link to see more details on the virus and download the free removal tool for it.
Link: http://it.web44.net/VirusDetails/raidhost.exe_Recover_Report.html

More details from our labs.
raidhost.exe (CRC32: D8AB4DA6) is a backdoor virus. It supports creating a botnet. raidhost.exe is the parent virus. When it is executed, it downloads other viruses from its master servers. In Imago labs we detected the servers as 64.131.83.170 on port 80 and 216.17.104.155 on port 51987. It downloads a malicious file dl.exe from the above servers and executes it. Then dl.exe downloads another malicious file, update.exe.

“Raidhost” uses autorun.inf to propagate itself. It creates a system folder called cold. Inside the cold directory it creates a system folder hott, which appears as a recycle bin. Then it copies its clones (¥¶¾³¿¸¤£ù²¯².exe and ¥¶¾³¿¸¤£ù²¯²) into the hott directory.

raidhost.exe resides in %system drive%\Windows. dl.exe and update.exe reside on the root of the system drive.

Thank you,
Imago Labs(Sri Lanka)

Forgot to mention that C:\windows\Raidhost.exe is a system file. To see it you will have to double-click My Computer, then go to Tools/Folder Options/View and uncheck "Hide protected operating system files".

Good Luck