"I ran into some of your old friends the other day, they wanted me to
send you this."
The email contained an attachement named "rememberthistime.rar"
It seemed a legitimate mail in first glance, opening the rar file, I have found a an application seemed to be a screen saver named "rememberthistime.scr". Though it is highly possible that the friend would have compiled a screen saver with old photos, I have the policy of not opening executable file from emails, no matter what it claims to be, so didn't bother to open it.Soon he send another mail saying that,it is a virus.He accidentally opened the attachement, which made his firefox to crash.And later only realised that email has been send to all the contacts in his account.
Google search about the file confirmed the suspicion, with reports from many people saying that they had the same problem.It seems to be a new virus as it is not detected by many antivirus products. (See the report from Virustotal) only 17 out 41 product detects it.Especially Avast and AVG, commonly used free antivirus products couldn't detect it, which leads to the wide spread.
As of now I couldn't find much information about the behavior and removal of this particular malware.
I have done a quick analysis of the binary.For the exact details go through the links ( Anubis,ThreatExpert)
To summarize the findings
1. It creates a startup registry entry as well as following executable are copied into Windows directory "services.exe" and "UNSTALVTB16.exe"
2. Following process were created by the it "errdlg.exe","SoundMan16.exe", SoundMan32.exe","services.exe"
Removal Instructions
1. If you have accidentally clicked on the file, immediately logg off from all the signed in accounts, as it seems the malware uses signed in credentials to send mails to all your contacts like gmail,yahoo etc..
2.Open the task manager and end the above processes if exists.
3.Open regedit, find and delete the following entries "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}", "HKEY_LOCAL_MACHINE\SOFTWARE\Application.exe","HKEY_LOCAL_MACHINE\SOFTWARE\Application.exe\Application"
4.Delete the files "services.exe" and "UNSTALVTB16.exe" inthe Windows directory
5.Update the antivirus you currently uses and do a full system scan.
6.Its a good idea to install BitDefender/SpyBot S&D/Kaspersky and do a full system scan as it is known to detect and remove this malware.
Hope this will help someone to remove the malware in time before it does further damages.
[Update just now got the analysis from Joebox, upon execution the malware seems to produce an error like this]
Removal Instructions
1. If you have accidentally clicked on the file, immediately logg off from all the signed in accounts, as it seems the malware uses signed in credentials to send mails to all your contacts like gmail,yahoo etc..
2.Open the task manager and end the above processes if exists.
3.Open regedit, find and delete the following entries "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}", "HKEY_LOCAL_MACHINE\SOFTWARE\Application.exe","HKEY_LOCAL_MACHINE\SOFTWARE\Application.exe\Application"
4.Delete the files "services.exe" and "UNSTALVTB16.exe" inthe Windows directory
5.Update the antivirus you currently uses and do a full system scan.
6.Its a good idea to install BitDefender/SpyBot S&D/Kaspersky and do a full system scan as it is known to detect and remove this malware.
Hope this will help someone to remove the malware in time before it does further damages.
[Update just now got the analysis from Joebox, upon execution the malware seems to produce an error like this]
