The Changeup worm which spreads the Zeus banking trojan has become more prevalent researchers say.
In a six-day period from 23 November Symantec found Changeup detections rose from 8000 to more than 14,000 cases.
The worm, also known as AutoRun, was capable of infecting users' machines that run older Windows operating systems that used the AutoRun feature by default.
But the outbreak of Changeup was not as widespread as some previous AutoRun worms.
In February last year, Microsoft released updates designed to disable AutoRun for users of Windows XP, 2003 and Vista.
Conficker ran rampant for years by attempting to abuse the AutoRun feature, along with other Windows vulnerabilities. Conficker impacted millions of machine worldwide and remained one of the top threats affecting unpatched machines.
Symantec security response operations manager Liam O Murchu told SC victims executable files named 'secret', 'porn', 'sexy' and 'password' within profile directories were signs of infection.
“When it copies itself onto a USB or removable drive, it will copy itself to the same name as legitimate folders, and use that icon,” O Murchu said.
“Then it will set the machine to hide the legitimate folder or file. It's definitely using camouflage tricks. It's not using any advanced techniques, but they can still be very effective for people who are not aware of them.”
Sophos senior security adviser Chester Wisniewski, said malicious code delivered with Changeup varied depending on the location and time of infection.
“The instances we investigated downloaded banking trojans belonging to the Zeus/Zbot family, but can frequently change based on time of day or geographic location,” Wisniewski said.
In addition to disabling AutoRun, researchers advised users to update Windows to avoid infection.