

212 Kb




The presence of an autorun.inf file on removable drives that contains:

open=System\Security\DriveGuard.exe -run
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore\Command=System\Security\DriveGuard.exe -run

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lita Catalin, virus researcher

Technical Description:

This worm tries to impersonate a friendly application, one that wants to protect your removable drives from other pieces of malware.

The malicious file copies itself to %programfiles%\FlashGuard\FlashGuard.exe

It also includes a readme file that reads:
"This tiny software is used to protect removable storage devices from
worms that are spread from one PC to another. "

It creates the following registry keys:
    with the value "%windrive%\FlashGuard\FlashGuard.exe" -run

    with the value "%windrive%\FlashGuard\FlashGuard.exe" -run

It copies the readme file to %windrive%\FlashGuard\ReadMe.txt

It checks if any of the following processes are running,
and if it is not one of:
    \Program Files\Internet Explorer\iexplore.exe,
the process is terminated and the file is renamed with a ".bak" extension.

The worm removes all files from C:\heap41a that are related to other malicious programs.

It enables Task Manager if it is disabled.

It infects any removable drive by writing autorun.inf and a copy of itself
to %drv%\System\Security\DriveGuard.exe with the hidden attribute.


It downloads executable files from http://[removed]/lndexnew.jpg
and http://[removed]/lndexnew.txt
and copies them to the temporary directory with a random name.
The registry key HKLM\software\microsoft\windows\currentversion\RunOnce\temp_cleanup
is created with the value "%temp_path%\[random].exe".
All downloaded files are backdoors.
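
The autorun.inf symptom listed above can be checked on a mounted drive with a small parser. This is an added example, not Bitdefender's code: it reads an autorun.inf body and reports launch entries that point at the dropped file System\Security\DriveGuard.exe. The function names and the sample text are constructed for illustration.

```python
import re

# Indicator from the description above: the copy the worm writes on
# removable drives and references from autorun.inf.
DROPPED_PATH = r"System\Security\DriveGuard.exe"

# autorun.inf keys that start a program when the drive is opened or explored.
# Key names are case-insensitive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def normalize(value):
    """Lower-case a command value, unify slashes, drop quotes and leading '.\\' or '\\'."""
    p = value.strip().strip('"').replace("/", "\\").lower()
    return re.sub(r"^(\.?\\)+", "", p)


def find_worm_entries(autorun_text):
    """Return (key, value) pairs whose command launches the dropped file.

    Section headers are not required, because the description lists only
    the key lines and malformed files are common on infected drives.
    """
    hits = []
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank line, comment or section header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if LAUNCH_KEY.match(key) and normalize(value).startswith(DROPPED_PATH.lower()):
            hits.append((key, value.strip()))
    return hits


# Constructed sample: the three entries from the description plus a benign key.
SAMPLE_AUTORUN = r"""[autorun]
icon=drive.ico
open=System\Security\DriveGuard.exe -run
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore\Command=System\Security\DriveGuard.exe -run
"""

if __name__ == "__main__":
    for key, value in find_worm_entries(SAMPLE_AUTORUN):
        print(f"suspicious autorun entry: {key} -> {value}")
```

To check a real drive, pass the decoded contents of its autorun.inf to `find_worm_entries`; the hidden attribute on the dropped file means a plain directory listing may not show it.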