WIN32\injector.po W32/Hamweq.worm.as

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tueur, May 21, 2012.

  1. Tueur

    Tueur Sergeant Major

    Hi guys, back in November some of the systems that my company uses got hit by W32/Hamweq.worm.as, which spreads via USB. It creates a memory resident that resides in a hidden location in C:\SABER\v2009\SABER.exe. The v2009 folder appears to be recognised as a recycle bin. The memory resident drops onto any USB stick that is inserted and also creates an autorun to propagate to further systems.

    This was a real pain to fix, but I managed to resolve it with a little help from our corporate IT. After this I arranged for all the latest OS patches to be installed and also purchased a copy of NOD32 Business for the systems that I manage.

    A colleague has come to me this morning to say that they have found the virus again on another of their systems. I have installed NOD32 on these two PCs as I had 3 unused licences, and have successfully cleaned one. NOD32 picks up the detection on the other PC but has identified it as win32\injector.PO, which is supposedly different, but it does still appear to be using the SABER file and folder. I expect this is an alias/mutation. NOD requires a reboot to clear the virus; however, it is still present after reboot.

    I have looked in Windows Explorer to see if I can find the file, but it is not listed (even with show hidden files on). If I type C:\SABER into the address bar it resolves and shows an empty folder. If I type C:\SABER\v2009 I get the contents of my recycle bin shown, but no Saber.exe.

    I emptied the recycle bin and C:\SABER\v2009 is now empty, but Saber.exe is still being detected.

    I have booted to safe mode, navigated to C:\SABER\v2009 in a DOS prompt and run the dir command. This does report saber.exe (although it wouldn't report either of the containing folders). I was able to delete saber.exe in DOS and the NOD32 scan is now clean.

    I am a little concerned at the presence of these seemingly VERY hidden folders and whether there is anything else to investigate?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Tueur

    Tueur Sergeant Major

    I did scan through that but glossed over hidden folders as I had enabled them. I didn't realise that there was a second option for hiding files!

    Thank you
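The two symptoms in the thread (a folder and file that "show hidden files" still does not reveal, and an autorun.inf that launches the dropped executable from a USB stick) both come down to things an admin can check programmatically. The script below is an added triage example, not code from the thread or from any vendor product. It classifies file-attribute masks the way Explorer does (Hidden alone needs "Show hidden files"; Hidden together with System is also gated by the separate "Hide protected operating system files" option), and it extracts the launch targets from an autorun.inf. The attribute constants are the real Win32 values that Python exposes in the stat module on every platform; the directory listing and autorun.inf text are constructed for the demo, with paths loosely modelled on the folder names from the thread.

```python
"""Triage helpers for 'super hidden' files and autorun.inf launch targets.

Added example (not from the thread). SAMPLE_LISTING and SAMPLE_AUTORUN are
constructed test data; listing_from_disk() only returns attributes on Windows.
"""
import configparser
import os
import stat

# Real Win32 file attribute bits, available from Python's stat module on any OS.
HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN        # 0x02: needs "Show hidden files"
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM        # 0x04: with HIDDEN, also needs
                                           #       "Hide protected OS files" off
DIRECTORY = stat.FILE_ATTRIBUTE_DIRECTORY  # 0x10
ARCHIVE = stat.FILE_ATTRIBUTE_ARCHIVE      # 0x20: the usual bit on a normal file


def explorer_visibility(attrs):
    """Classify how Explorer treats an entry with the given attribute mask.

    'visible'   listed by default
    'hidden'    listed once "Show hidden files" is enabled
    'protected' Hidden+System: only listed when "Hide protected operating
                system files" is unticked as well (the 'second option' in the thread)
    """
    if attrs & HIDDEN and attrs & SYSTEM:
        return "protected"
    if attrs & HIDDEN:
        return "hidden"
    return "visible"


def find_protected_entries(listing):
    """listing: iterable of (path, attrs) pairs. Returns the paths Explorer
    hides behind the 'protected operating system files' option; those are
    worth a closer look when they sit outside the Windows directory."""
    return [path for path, attrs in listing if explorer_visibility(attrs) == "protected"]


def listing_from_disk(root):
    """Windows only: walk root and return (path, attrs) pairs using
    st_file_attributes. On other platforms the attribute mask is 0."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            out.append((path, getattr(st, "st_file_attributes", 0)))
    return out


def autorun_launch_targets(text):
    """Return the command values an autorun.inf would run: the open and
    shellexecute keys and any shell\\<verb>\\command key under [autorun]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Section names are case-sensitive in configparser; autorun.inf files use
    # either [autorun] or [AutoRun], so match case-insensitively.
    sections = [s for s in cp.sections() if s.lower() == "autorun"]
    targets = []
    for section in sections:
        for key, value in cp[section].items():  # keys are lowercased by configparser
            if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")
            ):
                targets.append(value.strip())
    return targets


# Constructed sample data (not captured from an infected machine).
SAMPLE_LISTING = [
    (r"C:\SABER", HIDDEN | SYSTEM | DIRECTORY),
    (r"C:\SABER\v2009", HIDDEN | SYSTEM | DIRECTORY),
    (r"C:\SABER\v2009\SABER.exe", HIDDEN | SYSTEM),
    (r"C:\Users\Public\notes.txt", ARCHIVE),
    (r"C:\Users\Public\Thumbs.db", HIDDEN),
]

SAMPLE_AUTORUN = """[autorun]
open=SABER\\v2009\\SABER.exe
shell\\open\\command=SABER\\v2009\\SABER.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for path in find_protected_entries(SAMPLE_LISTING):
        print("protected (Hidden+System):", path)
    for target in autorun_launch_targets(SAMPLE_AUTORUN):
        print("autorun would launch:", target)
```

On a Windows box, `find_protected_entries(listing_from_disk(r"C:\"))` lists every Hidden+System entry on the system drive; the legitimate ones (pagefile.sys, System Volume Information, the Windows folder contents) are well known, so anything left over in a user-writable location is what to investigate. The same attribute check is what `dir /a` in a command prompt applies, which is why the safe-mode `dir` in the thread showed the file that Explorer did not.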
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    You need to run it not scan it if you are having problems. ;)
     
