Virus or No Virus?
Last week on two separate occasions I had the Kaspersky AV server dish out virus warnings. After investigating, it turns out the warnings were for the same user and for two different USB keys. Problem is she is running a Mac at home and the USB keys were brand new and only touched her Mac and PCs in school.
Kaspersky flagged up the following:
Event Detection of viruses, worms, Trojans, hack tools happened on computer in the domain at Fri Sep 18 08:07:05 2009 File E:\autorun.inf: detected virus 'Worm.Win32.AutoRun.gsx'. User: , computer: localhost.
My query is this: is Kaspersky just wrongly flagging up an autorun exe as a virus, or is it a virus? The user does not have any AV at home on the Mac.
Are there any known Mac viruses about?
A Kaspersky search points me to here - Viruslist.com - Worm.Win32.Autorun.cpe, but it's for Windows.
On all domain PCs I have disabled autorun and EXEs being run via GPO.
I don't know whether I need to chase this any more or put it down to Kaspersky doing its job.
Should I advise the staff member to get an AV for a Mac?
The USB key is not usable on the computer as it does not load. I might give her a new USB key; that way I will know it was clean when I gave it to her, and the ones I give out do not have any software to load to run.
Recycler is a problem for AVs to remove, even NOD32. To remove it I took the HDD out, put it in our Linux machine and removed it manually; otherwise it would keep showing up. Worked each time (same with the Bro Act virus!).
Hope that helps.
No matter the computer, it's always worth having AV. There are viruses now for all OSes as far as I'm aware, including a handful of proof-of-concepts for phones.
Originally Posted by gmiller
"Are there any known Mac viruses about?"
Regardless of what anyone tells you, no. AFAIK there have been some Mac-specific viruses 'created' in laboratory environments only. There has been a slight increase in Mac-specific trojan horses and malware: from zero to possibly five or six in the last 1-2 years? To be honest I don't keep track of them as they are easily removed and don't hang around for long.
This does not mean to say you should not protect Mac clients in a Windows environment. Viruses can sit inert on a Mac client and transfer across a network, on a memory stick or by some other means to infect PC clients very easily.
In education it makes sense to add Mac clients to your AV strategy. You have no control over what students get up to away from school. I've yet to meet a teenager that is not using BitTorrent, Kazaa, Limewire or something else to download or share information with someone else.
Couple this culture with a memory stick and easy access to Macs and PCs at school and you could have a recipe for disaster. I know of one location where the recent Conficker virus was introduced this way.
The good news is the AV strategy you have in place seems to be working.
Antonio Rocco (ACSA)
She must have got that virus from a PC, or it was already on the drive when she bought it, or she downloaded an infected file on the Mac and perhaps ran a virtual machine or Boot Camp. It will not affect a Mac at all as it is a Windows virus (.exe).
It is possible that Macs (and Linux) can be affected by a rootkit, trojan (perhaps from pirated software) or weak passwords, although this is fairly unlikely. There are no known viruses or worms for OS X.
e.g. HP ProLiant USB key riddled with worms - The Register
As mentioned this is certainly an infection, and one that wants looking after. It's one of a fair few Conficker-a-likes, and can prove to be a right pain in the backside for your network and/or workstations.
Look out for any autorun.inf on USB pens. A couple of big brand ones might have them legitimately, but open them up and see what's inside. More often than not, you'll get what you have: it pointing to an EXE file in a fake Recycling Bin folder. The two most common I'm picking up recently are recycld.exe and INFO/INFO2 files. These will spread like wildfire on USB pens via infected machines (almost certainly not Macs) and, at risk of repeating someone else, the best solution is to get hold of a bootable Linux live CD (Ubuntu is a good bet) and use that to boot any PC, and then to clean USB pens. Just boot up, insert the pen drive, and delete the autorun and recycld folders. Make sure you press Ctrl+H to show hidden files.
If you see a pen with lots of hidden .cmd, .com or .exe files in the root, you have a more serious infection which is either akin to, or actually, Conficker, and it's time to start serious quarantine and disinfection procedures.
I've got a little cheat sheet for staff members with some website addresses to obtain trustworthy, free antivirus and anti-malware software for their home systems. It's surprising how many folks run Norton from buying it then never, ever update either it or the subscription (probably a good thing in the long run!). Although their home system isn't our responsibility, it makes you look good. After all, it's for the good of our networks :D
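The checks the post above describes (an autorun.inf whose launch target points into a fake Recycler folder, INFO/INFO2 droppings, stray .cmd/.com/.exe files in the root) can be scripted for triage on a Linux live CD. The following is an added example, not code from the thread or from any AV product; the sample key it builds in a temp directory is constructed, and the file names it looks for are the ones quoted in the post. The hidden attribute is not visible on a Linux mount, so the script flags every executable in the root rather than only hidden ones.

```python
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".cmd", ".com", ".bat", ".scr", ".pif", ".vbs"}
# Names quoted in the post as the fake Recycling Bin pattern.
SUSPECT_NAMES = {"recycler", "recycled", "recycld.exe", "info", "info2"}


def parse_autorun(text):
    """Return the launch targets in an autorun.inf: open=, shellexecute= and shell\\*\\command=.
    Hand-rolled so junk lines that would choke a strict INI parser are simply skipped."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets.append(value)
    return targets


def scan_drive(root):
    """Triage the root of a mounted USB key; returns a dict of findings (nothing is deleted)."""
    root = Path(root)
    report = {"autorun_targets": [], "root_executables": [], "suspect_paths": []}
    for entry in root.iterdir():
        name = entry.name.lower()
        if name == "autorun.inf" and entry.is_file():
            report["autorun_targets"] = parse_autorun(entry.read_text(encoding="latin-1", errors="replace"))
        elif entry.is_file() and entry.suffix.lower() in EXEC_EXT:
            report["root_executables"].append(entry.name)
        if name in SUSPECT_NAMES:
            report["suspect_paths"].append(entry.name)
    # The thread's signature: autorun.inf launching something inside a Recycler-style folder.
    report["fake_recycler"] = any("recycl" in t.lower() for t in report["autorun_targets"])
    return report


def build_sample_key():
    """Constructed sample: a temp dir laid out like the infected key described in the thread."""
    d = Path(tempfile.mkdtemp(prefix="usbkey_"))
    (d / "autorun.inf").write_text("[AutoRun]\nopen=RECYCLER\\recycld.exe\n"
                                   "shell\\open\\command=RECYCLER\\recycld.exe\nicon=shell32.dll,4\n")
    (d / "RECYCLER").mkdir()
    (d / "RECYCLER" / "recycld.exe").write_bytes(b"MZ")   # placeholder, not a real binary
    (d / "INFO2").write_bytes(b"")
    (d / "x.cmd").write_text("@echo off\n")
    (d / "report.docx").write_bytes(b"PK")                # benign file, must not be flagged
    return d


if __name__ == "__main__":
    print(scan_drive(build_sample_key()))
```

Point `scan_drive()` at the mount point of a real key (e.g. `/media/usb`) to get the same report before deciding what to delete.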
Hi, thanks for the answers. Will clean the keys and recommend the user gets an AV for the Mac.
Anyone recommend a good one for a Mac? I will search the forum in the meantime.
Told the staff member to download http://www.clamxav.com/ and run it. She has reported back this morning that there was some kind of autorun virus on her Mac. A good warning to others about the possible transfer from unprotected Macs to PCs via USB keys.
I've had Macs off and on since 1991 and they seem remarkably resilient to onslaughts both on and off the net. Have been on the internet for 10 years with no problems at all as yet (apart from the current Mac beginning to get past it at 6 years old and not being able to update Java to the newest version).
Originally Posted by gmiller
Oh, and Kaleidos has issues, but I'm not changing my computer yet just so I can access THAT properly at home!
I always check bleepingcomputer.com if I don't know what something is.