This detection is for a worm that spreads via removable USB media, and is also a rootkit.
Aliases:
Trojan-Downloader.Win32.VB.anf (Kaspersky)
BackDoor.Generic.1563 (Doctor Web)
Win32/TrojanDownloader.VB.ANF (ESET NOD32)
W32/UsbStorm.A.worm (Panda)
Characteristics -
Note: File names and registry entries listed here may vary with different versions of the malware. Hence this is a generic description.
Upon execution, this malware copies inself into the following location.
C:\Windows\system32\internt.exe
This file is then executed and installed as a rootkit, such that its process is not visible under the process list.
It modifies the following registry entry for loading at system startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
Data : C:\Windows\system32\userinit.exe, C:\Windows\system32\internt.exe
It then copies itself, along with an autorun.inf file, to all the removable USB media.
Symptoms -
Presence of the files and registry entries mentioned.
Method of Infection -
This worm spreads by copying the following files to removable USB media.
autorun.inf
CN911.exe (copy of the worm)
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations
McAfee