W32/SillyFDC-D virus infecting pen drives

[selu]

W32/SillyFDC-D virus infecting pen drives and computers

Sophos detects the virus and quarantines it after a full system scan, but has no option to delete it.

This virus seems to be spreading via autorun.inf on any pen drive plugged into any infected computer uninfected computers instantly get infected.

After a full system scan from within windows the virus is then put into quarantine but remains on the pen drive ready to infect the next unfortunate laptop or computer it is plugged into to.

How do I check all the computers on the network for this worm virus when the system is running as a peer to peer network with no server to run enterprise console on?

Without having to manually fix 80+ possibly infected computers! I have looked on the Sophos website the fix looks like it might take 30-60mins per machine.
What should I do please help.

[contink]

Wouldn't the registry fix to turn off auto-run have the desired effect?

Not sure how you do that on a pendrive but that might give you an idea for a possible solution.

[contink]

Found what I was looking for...

Technet :: Disables the Autoplay feature on all drives of the type specified

[ChrisP]

Disabling autoplay is not a fix sadly.

A more robust solution is here: One quick trick prevents AutoRun attacks

[selu]

Thanks for the quick replys I will be using the reg fix but what do I do now with the 80 that may be already infected when sophos will not remove it itself why did it not stop it itself on the way in ? Have I missed something or do you need enterprise to set no access to viruses instead of just letting them in.

[Pete10141748]

We had the same thing happen here selu. No idea why sophos didnt catch it (it does now), but it casued total havok here for a few days!

We eventually got rid of it by going to each infected computer/laptop (including staff and pupil laptops too), and doing the following;


Open a cmd prompt, and type;
del C:\autorun.* /f /a /s /q

this removed the file and gave access back to the infected drive.

Next, open regedit and go to
HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run

look for any entries marked with "avpo.exe" and delete them.

lastly, do a registry search for "netde1ect.com" (notel thats a ONE, NOT a T!) and delete any entries you find.

1 machine clean. 79 to go We had about 120 to do here, took the best part of 3 days.

Oh, and if I were you, I'd make a very stern warning not to use USB memory sticks until you have finished every machine!

Hope that helps!

Pete


oh, almolst forgot, you'll need to change the del C:\ to whatever drive letter a usb stick is given to clean the sticks as well!

[selu]

Thanks this is the answer I was expecting loads of work.
Will post results. No more infections via this door since I presume?

[webman]

Fantastic.

Oh, it's this thread

[selu]

Thanks Pete this is the answer I was expecting loads of work.
Will post results. No more infections via this door since I presume?

[selu]

Sorry can this be deleted?

[FN-GM]

Was this suposed to be a PM or something?

[selu]

No i managed to create a new thread by accident. I have corrected it but now need a moderator to remove this as its not relevent to anything .
Steve

[FN-GM]

Oh right easy mistake to make they will probably lock the topic instead.

Z

[ChrisH]

Post merged let the confusion cease!

[selu]

Batch file
***********************
del C:\autorun.* /f /a /s /q
delrun.reg
fix.reg
del k:\autorun.* /f /a /s /q
***********************

Fix reg file
-----------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

--------------------------------------------------------------------------------------


Delrun.reg file
----------------------------------------------------------
Windows Registry Editor Version 5.00

-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\

--------------------------------------------------------------------------------

All works but delreg file wont delete the run key what am I doing wrong ?
I recon this might fix it via a login script if i can get it to delete the whole run folder