27th September 2007, 07:46 PM #1 USB Flash Disk - autorun.inf - nightmare
Since staff and students have returned we've had problems where USB flash disks keep creating an autorun.inf which points to recycler, which I guess means that a recycle bin is being created on the removable media. The autorun.inf, or what it's trying to execute, is blocked by the software restriction policy. This makes it pretty awkward for users to access their disks.
Has anyone seen this, got any suggestions? Thanks
-
-
28th September 2007, 02:32 PM #2 Re: USB Flash Disk - autorun.inf - nightmare
It's a trojan. If you get rid of it effectively, let me know how.
http://www.edugeek.net/index.php?nam...wtopic&t=10847
http://www.edugeek.net/index.php?nam...wtopic&t=10834
Anyone got any good ideas for preventing infection in the first place?
I have disabled autorun in the registry for all drives; that helps.
On writable server shares I have created a fake recycled folder and an empty autorun.inf and locked them so they can't be overwritten, to stop it spreading.
If you're using Sophos then you will have to add .INF as an extension to be scanned.
PS. This one is a pain in the ARSE
-
-
28th September 2007, 03:08 PM #3 Re: USB Flash Disk - autorun.inf - nightmare
Thanks for the response, I'm not sure if this is the same issue. This is the contents of the autorun.inf that we have appearing:
[AutoRun]
Open= .\RECYCLER\INFO
shell\Open\command= .\RECYCLER\INFO
shell\open\Default=1
shell\explore\Command= .\RECYCLER\INFO
Does this look like a different issue? ta
-
-
28th September 2007, 03:36 PM #4 Re: USB Flash Disk - autorun.inf - nightmare
Different virus, same attack vector though.
What antivirus are you using?
Make sure autorun is disabled for all drives to stop it spreading, because when it gets on a network share, BLAM, all clients reading that share with autorun enabled will get infected.
Windows Registry Editor Version 5.00

; 0xFF sets the no-AutoRun bit for every drive type
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
If it gets on a network share then check who the owner of autorun.inf is, and that will lead you to any infected machines.
-
-
29th September 2007, 06:12 PM #5 Re: USB Flash Disk - autorun.inf - nightmare
I guess I just assumed it wasn't a virus because there was no mention of a file with a .exe extension, but since it's called by open\command it doesn't need one.
It sounds most like this one, I'll look into it further next week.
We're using Symantec AVCE, but I'll try the Trend Micro online scanner on some suspect machines. Cheers.
-
-
4th October 2007, 11:51 AM #6 Re: USB Flash Disk - autorun.inf - nightmare
It looks like our AV is now cleaning this properly (W32.SillyDC as Symantec classify it). The executable on the computer seems to be c:\windows\system32\RUNDLL64.exe in this instance.
-
-
6th October 2007, 05:19 PM #7 Re: USB Flash Disk - autorun.inf - nightmare
I'm having plenty of this with Sophos at present! It's now decided to finally think that Sunflower Multimedia Science is virus riddled, but when I put it back and manually scan it, it's clean, but 48hrs later (aka 2 daily scan jobs later) it then decides it's virus riddled again! The virus it's spotting is about 4 months old as well, and it's only just found the blooming thing. I must admit I am getting very fed up with Sophos at present.
-
-
14th October 2008, 09:26 AM #8
I've gotten one of these now.
Got it on my admin machine when I found a lost memory stick in a computer room yesterday and was going to check for an owner. Neither AVG nor Kaspersky seem to be able to find it. I'm re-imaging that machine but that doesn't help the memory stick.
It seems to put an autorun.exe in the recycler and run it from there but when I look in the folder there is nothing there...
Anyone know of a removal tool for this one?
Code:
[autorun]
open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
shell\open\default=1
-
-
14th October 2008, 10:15 AM #9
Update.
I eventually tracked this down to a fake version of jusched.exe, the Java VM, but in C:\WINDOWS\ instead of Program Files\Java.
Having terminated that process I'm no longer getting the file replication.
For security, though, since the autorun.exe on the memory stick was never visible to the file system, I think I'm going to rebuild my admin machine anyway.
-
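The two autorun.inf files quoted in posts #3 and #8 share one trait a scanner can key on: every launch entry points into a recycle-bin folder. The following is an added example, not code from any poster in this thread, that parses autorun.inf text and flags such entries; the function names and the benign sample are constructed for illustration.

```python
import re

# Keys in the [autorun] section whose value is a command Windows may launch.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Recycle-bin folder names: the launch location used by both samples in this thread.
RECYCLE_DIR = re.compile(r"(^|[\\/])(recycler|recycled|\$recycle\.bin)([\\/]|$)", re.I)

# The autorun.inf contents quoted in posts #3 and #8, plus a constructed benign file.
POST3 = r"""[AutoRun]
Open= .\RECYCLER\INFO
shell\Open\command= .\RECYCLER\INFO
shell\open\Default=1
shell\explore\Command= .\RECYCLER\INFO"""
POST8 = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
shell\open\default=1"""
BENIGN = "[autorun]\nopen=setup.exe\nicon=setup.exe,0"  # constructed sample


def autorun_commands(text):
    """Return (key, target) pairs for every command entry in the [autorun] section."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()   # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if COMMAND_KEY.match(key):                 # skips icon, action, default, labels
            found.append((key.lower(), value))
    return found


def suspicious_entries(text):
    """Command entries whose target lives under a recycle-bin folder."""
    return [(k, v) for k, v in autorun_commands(text) if RECYCLE_DIR.search(v)]
```

Running `suspicious_entries` over the autorun.inf at the root of each removable drive or writable share gives a quick list of volumes to quarantine before anyone opens them in Explorer.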