evolved virus?

Last week sometime at my job, we started getting reports that an a.exe file was causing errors in the FAT-16 subsystem. Upon further inspection, we found that this was a virus or malware, and one not very well documented either. In fact, we can’t find anything about it in the past year, only 2009 and earlier. It uses the autorun capability of Windows to install itself on a system at least, and also seems to jump through shares similar to how a worm works. It completely destroys the DHCP, TCP/IP, embeds itself in the prefetch files, temp folder files, tasks, COM+ subscriptions, hidden and protected system files/folders, and many other things including Google Update registry entries, and possibly Broadcom controller registry entries. An installer for it can be found in the system32 folder.

We have developed a fix that so far has yielded a 25% success rate, but it keeps coming back on most of the other machines, meaning we aren’t able to completely remove it and it is changing slightly from install to install. At this point we are completely wiping and reinstalling Windows on any infected machines.

Trend wasn’t able to catch it getting installed, so we started looking at other antivirus solutions to try and catch it, Comodo AV Free being one of them. It was able to contain most of it, but it wasn’t able to stop it from installing, and the damage to Windows and other programs is extensive. A Windows repair/upgrade is often necessary to recover Windows.

I have a zipped and password-protected installer for the virus, a.exe. I just need to know whom to send it, and our notes on it thus far, to. We know this isn’t the cause, and removing a.exe alone does not clean the system.
I did have the installer (a.exe) submitted to Comodo since the file came up clean on a scan, but it still doesn’t stop the virus from getting installed as of last Friday, 4/30/11.

Please advise. I did not see any other place to submit the file except through Comodo itself, and this likely needs more personal attention than updating the antivirus files to remove a.exe (which seems to be all McAfee did). There may be some links and a font file related to this that have been caught and quarantined on a USB flash drive.

(Edited for spelling and syntax mistakes. Sorry, it’s been a long couple of weeks.)
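The post above describes spread via Windows autorun. As an added example (not code from the thread or from Comodo), here is a small defender-side triage script that parses an autorun.inf found on a share or USB drive and reports what it would launch, so an incident note can say whether the file is cosmetic (icon/label only) or actually points at a program. The autorun.inf text below is constructed for illustration; only the file name a.exe comes from the thread.

```python
"""Added example: triage an autorun.inf for the program it would launch.
The SAMPLE_AUTORUN_INF content is constructed, not a real capture."""

# Keys Explorer acts on when it honours autorun.inf: they name the program
# that would be run (or offered in the AutoPlay dialog) automatically.
LAUNCH_KEYS = ("open", "shellexecute")
# Keys that only change how the drive is presented and cannot run anything.
COSMETIC_KEYS = ("icon", "label", "action")

# Constructed sample mimicking a minimal autorun.inf that points at a.exe.
SAMPLE_AUTORUN_INF = """; constructed sample, not a real capture
[AutoRun]
OPEN=a.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shellexecute=a.exe
label=My Disk
"""


def parse_autorun_inf(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section names and keys are lower-cased because Windows matches them
    case-insensitively; lines starting with ';' are comments. Unlike
    configparser this tolerates duplicate keys (last one wins) and keys
    that appear before any section header.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(text):
    """Return the programs an autorun.inf would launch, in LAUNCH_KEYS order.

    An empty list means the file is cosmetic only (icon/label/action) and
    would not execute anything on insertion or double-click.
    """
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [autorun[k] for k in LAUNCH_KEYS if k in autorun]


def triage_autorun_inf(text):
    """Summarise an autorun.inf for an incident note."""
    targets = autorun_launch_targets(text)
    return {
        "launches": targets,
        "suspicious": bool(targets),
        "cosmetic_only": not targets and bool(parse_autorun_inf(text)),
    }


if __name__ == "__main__":
    print(triage_autorun_inf(SAMPLE_AUTORUN_INF))
```

Run it against the autorun.inf from a quarantined drive by reading the file's text and passing it to triage_autorun_inf; a non-empty "launches" list is the cue to hash the named file before anything else is done with the drive.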

Please submit the file here.

File submitted. Let me know if you guys need anything else.

- edit after move -
So this is where this kind of thing goes… Thanks, I’ll keep that in mind for the future; working so much is taking its toll…
CIMA:
File Info
  Size    9636
  MD5     bef2f89567ab610b3fbdf5a76196c4e7
  SHA1    b6438296c0c9780754c77697533a4b94938d3482
  SHA256  00adeba541b2d1f39bf811791afd31b8f38b83a310ed5d9eda5ddee587304874
  Process Failed

Verdict
  Auto Analysis Verdict: Unexecutable

http://www.virustotal.com/file-scan/report.html?id=00adeba541b2d1f39bf811791afd31b8f38b83a310ed5d9eda5ddee587304874-1304616303
MD5 : bef2f89567ab610b3fbdf5a76196c4e7
SHA1 : b6438296c0c9780754c77697533a4b94938d3482

After going through the trouble of submitting it, it looks like the file is a crippled version of the trojan, possibly not fully downloaded before the system cut out, or otherwise not fully created. The file I was attempting to send is now being detected as Trojan_krypto_smii by Trend. I would link the actual file, which was first reported on 4/29/2011, but I don’t have the patience to sift through and find it right now.

Hi falstagg,

The file you submitted is a plain HTML page with no malicious characteristics or references to an actual malware file. In order to verify the malware application, please submit the binary files at Comodo Antivirus Database | Submit Files for Malware Analysis.

Thanks and regards,
Ionel
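The CIMA verdict ("Unexecutable") and Ionel's reply both turn on the same point: the file that was submitted was an HTML page, not the binary. As an added example (not code from the thread, from Comodo, or from CIMA), here is a pre-submission check a responder can run locally: it hashes the candidate file, confirms it carries a PE header rather than HTML, and compares the hashes against the ones posted in the thread. The three hashes in KNOWN_BAD are copied from the thread's CIMA/VirusTotal entries; the two sample byte strings are constructed stand-ins and are not the real files.

```python
"""Added example: local checks before sending a suspect file to an analyst.
KNOWN_BAD holds the hashes posted in the thread; the samples are constructed."""

import hashlib

# Hashes copied from the CIMA / VirusTotal entries in the thread.
KNOWN_BAD = {
    "md5": "bef2f89567ab610b3fbdf5a76196c4e7",
    "sha1": "b6438296c0c9780754c77697533a4b94938d3482",
    "sha256": "00adeba541b2d1f39bf811791afd31b8f38b83a310ed5d9eda5ddee587304874",
}

# Constructed stand-ins for the two kinds of file seen in the thread:
# an HTML page saved where a download should have been, and a minimal
# buffer shaped like a Windows executable (MZ stub, e_lfanew -> "PE\0\0").
SAMPLE_HTML = b"<html><body>File not found</body></html>\n"
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little")
    + b"PE\x00\x00" + b"\x00" * 20
)


def file_hashes(data):
    """MD5 / SHA1 / SHA256 of the bytes as lower-case hex, the form analysts
    and scanner reports use."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def looks_like_pe(data):
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew field
    (offset 60) points at a 'PE\\0\\0' signature, i.e. a Windows executable."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[60:64], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_html(data):
    """Cheap check for the failure mode in the thread: an HTML page (for
    example an error page from a dead download) saved in place of the binary."""
    head = data[:512].lstrip().lower()
    return head.startswith((b"<!doctype html", b"<html"))


def matches_known(hashes, known=KNOWN_BAD):
    """Name of the first algorithm whose digest matches the known sample,
    or None if this is not the file already on record."""
    for algo, digest in known.items():
        if hashes.get(algo) == digest:
            return algo
    return None


def presubmission_report(data):
    """Everything worth pasting into the submission note, in one dict."""
    hashes = file_hashes(data)
    return {
        "hashes": hashes,
        "is_pe": looks_like_pe(data),
        "is_html": looks_like_html(data),
        "known_sample": matches_known(hashes),
        "worth_submitting": looks_like_pe(data) and not looks_like_html(data),
    }


if __name__ == "__main__":
    for label, blob in (("html", SAMPLE_HTML), ("pe", SAMPLE_PE)):
        print(label, presubmission_report(blob))
```

For a real file, read it in binary mode and pass the bytes to presubmission_report; a "known_sample" value other than None tells you the file is the one already on record in the thread, and "worth_submitting" False is the signal to go back to the infected machine for the actual installer rather than resubmitting the same page.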