Ok, I found this interesting worm on a friend's heavily infected PC. It creates autorun.inf files to infect all partitions, drives and USB sticks, makes its copies here and there, and acts as a file infector too. Connects out as well. A very interesting feature is that this worm minimizes or hides the working windows/GUI of many security software and system analysis tools like MBAM, CFP configuration windows, Process Explorer, Gmer and many others. On the infected system I was unable to run any system analysis tools or antimalware except HitmanPro, SAS Portable and Panda Cloud AV. It stopped me from using MBAM, Gmer, Process Explorer, ThreatFire and some other tools.

Ok, what is the bypass:

1- For CFP and MD, it's a partial bypass. Once allowed to execute and make its copies, CFP and MD can't intercept and stop the worm from hiding the windows/GUI of Process Explorer and some other tools/software. It's very interesting as I remember not long ago, there was a POC discussed here which was able to hide the GUI of any application, and almost all HIPS at that time failed to intercept this behavior. It's very interesting to see such behavior in a malware that is in fact in the wild.

2- More interesting, I ran the worm as untrusted inside GesWall. Still it was able to hide/minimize the GUI of Process Explorer running as trusted. SBIE handled this well. I was not able to test DW though.