
Undocumented USB Worm Discovered: A New Threat with Advanced Evasion Techniques
During a forensic inspection of an old USB drive, a previously undocumented USB worm was discovered. The malware, stored under a deceptive filename with no extension, showed unusual behavior: a simple right-click on the file caused it to replicate itself multiple times into the "Downloads" folder. This was observed even on a fully updated Windows 11 system, indicating that the worm can get past modern security measures. Avast promptly quarantined the copies, confirming that the worm is active and malicious.

The worm employs advanced evasion techniques, including manipulation of .ShellClassInfo metadata and DLL export obfuscation, which suggests a high level of sophistication. There are also indications of privilege escalation capabilities, which could allow the worm to perform more damaging actions on an infected system.

A comprehensive analysis of the worm is publicly available, including Indicators of Compromise (IOCs), detailed behavior observations, a YARA rule, string dumps, reverse engineering context, and a second sample linked to the Andromeda malware family.

The discovery highlights the evolving tactics of malware authors and the need for constant vigilance in cybersecurity. The worm's ability to replicate on a fully updated system underscores the importance of advanced detection techniques and up-to-date security software, and the potential link to the Andromeda family raises the concern that the worm is part of a larger, more dangerous malware campaign. Cybersecurity professionals should take note of this threat and ensure their detection and prevention measures are robust enough to handle such advanced malware.
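The report singles out two traits a responder can check for offline: an extension-less file that is really a PE executable, and a desktop.ini whose [.ShellClassInfo] icon entry points at such a file. The triage helper below is an added example written for this page, not code from the report or its analysis; the heuristic, the function names and the constructed sample folder are assumptions, and the sample contains no real malware.

```python
"""Added example: inventory a folder the way a responder might triage a suspect
USB drive. Flags extension-less files with a PE ("MZ") header and desktop.ini
[.ShellClassInfo] icon entries that resolve to them. The heuristic is an
assumption for illustration, not the original report's detection logic."""
import configparser
import os
import tempfile

PE_MAGIC = b"MZ"


def _icon_refs(ini_path, dirpath, root):
    """Return [.ShellClassInfo] icon targets that are extension-less files in the same folder."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    with open(ini_path, encoding="utf-8", errors="ignore") as fh:
        cp.read_string(fh.read())
    if not cp.has_section(".ShellClassInfo"):
        return []
    refs = []
    for key in ("IconResource", "IconFile"):
        value = cp.get(".ShellClassInfo", key, fallback="")
        target = value.split(",")[0].strip().strip('"')   # strip ",<index>" and quotes
        full = os.path.join(dirpath, target)
        if target and not os.path.splitext(target)[1] and os.path.isfile(full):
            refs.append(os.path.relpath(full, root))
    return refs


def scan_folder(root):
    """Return paths (relative to root) of extension-less PE files and of icon references to them."""
    findings = {"pe_without_ext": [], "shellclassinfo_refs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.splitext(name)[1]:
                with open(path, "rb") as fh:
                    if fh.read(2) == PE_MAGIC:
                        findings["pe_without_ext"].append(os.path.relpath(path, root))
        ini = os.path.join(dirpath, "desktop.ini")
        if os.path.isfile(ini):
            findings["shellclassinfo_refs"] += _icon_refs(ini, dirpath, root)
    return findings


def build_sample_drive():
    """Constructed sample layout (no real malware): a deceptively named PE stub, a benign file, a desktop.ini."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    with open(os.path.join(root, "Photos"), "wb") as fh:      # no extension, starts with MZ
        fh.write(PE_MAGIC + b"\x00" * 62)
    with open(os.path.join(root, "notes"), "wb") as fh:       # no extension, plain text
        fh.write(b"just text")
    with open(os.path.join(root, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=Photos,0\n")
    return root


if __name__ == "__main__":
    print(scan_folder(build_sample_drive()))
```

Run it against a mounted drive by passing its mount point to scan_folder; a hit in both lists is worth a closer look, a hit only in pe_without_ext may just be a renamed installer.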