Well, you knew it was going to happen sooner or later. Despite the elaborate security precautions, a new build of Windows 7 has escaped into the wild.
According to AeroExperience, the new build originally appeared in the form of a virtual hard drive, but some other reports I’ve heard suggest that the VHD file has now been modified into a fully installable disk image.
Paul Thurrott has a screenshot gallery that doesn’t show much more than we already knew.
Ed Bott (@ wordpress.com) 
A commenter on a very popular Torrent site (Arrgh!) claims that an executable in the ISO is infected with the Win32.Sober Worm. I have no idea if it’s true, a prank or someone trying to scare people off using unlicensed software. As much as I’d like to try out Windows 7, I’m staying away.
Carl, I’ve seen scans of two systems using two up-to-date antivirus programs, both of which came up clean. Of course, I would not assume that a random ISO on a random torrent site is the same as the one that I saw tested. I certainly would never install any executable, much less an operating system, that I downloaded from a torrent site. That’s like painting a target on your chest and then standing in front of a firing range.
Ok I’m scanning Windows 7 build 6956 using Windows defender and got this message during scan ” Premliminary scan results show that malicious or potentially unwanted software might exist on your system. You can review detected item when the scan has completed.” Is this normal in the beta build?
TJ, that is not normal. If you downloaded something from a torrent, there is a strong likelihood that it contained something you don’t want.
Follow-up: It appears that this message may be just a bug in the implementation of Windows Defender in this build of Windows 7. After the scan completes, it doesn’t show any malware or potentially unwanted software discovered, correct?
yes it doesn’t show anything after Windows Defender finish the scan.
I’ve run Spybot twice on Windows 7 Build 6956 (dualbooted easily with Vista) which is spectacular, light and fast. The Win32.Sober dialer which it found both times in System32/conhost.exe is not removed when Spybot “fixes” it, prob since it is a system file. However, the torrent comments make a convincing case that it is a false positive. I’m about to run Bitdefender online scan on it. Problem is that many av’s interpret various hacks as malware, which of course they are to billionaires.
Greg, I am reasonably certain this is a false positive.
Avast boot, Bitdefender online and Eset Nod32 downloaded all came up clean with my 6956. The only question that lingers is a forum post from a guy who showed a screen shot of his Processes list with about a dozen running conhost.exe processes, which he sez he turned off without effect. That was kinda scarey when you consider that the top of my Task Manager has now been lopped off and only displays the running programs box, keeping me from even checking my own running processes. Hey, I’m paranoid, but wtf?