Undetected Autorun/Injector Variant on the Loose

A new variant of an Autorun worm is on the loose, probably created by another childish and angry ex-lover. The little multithreaded beast injects into Windows Explorer and attempts to communicate with one of several IRC servers at June.IRCdevils.net, June.helldark.biz, and June.a7aneek.net with a “VirUS/Virus” user/pass and a “VirUS-randstring” nick.

We noticed it this morning on multiple machines, and it seems to be spreading. The worm injects itself into the Windows Explorer shell, and from there attempts to update multiple locations in the registry and removable drives like USB sticks with SETUPDATAJune.exe.
It includes a nasty message in the accompanying autorun.inf file with a long annoying string.

It was packed with Armadillo, which potentially made it difficult for the AV vendors to detect — none detected it this morning, and this afternoon seems to bring only one or two vendors declaring it “suspicious” since we uploaded it to VirusTotal for sharing. Be sure to add true client-side behavioral protection to your system, and as always, use caution when sharing USB sticks with others.
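The network indicators named above (the three IRC hostnames, the “VirUS-randstring” nick and the “VirUS/Virus” user/pass) can be matched against DNS and cleartext IRC logs while AV signatures catch up. The following is an added example, not code from the original post; the RFC 1459 registration-line format (PASS/NICK/USER), the case-insensitive matching, and the sample hosts and log lines are assumptions constructed for illustration.

```python
import re

# Indicators taken from the post: three IRC hostnames, a "VirUS-<random>" nick,
# and "VirUS"/"Virus" as user/pass. Matching is case-insensitive (assumption).
C2_HOSTS = {"june.ircdevils.net", "june.helldark.biz", "june.a7aneek.net"}
NICK_RE = re.compile(r"^NICK\s+:?VirUS-\S+\s*$", re.IGNORECASE)
USER_RE = re.compile(r"^USER\s+virus(?:\s|$)", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s+:?virus\s*$", re.IGNORECASE)


def score_host(dns_names, irc_lines):
    """Return the sorted list of indicator names seen for one host."""
    hits = set()
    for name in dns_names:
        # DNS names are case-insensitive and may carry a trailing dot.
        norm = name.strip().rstrip(".").lower()
        if norm in C2_HOSTS:
            hits.add("dns:" + norm)
    for line in irc_lines:
        line = line.strip()
        if NICK_RE.match(line):
            hits.add("irc:nick")
        elif USER_RE.match(line):
            hits.add("irc:user")
        elif PASS_RE.match(line):
            hits.add("irc:pass")
    return sorted(hits)


def triage(observations):
    """Map host -> indicators, keeping only hosts with at least one hit."""
    report = {}
    for host, (dns_names, irc_lines) in observations.items():
        hits = score_host(dns_names, irc_lines)
        if hits:
            report[host] = hits
    return report


# Constructed sample data (not captured traffic): per-host DNS lookups and
# cleartext IRC registration lines in RFC 1459 form.
SAMPLE = {
    "10.0.0.21": (["June.IRCdevils.net."],
                  ["PASS Virus", "NICK VirUS-kqzwp", "USER VirUS 0 * :VirUS"]),
    "10.0.0.22": (["irc.example.org"], ["NICK alice", "USER alice 0 * :Alice"]),
    "10.0.0.23": (["june.helldark.biz"], []),
}

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host, hits)
```

A host that shows a DNS hit together with the nick, user and pass lines is the strongest match; a DNS hit alone still warrants a look at the machine's removable-drive and registry activity.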

We are seeing it running on systems alongside FakeAV installers, including “System Security”, where we see the fake scare tactics blaring “WARNING! 38 infections found!!!”. The two may be related; we are investigating.

System Security, of course, continues to nag the user with “System Security Firewall has blocked a program from accessing the internet” and pops its nag system tray balloon with “System Security Warning Your PC is still infected with dangerous viruses”.
