Sounds like it could be Conficker, variant C, D or E (associated with the Waledac family of malware and its Storm botnet). "E" was discovered at the beginning of this month whereas "C" and "D" have been around for a while.
Also note that a new tool to rewrite viruses as polymorphic (and running in memory) has been in the wild for several months. This has made it fairly easy to recycle older code into new threats very quickly.
Symantec published this in their July analysis:
This month’s analysis reveals a significant increase in activity related to what may be described as an aggressive and rapidly changing form of generic polymorphic malware. With one in 280.9 emails identified as malicious in July, the rise accounted for 23.7 percent of all email-borne malware intercepted in July; more than double the same figure six months ago, indicating a much more aggressive strategy on the part of the cyber criminals responsible.
The report shows that the malware is frequently contained inside an executable within the attached ZIP archive file, and often disguised as a PDF file or an office document, for example. “This new aggressive approach to distributing generic polymorphic malware on such a scale should be concerning for many businesses, particularly for those who rely solely on more traditional security countermeasures, which this type of malware is designed to evade. One example of this technique involves changing the startup code in almost every version of the malware; subtly changing the structure of the code and making it harder for emulators built-in to many anti-virus products to identify the code as malicious.”
“Polymorphic malware is a way for malware writers to write their malware so that each particular malware is different from the last. So, although the malicious code does the same thing – infect your computer – each program that the malware writer is producing is acting in a slightly different way”, explained Lee, senior software engineer at Symantec.cloud.
For example, when variant C is executed, the worm will copy itself as a randomly named DLL to:
[System]\randomname (preferred location) or
[Program Files]\Internet Explorer\randomname or
[Program Files]\Movie Maker\randomname (50% chance of each), or
[Application Data]\randomname, or
[Temp]\randomname
(Sounds familiar, doesn't it?)
Some GENERAL notes about current polymorphics:
> Can be memory resident (which is why I use a Live Linux disk for removal)
> New threats are created very quickly (i.e., zero-day exploits)
> P2P systems and email attachments are popular attack vectors
Regards,
GEWB