Modules of current malware were first time detected by "VirusBlokAda" company
specialists on the 17th of June, 2010 and were added to
the anti-virus bases as Trojan-Spy.0485 and
Malware-Cryptor.Win32.Inject.gen.2. During the analysis of
malware there was revealed that it uses USB storage device for propagation.
You should take into consideration that virus infects Operation
System in unusual way through vulnerability in processing lnk-files (without
usage of autorun.inf file).
So you just have to open infected USB storage device using Microsoft Explorer or
any other file manager which can display icons (for i.e. Total Commander) to
infect your Operating System and allow execution of the malware.
Malware installs two drivers: mrxnet.sys and mrxcls.sys. They are used
to inject code into systems processes and hide malware itself. That's the reason
why you can't see malware files on the infected USB storage device. We have added
those drivers to anti-virus bases as Rootkit.TmpHider
and SScope.Rookit.TmpHider.2. Note that both drivers are signed
with digital signature of Realtek Semiconductor Corp. (www.realtek.com).
Thus, current malware should be added to very dangerous category causes the risk
of the virus epidemic at the current moment.
After we have added a new records to the anti-virus bases we are admitting a
lot of detections of Rootkit.TmpHider and
SScope.Rookit.TmpHider.2 all over the world.