Because it's very new, the earliest date I've found is Oct. 25th, but most
HJT logs containing it are from within the last week. Since it appears to be
a downloader rather than a specific known piece of malware, it's taking time
to get classified.

It appears that at least some distribution of the NTOS.EXE file itself may
have occurred via compromised Invision Power Board based forums, meaning it
could have been installed when logging into a web forum, even a generally
trusted one. Both exploits within the IPB platform code and PHP exploits
commonly place such forums at risk of compromise, which you can see could be
very dangerous.

As for Robin's apparent infection, Stu is absolutely correct, she should
post an HJT log to a good Malware Removal forum to double check. Though most
malware is noisy and visible, trojans often hide and/or collect info
silently. Since the downloader used was new and only recently known,
delivered malware could be also.

What you're seeing is the relatively less common discovery of a new class of
malware, something totally unknown to the antimalware community, so unlike a
new version of something already known, the process to identify and classify
takes time to flow through the back channels. That's why VirusTotal and other
front channels are so important, since they help to move the info faster by
providing the potential malware to everyone in their respective community.

Bitman