We know the infection Houdini – Dinihou everyone call “USB shortcut Virus.”
A new variant begins to appear, it is slightly different because it uses a different extension:
.wsf (Windows Script File).

This programming language allows mixing JScript and VBScript scripting languages into a single file, or other scripting languages.
These types of scripts can also be used to connect many other external scripts together with a tag system as HTML.
This leaves a good margin of evolution to this infection ..

Like the previous version, the malicious script is encoded multiple times :

UsbFix detect and remove this variant, for now only the one below is known but UsbFix is set to detect this variant in all form as possible.

UsbFix Detection: Microsoft Excel.WsF

Deleted! C:\Users\%Username%\AppData\Roaming\Microsoft Office\Microsoft Excel.WsF
Deleted! J:\Microsoft Excel.WsF
Deleted! HKU\S-1-5-21-1222349982-3771650499-2065109334-1000\Software\Microsoft\Windows\CurrentVersion\Run|Microsoft Excel
Deleted! J:\CO.lnk
Deleted! J:\.lnk
Deleted! J:\RECYCLER.lnk
Deleted! J:\TO CHECK.lnk
Deleted! J:\USB Show.lnk
Deleted! J:\DropboxInstaller.lnk
Deleted! J:\Eliminar-Virus-y-Accesos-Directos.lnk
Deleted! J:\REVISTA 174.lnk
Deleted! J:\Mensajes 1 de abril.lnk
Deleted! J:\Logo para la Fiesta de la Francofonía.lnk
Deleted! J:\Files.lnk
Deleted! J:\Abril 2.lnk
Deleted! J:\Autorun.inf.lnk
Deleted! J:\Abril 3.lnk
Deleted! J:\Abril 4.lnk
Deleted! J:\Abril 5.lnk
Deleted! J:\.Trashes.lnk
Deleted! J:\.Spotlight-V100.lnk
Deleted! J:\.fseventsd.lnk
Deleted! J:\Regiones de Colombia.lnk
Deleted! J:\Abril 7.lnk