AutoStart Worm: a new utility, an Extensions glitch, and a review of symptoms

Early Bird Jim Kreinbrink writes: "We have put together a freeware AutoStart Worm scanner called Early Bird. It detects the virus running as a process and warns you to restart with extensions off. It has exact procedures listed in the ReadMe." It should detect A through Evariants. Additional information is available.

Desktop Print Spooler in "other" Extensions folders The worm-related invisible Desktop Print Spooler file (which is not the same as the normal Desktop Printer Spooler file) may appear in the Extensions folder of the plug-ins folder of Photoshop or Illustrator, or any other folder called Extensions. These "Print Spooler" files may not get deleted by anti-virus utilities. If so, you will need to search for them separately (use Find File's Option key ability to search for invisible files) and delete them. (Thanks, Keith Watson and Sean McNamara.)

AutoStart Worm symptoms As we keep getting email about the AutoStart 9805 Worm, it's worth going over its typical symptoms.

Richard Vallens writes: "Worm infested computers will periodically bog down with a huge amount of disk and network activity. After 1 to 2 minutes of seeming to be frozen, normal use returns until the next episode, perhaps 10 minutes later. If you aren't on a network, you won't be tipped off by the little network activity arrows constantly blinking during a seizure, and if you have an internal hard disk without an activity light (or Norton's DiskLight) you may not become aware of the periodic slowdown is from disk activity there. What you will notice is that your computer periodically goes catatonic, and then recovers for several minutes until the next episode."

Several readers note a problem where their Mac freezes. A force quit then results in the following message: "Do you want to force quit Desktop Print Spooler?" Any time you see this name, you have the AutoStart worm! (Any message about a file named "DB" is another likely indicator of this worm.)