http://www.virustotal.com/ru/analisis/6755cd31cde224d26c299b03eba27f28

Creates autorun.inf and ******.exe file on all avaliable disks, that run when you open it in explorer, so that is 100% virus.
Results in virustotal shows that Avast don’t see it.

I have already sent email to virus@avast.com, so will wait for updating virus database in avast.

Halio uniquename,

Thanks for the heads-up on this one, and sending it to avast, so they can update their signatures for it in a coming update.
I guess that Flash Disinfector will enable protection against this malware:

1. Flash Drive Disinfector
   Download Flash_Disinfector.exe by sUBs from >here< (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) and save it to your desktop.

   • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
   • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
   • Wait until it has finished scanning and then exit the program.
   • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder…it will help protect your drives from future infection(s),
Description of the worm at hand: http://www.symantec.com/security_response/writeup.jsp?docid=2008-102011-5014-99&tabid=2

pozdrawiam,

polonus

To clean usb drive I can use usual Far Manager and delete that files without running exe or autorun.inf.
I don’t like spare hidden autorun on USB, even if they are safe. it’s much safer to keep root folder of flash dives clean, cause they could be easily patched with new viruses and you won’t notice it cause will think that these autourun are trusted.

The infected computer with this virus is not mine ;D, I just brought it at home to test my Avast.
I found it on network containing more than 100 computers, protected with DrWeber, so admin will have some headache on Monday. Such viruses are very hard to treat.

Hi uniquename,

From your comment I expected that you very well know how to protect yourself, and are a user of safehex practices, but for all those that aren’t that “sprytni” it is important that normal av solution like avast alerts at finding it. Tell me how had it circumvented DrWeb (the update policy of this must have been “hopeless”, because the virus you report is flagged by the recent version of this St.Petersburg av-solution according to the virustotal finds).

polonus

Tell me how had it circumvented DrWeb (the update policy of this must have been "hopeless", because the virus you report is flagged by the recent version of this St.Petersburg av-solution according to the virustotal finds).

Not so hopeless, I found it on 24 March with DrWeb was updated on 23 March and it was invisible on that date by him. That's just new.

P.S. Updated AV bases - still invisible for Avast

One more invisible and invicible virus, Avast not armed against.

http://www.virustotal.com/ru/analisis/9a034ffa3b0166428feb077523e62201

In the same network. This time DrWeb with actual bases doesn’t see it, but Cure it utility (also DrWeb) does.
Now will write to virus@avast.com.

Hi uniquename,

I done some investigation on this versatile malware, and found these alterations to the registry, that play a part there: found this online:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\KIMS\DSR]
“InstallDir”=“C:\Documents and Settings\Hell*******\K^MS”
“Version”=“v2.0dev”
“DoneOption”=“Notify”

---

ustedes van a tener que editar las \ de la ruta (momentaneamente
la proxima version funcionara diferente) y les quedaria asi:

---

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\KIMS\DSR]
“InstallDir”=“C:\Documents and Settings\Hell\********\KMS”
“Version”=“v2.0dev”
“DoneOption”=“Notify”

They use the antivirus modification tool that makes sure the virus goes under the radar of: A-squared, Avast, AVG, Avira, Bitdefender, ClamWin, DrWeb, ETrust, F-Prot, Ikarus, KAV, McAfee, Nod32v2, Norman, Panda, PC-Cilin, QuickHeal, Solo, Sophos, VBA 32, VirusBuster, they check it against three heuristic signatures, a specific, a base one, and in between a medium one, and then they can change the virus so that it is not longer detected by mentioned av-products. The scanner does not alert, the users is not alerted and thinks he is protected, all parties are happy, new dangerous developments, read what this Prevx spokesman has to say about this development: http://www.prevx.com/blog/117/March---bad-month-in-the-office-for-PC-security-vendors-and-users.html

polonus

That Flash Drive Disinfector link isnt working. And that the exact problem i’m having right now!

Yeah, it stopped working a few days ago. Luckily, there are other places to obtain it (google is your friend).

Try here:
http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

Thank You so much for the link. Hopefully it solves my problem

That program just froze up my system for 2hours and nothing was done. Does anyone know what else I can do?

I’m sorry that happened. I haven’t used the program yet, so I can’t really help with it. I just know of if because it’s been mentioned many times around here.

Maybe someone else can jump in and help you out further.

I’ve jus plugged in my ipod and my avast isnt getting any virus on it anymore. So apparently the program did work, it just left a folder on my ipod and froze up my system. Thanks for this though.

The program creates a folder to prevent future infection, see this general information on how to run and what it does below.

1. Flash Drive Disinfector
   Information and Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
   [*] Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.[*] The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.[*] Wait until it has finished scanning and then exit the program.[*] Reboot your computer when done.
   Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder…it will help protect your drives from future infection.