W32.Gammima.AG is the same virus that made its way into orbit on one of the NASA laptops. It is now on one of my laptops and is giving me a hard time.
W32.Gammima.AG creates a file called "kavo.exe" in the System directory and also adds itself to the registry.
It also creates [RANDOM FILE NAME].dll on the C drive or in %Temp%, which is a copy of Hacktool.Rootkit.
Then the worm copies itself to all drives connected or mapped to your computer as the following file: [DRIVE LETTER]:\ntdelect.com
It also creates a [DRIVE LETTER]:\autorun.inf file so that it executes whenever the drive is accessed.
Removal Procedure:
- I disabled System Restore, then searched for the kavo.exe file and deleted it from the computer and also from the registry.
- Then I deleted the random files and the autorun.inf file created on the C drive and other removable drives. Be careful while deleting these files. There are some system files on the C drive which are required by the system.
Check out this link: http://www.ghiath.com/?p=28
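
To see which drives still carry the files named above before deleting anything, a read-only check can help. The script below is an added example, not part of the original post: it looks for ntdelect.com and autorun.inf in each drive root, lists what an autorun.inf would launch, and checks for kavo.exe. The autorun.inf contents in the sample are constructed, and treating "System directory" as %SystemRoot%\System32 is an assumption.

```python
import os
import string

ROOT_ARTIFACTS = ("ntdelect.com", "autorun.inf")  # drive-root names from the post
SYSTEM_ARTIFACT = "kavo.exe"                      # System-directory name from the post

# Constructed sample; the post does not show the worm's real autorun.inf.
SAMPLE_AUTORUN = ("[AutoRun]\n; open=decoy.exe\nopen=ntdelect.com\n"
                  "shell\\open\\Command=ntdelect.com\nicon=x.ico\n")


def present(directory, names):
    """Case-insensitively map each of `names` found directly in `directory` to its path."""
    try:
        found = {e.name.lower(): e.path for e in os.scandir(directory)}
    except OSError:  # drive not ready, missing, or access denied
        return {}
    return {n: found[n] for n in names if n in found}


def autorun_commands(text):
    """Return the commands an autorun.inf would launch, skipping comments and junk."""
    commands = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or key.startswith(";"):
            continue
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            commands.append(value.strip())
    return commands


def scan_root(root):
    """Report the post's artifacts in one drive root; flag autorun.inf that starts the worm."""
    hits = present(root, ROOT_ARTIFACTS)
    cmds = []
    if "autorun.inf" in hits and os.path.isfile(hits["autorun.inf"]):
        with open(hits["autorun.inf"], errors="replace") as fh:
            cmds = autorun_commands(fh.read())
    return {"root": root, "files": sorted(hits), "commands": cmds,
            "launches_worm": any("ntdelect.com" in c.lower() for c in cmds)}


if __name__ == "__main__":
    for d in string.ascii_uppercase:  # every drive letter that exists (Windows)
        report = scan_root(f"{d}:\\")
        if report["files"]:
            print(report)
    # Assumption: "System directory" means %SystemRoot%\System32.
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    print("kavo.exe present:", bool(present(sysdir, (SYSTEM_ARTIFACT,))))
```

A name match is only an indicator; an autorun.inf on its own can be legitimate, which is why the report separates "file exists" from "autorun.inf launches ntdelect.com".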