Today SophosLabs received a new worm from the field which was quite similar to the W32/SillyFD family, but different enough to make it a new family. Detection has been added as W32/Amca-A.
The worm is written in Visual Basic by some Turkish hackers. The name comes from a reference in the code saying “
It has several components packed into a WinRAR SFX. Besides installing itself into the system32 folder, it creates two simple command files
<System>\acd2.cmd which are used to share the drives of the infected machines. These files contain a simple command:
net share PATRON1=d:\ /unlimited /remark:"RockStar"
Also, similarly to the SillyFD worms, it spreads to USB drives, creating 2 hidden files there:
Autorun.inf. The latter is used to autorun the exe when the drive is connected to a new machine.
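
As a defender-side check for the drive-sharing command quoted above, this added example (not SophosLabs code) scans the text of a command script for net share lines that export an entire drive root. The function name and the sample script are constructed for illustration; only the PATRON1 line comes from this post.

```python
import re

# net share <NAME>=<drive>:\ [options] -- a share whose path is a whole drive root.
# A path such as d:\projects\docs does not match, so ordinary folder shares are ignored.
SHARE_RE = re.compile(
    r'^\s*@?net(?:\.exe)?\s+share\s+([^\s=]+)="?([A-Za-z]):\\?"?(?:\s+(.*))?$',
    re.IGNORECASE,
)
REMARK_RE = re.compile(r'/remark:(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed sample script: line 2 is the command quoted in the post,
# lines 3 and 4 are invented to show a benign share and a quoted drive root.
SAMPLE_CMD = r'''@echo off
net share PATRON1=d:\ /unlimited /remark:"RockStar"
net share docs=d:\projects\docs /remark:"team docs"
NET SHARE backup="E:\" /users:5
'''

def find_drive_root_shares(script_text):
    """Return one finding per script line that shares an entire drive."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        m = SHARE_RE.match(line)
        if not m:
            continue
        opts = m.group(3) or ""
        remark = None
        r = REMARK_RE.search(opts)
        if r:
            remark = r.group(1) if r.group(1) is not None else r.group(2)
        findings.append({
            "line": lineno,
            "share": m.group(1),
            "drive": m.group(2).upper(),
            "unlimited": "/unlimited" in opts.lower(),
            "remark": remark,
        })
    return findings

if __name__ == "__main__":
    for finding in find_drive_root_shares(SAMPLE_CMD):
        print(finding)
```

A whole-drive share with /unlimited is rarely legitimate on a workstation, so any hit in a .cmd file under the system folder is worth reviewing even when the share name or remark differs from the ones in this sample.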