Symptoms

Removal instructions:

Analyzed By

Technical Description:

This worm may come inside a NSIS (Nullsoft Installer) file. When this file gets executed, it will first check the existence of the following registry key:

HKEY_LOCAL_MACHINE\Software\QucikWatch, and then it will drop and execute a file named QuickWatch.exe inside temp folder. This file will first create an autorun.inf file in the root of every accessible drive. The autorun.inf file contains several lines of randomly generated garbage ASCII characters, in order to make detection more difficult. Two text lines betray, however, its purpose:

Shellexecute="RECYLCER\Random-name.com drive-letter:\"

shell\Open\command="RECYCLER\Random-name.com drive-letter:\"

The random name will be of the form: S-3-0-68-100021457-100021691-100001035-4746.com, where each number seems to be randomly generated. Any time the infected drive is accesed, the worm gets executed as well, and it will attempt to replicate to other drives, including USB or network drives. It will also launch into execution msiexec.exe, make a copy of x:\windows\system32\msi.dll in %temp% folder, patch it by replacing a short sequence of instructions, and, if ran manually, it will delete its own file.