Anyone else seen anything about this?
Interesting. For something that is meant to drop in rootkits and send spam, I wonder why it would shut down a "valuable" host - unless the malware writer either,
a) semi-sympathizes with virtualization, therefore is shutting the machine down instead of infecting it, or,
b) has something further against virtualization, trying to tarnish virtualization by specifically targeting its availability?
Why not instead detect that the system is actually a virtual machine and then mask its rootkits blue pill style?
Had this doozy on my home PC. I used Symantec Enterprise (I think it was 8) with system restore turned off in XP and it got rid of it. I had VMware Workstation installed and it rebooted my actual PC a bunch of times.
No, actually the reason is very straightforward. Most of today's antivirus/trojan/whatever-computer-badness research is done in VMs these days. So the trojan author is just trying to hide their trojan from researchers. This is common practice these days.
Detection methods for checking if you are running an application within a virtualized host are shared and published on the internet. There are web sites targeting virus authors that have more details on this including programs and other tips. I can jot those URLs down here, but don't really want to give pointers to the script kiddies.
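As an added illustration of the kind of published check the previous posts refer to (this is editor-added example code, not code from the thread or from the malware being discussed): the most basic, fully documented VM check on x86 is the CPUID "hypervisor present" bit (CPUID.1:ECX[31]) plus the hypervisor vendor string in leaf 0x40000000. The vendor-signature table is constructed from public hypervisor documentation; on non-x86 builds the CPUID path is compiled out and the check reports "unavailable".

```c
/* Editor-added example: detect a hypervisor the documented way, via CPUID.
 * This is the same check tools such as systemd-detect-virt perform; malware
 * uses it (and noisier tricks) to decide whether it is in an analyst's VM. */
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* 12-byte vendor signatures returned in EBX:ECX:EDX of CPUID leaf 0x40000000.
 * Constructed from public vendor documentation; KVM's is NUL-padded. */
static const struct { const char *sig; const char *name; } kVendors[] = {
    { "VMwareVMware", "VMware" },
    { "KVMKVMKVM",    "KVM" },
    { "Microsoft Hv", "Hyper-V" },
    { "XenVMMXenVMM", "Xen" },
    { "VBoxVBoxVBox", "VirtualBox" },
};

/* Map a 12-byte vendor signature to a hypervisor name, or NULL if unknown. */
const char *hv_vendor_name(const char sig[12]) {
    for (size_t i = 0; i < sizeof kVendors / sizeof kVendors[0]; i++) {
        if (memcmp(sig, kVendors[i].sig, strlen(kVendors[i].sig)) == 0)
            return kVendors[i].name;
    }
    return NULL;
}

/* Returns 1 if the hypervisor-present bit is set (and fills sig with the
 * vendor string), 0 if it is clear, -1 if CPUID is not available here.
 * Caveat: the bit is trivially maskable by the hypervisor configuration,
 * so a 0 means "bare metal or a hypervisor that chose to hide", not proof. */
int hv_present(char sig[12]) {
    memset(sig, 0, 12);
#if HAVE_CPUID
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!(ecx & (1u << 31)))
        return 0;
    /* Leaf 0x40000000 lies above the basic-leaf maximum that __get_cpuid
     * enforces, so issue the raw instruction for the vendor string. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(sig + 0, &ebx, 4);
    memcpy(sig + 4, &ecx, 4);
    memcpy(sig + 8, &edx, 4);
    return 1;
#else
    return -1;
#endif
}

/* Convenience wrapper: just the status code, for callers that
 * do not need the vendor string. */
int hv_check(void) {
    char sig[12];
    return hv_present(sig);
}

int main(void) {
    char sig[12];
    int r = hv_present(sig);
    if (r < 0) {
        puts("CPUID not available on this architecture");
    } else if (r == 0) {
        puts("hypervisor bit clear: bare metal, or a hypervisor hiding itself");
    } else {
        const char *name = hv_vendor_name(sig);
        printf("hypervisor present: %s (%.12s)\n",
               name ? name : "unknown vendor", sig);
    }
    return 0;
}
```

Build with `cc -O2 vmcheck.c -o vmcheck` and run it inside and outside a VM. The practical takeaway for the "hide from researchers" point made above: because this bit and vendor leaf are under the hypervisor's control, a sandbox that clears them (most hypervisors expose a setting for this) defeats this particular check, which is why malware authors stack several checks rather than trusting one.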