# "Vosate Nofooz" - an almost unknown Iranian malware [ part 1 ]

Well, after taking a glance at this malware, I decided to write up something useful about this kind of almost unknown malware.
The term "unknown" does not refer to something dangerous with a high level of risk!
Actually, this malware isn't as dangerous as people think; this kind of malware is difficult in the cleaning phase.
The malware doesn't act like very dangerous code, but it's robust in the field of self-defense.
The technical name of this variant is "W32/AutoRun.gv"; as you can see if you search various search engines, there are a few results available for this worm.
The executable name of this malware is "explorer.exe".
The actual path is "C:\explorer.exe"; it's a hidden file which you can see with the help of 3rd-party anti-malware software such as Malware Defender.
Yes, you guessed right! It's an autorun worm: whenever you plug your mass storage device into the USB port, it will spread itself to the USB drive with the following names and format:
%RemovableDrive%\Autorun.inf
%RemovableDrive%\explorer.exe

There are also other files that act as this worm:

%Temp%\MMBPlayer\i.JPG
%Temp%\MMBPlayer\Systools.dll
%Temp%\MMBPlayer\wallpaper.dll

After being executed, this worm will change your wallpaper to an image located at: %Temp%\MMBPlayer\i.JPG

In the next part I will post an in-depth analysis of this malware and the important part, "how to clean my system!?". So if you are infected with this variant, follow me in the next part; it's not so hard to kill and clean.
Regards,
- Genius

### the executable is already

The executable is already available in the Offensive Computing database; I've added it.
Search for "explorer.exe"; the date of submission is: 2009-11-19 13:52:16.291749
Well, you can now download it ...

### Checksum helps people find it

If you could post the checksum that lets people directly download it from our site.

### MD5 checksum :

MD5 checksum : 582b1daa5d984bb98d4d98f6132fb9f4
Is it OK!?
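
The file locations listed in the post and the MD5 from the last comment can be turned into a quick triage check. The script below is an added example, not code from the original post or its author; the drive letters it scans and the assumption that Autorun.inf names the dropped explorer.exe are mine, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the post and its last comment.
KNOWN_MD5 = "582b1daa5d984bb98d4d98f6132fb9f4"
TEMP_ARTIFACTS = ["i.JPG", "Systools.dll", "wallpaper.dll"]  # in %Temp%\MMBPlayer


def md5_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drive_root(root):
    """Check one drive root (C:\\ or a removable drive) for the worm's files."""
    findings = []
    root = Path(root)
    # Listing the directory also finds hidden files and ignores name case.
    entries = {p.name.lower(): p for p in root.iterdir()} if root.is_dir() else {}
    exe = entries.get("explorer.exe")
    if exe and exe.is_file():
        # The genuine Windows shell lives under %WINDIR%, not in a drive root.
        verdict = "md5-match" if md5_of(exe) == KNOWN_MD5 else "md5-differs"
        findings.append((str(exe), verdict))
    inf = entries.get("autorun.inf")
    if inf and inf.is_file():
        text = inf.read_bytes().decode("latin-1").lower()
        # Assumption: the worm's Autorun.inf points at the dropped explorer.exe.
        verdict = "references-explorer.exe" if "explorer.exe" in text else "present"
        findings.append((str(inf), verdict))
    return findings


def check_temp(temp_dir):
    """Return the files from the post's list that exist in <temp>\\MMBPlayer."""
    base = Path(temp_dir) / "MMBPlayer"
    return [str(base / n) for n in TEMP_ARTIFACTS if (base / n).is_file()]


if __name__ == "__main__":
    roots = ["C:\\"] + [f"{d}:\\" for d in "DEFGH"]  # assumed drive letters
    hits = [h for r in roots for h in check_drive_root(r)]
    hits += [(p, "present") for p in check_temp(tempfile.gettempdir())]
    print(*hits, sep="\n")
```

A result of "md5-differs" still deserves a look, since any explorer.exe in a drive root is out of place and the hash only identifies the one submitted sample.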