Bad, bad worm

I realize I was told (via PM) I wasn't qualified to post in this forum and to refrain.. But I need answers.

There's a bad worm circulating around. We've seen it dummy 3 computers in two days. It seems to work fast, within 24 hours of infection, and it completely destroys all Windows system files. AVG finds it, hits 2400 infections and says the quarantine is full. It replicates as fast as AVG can delete them.

The only other info that I have is that you'll see the wallpaper, but no start bar, icons, anything. This is in Safe Mode and Regular mode. You can boot Safe Mode with a Command Prompt, and that's about it.

I really, really need to know what it is and what is effective against it (besides formatting).

 

That's fine. I just need to know what the hell it is. It's exceptionally vicious. I'm sort of thinking a conficker variant.. It certainly has similar attributes.

I need to know what this is, asap.

 

What does AVG identify it as?

If you can upload some samples to my submission channel for analysis I'll see what I can do about further info.

 

I can't remember the name. Trojan something-or-other if I recall correctly. They popped up and disappeared so fast it was ridiculous. The next time I get one in, I'll try and confine them. Unfortunately the computers were wiped as we had absolutely no way of cleaning them. Remote scans failed. Registry recoveries failed. They didn't end up in quarantine. I'll try and pull a drive before it's formatted and see if I can collect a couple of them for your analysis. Thanks.

It makes me think that there's a main infection that's undetectable. Unfortunately I have no way of confirming that at the moment.

EDIT: Wait a second.... I have a clone of one of the drives. We were preserving the client's databases so we cloned the drive. I wonder if it's on there?

 

A clone would do nicley. Does the software used provide for extracting files from the image?

 

It was a clone. ie an identical copy. I can plug it back into the same computer and simply boot it up... that is, if I hadn't already delivered the computer back to the site.

 

Once more, it's an identical image, an exact copy, that I can boot from. I don't need a special tool to read it.

However, I haven't had time to sit down more than a few minutes all week, so I haven't had time to plug it in to pull some of the infections off it for analysis. I hope to do so this weekend.