Last week sometime at my job, we started getting reports that an a.exe file was causing errors in the FAT-16 subsystem. Upon further inspection, we found that this was a virus or malware, one not very well documented as well. In fact, we can’t find anything about it in the past year, only 2009 and earlier. It uses the autorun capability of Windows to install itself on a system at least, as well as seems to jump through shares similar to how a worm works. It completely destroys the DHCP, TCP/IP, embeds itself in the prefetch files, temp folder files, tasks, COM+ subscriptions, hidden and protected system files/folders, and many other things including Google Update registry entries, and possibly Broadcom controller registry entries. An installer for it can be found in the system32 folder.
We have developed a fix that so far has yielded a 25% success rate, but it keeps coming back on most of the other machines, meaning we aren’t able to completely remove it and it is changing slightly from install to install. At this point we are completely wiping and reinstalling Windows on any infected machines.
Trend wasn’t able to catch it getting installed, so we started looking at other antivirus solutions to try and catch it, Comodo AV free being one of them. It was able to contain most of it, but it wasn’t able to stop it from installing and the damage to Windows and other programs is extensive. A Windows repair/upgrade is often necessary to recover Windows.
I have a zipped and password protected installer for the virus, a.exe. I just need to know who to send it and our notes on it thus far to. We know this isn’t the cause and removing a.exe alone does not clean the system.
I did have the installer (a.exe) submitted to Comodo since the file came up clean on a scan, but it still doesn’t stop the virus from getting installed as of last Friday, 4/30/11.
Please advise. I did not see any other place to submit the file except through Comodo itself, and this likely needs more personal attention than updating the antivirus files to remove a.exe (which seems to be all McAfee did). There may be some links and a font file related to this that have been caught and quarantined on a USB flash drive.
(edited for spelling and syntax mistakes. sorry, it’s been a long couple of weeks.)
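As an added example that is not part of the original post and not code from Comodo, Trend or any other vendor named above: a small Python triage script for autorun.inf files, since the post identifies the Windows autorun feature as the way the installer gets onto a machine. It parses the [autorun] section, collects every entry that would cause Windows to launch a program, and flags any that point at an executable. The two autorun.inf samples inside the block are constructed for illustration; the only value taken from the post is the filename a.exe. The "Open folder to view files" check is a general heuristic for autorun files that impersonate the built-in prompt, not something the post reports about this particular sample.

```python
"""Triage helper for autorun.inf files found on drive roots and share roots.

Constructed example for detection and triage; not the original poster's
fix script and not tied to any specific malware family.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on an autorun-based installer. "a.exe" is the
# filename from the post; every other value here is made up.
SAMPLE_AUTORUN_INF = """\ufeff[autorun]
; comment lines and a UTF-8 BOM are tolerated
open=a.exe
shellexecute=a.exe
shell\\open\\command=a.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Constructed benign sample: only sets an icon and a label, launches nothing.
BENIGN_AUTORUN_INF = """[autorun]
icon=setup.ico
label=Product CD
"""

# Keys in [autorun] that make Windows run a program directly.
LAUNCH_KEYS = ("open", "shellexecute")

# File extensions Windows will execute when named as a launch target.
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key->value pairs from the [autorun] section, keys lowercased.

    Tolerates a UTF-8 BOM, CRLF line endings, ';' comments and stray lines
    without '='; later duplicate keys overwrite earlier ones.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Collect every value that would cause a program to run: open= and
    shellexecute= plus any shell\\<verb>\\command= entry."""
    targets: List[str] = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def assess_autorun(text: str) -> Tuple[str, List[str]]:
    """Classify one autorun.inf as 'suspicious' or 'benign' with reasons."""
    entries = parse_autorun(text)
    reasons: List[str] = []
    for target in launch_targets(entries):
        if EXEC_EXT.search(target):
            reasons.append(f"launches executable: {target}")
    # General heuristic (not from the post): a launching autorun.inf whose
    # action= text mimics the stock "Open folder to view files" prompt is
    # trying to pass itself off as the normal Explorer choice.
    action = entries.get("action", "")
    if reasons and "open folder" in action.lower():
        reasons.append("action= mimics the built-in 'Open folder to view files' prompt")
    return ("suspicious" if reasons else "benign"), reasons


def scan_roots(roots: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Check each given root (drive letter, mapped share, mount point) for an
    autorun.inf and return its assessment; roots without one are skipped."""
    results: Dict[str, Tuple[str, List[str]]] = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                results[path] = assess_autorun(fh.read())
    return results


if __name__ == "__main__":
    for name, sample in (("constructed worm sample", SAMPLE_AUTORUN_INF),
                         ("constructed benign sample", BENIGN_AUTORUN_INF)):
        verdict, why = assess_autorun(sample)
        print(f"{name}: {verdict}")
        for reason in why:
            print(f"  - {reason}")
```

On a live system the same logic is pointed at drive roots and mapped share roots with `scan_roots([...])`; a hit there is a reason to pull the drive off the network and image it rather than clean it in place, which matches the poster's experience that removing a.exe alone does not clean the machine. The standing mitigation for this entry point is to turn off autorun for all drive types by setting the `NoDriveTypeAutoRun` policy value to `0xFF` under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` (or the HKCU equivalent) and applying the Microsoft update that makes Windows honour it, so that an autorun.inf on a USB stick or share is never acted on in the first place.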