Rubble worm shoots itself in the foot

I came across a new worm today which is a bit too keen to spread for its own good. In order to spread, W32/Rubble-A scans local and removable drives and replaces every file it finds with a copy of itself, keeping the original filename and appending an EXE extension.

This might be an effective ploy, particularly on systems where file extensions are hidden for known file types (the default, if somewhat insecure, setting in Folder Options in Windows), as the user might not spot that anything was amiss, at least not immediately. It would eventually become clear, as the user would surely notice that important documents are completely lost once they have been overwritten…
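A defender's check for the pattern described above, added here as an example and not part of the original post: it walks a directory tree, flags files whose name keeps a document extension in front of a trailing .exe and whose contents start with the PE "MZ" signature, and groups the hits by content hash, since a worm that copies itself over every file leaves identical bodies behind. The sample tree, the extension list and the function names are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

DOC_EXTS = {".doc", ".txt", ".jpg", ".xls", ".pdf", ".ppt"}  # constructed list for the example

def hidden_double_extension(name):
    """'report.doc.exe' -> '.doc'; None if the name does not hide a document extension."""
    base, last = os.path.splitext(name)
    if last.lower() != ".exe":
        return None
    inner = os.path.splitext(base)[1].lower()
    return inner if inner in DOC_EXTS else None

def scan_tree(root):
    """Flag document-named executables; group by SHA-256 (a self-copying worm leaves identical bodies)."""
    suspects, by_hash = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            inner = hidden_double_extension(name)
            if inner is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if data[:2] != b"MZ":  # PE executables start with the 'MZ' DOS stub signature
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = hashlib.sha256(data).hexdigest()
            suspects.append((rel, inner, digest))
            by_hash[digest].append(rel)
    return suspects, dict(by_hash)

def demo():
    """Build a constructed sample tree (not real malware) and scan it."""
    body = b"MZ\x90\x00constructed worm body"
    files = {"report.doc": b"real document text", "notes.txt": b"some notes",
             "report.doc.exe": body, "sub/photo.jpg.exe": body,
             "setup.exe": b"MZ\x90\x00unrelated installer",
             "readme.txt.exe": b"double extension but not an executable"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        suspects, by_hash = scan_tree(root)
    return sorted(p for p, _inner, _digest in suspects), by_hash
```

A plain "setup.exe" and a double-extension file that is not actually an executable are both left alone, so the check keys on the combination of name shape and content rather than either on its own.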

Can you spot anything wrong with this picture?

A keen eye may spot a big flaw in this worm’s spreading strategy – it overwrites any file it can, including important system files such as ntldr, the NT loader. As its name might suggest, this file is crucial for loading Windows, and without it the system will not boot!

This might hinder the spread of this worm somewhat…

Sadly, if you are infected you will probably lose a lot of data, as well as having to reinstall Windows :o(