Something is spreading round on our mapped/removable drives. Basically what it seems to do is shove itself in the root of mapped/removable drives and set up an autorun so when you double-click it, Minesweeper or Notepad comes up. The file names are usually gibberish and are hidden system files.
Sophos doesn't seem to pick it up in its current state, which is troubling. It doesn't seem to do anything other than spread itself and set up the autoruns in the mapped/removable drive at the moment.
Anyone seen this?
Looks like it double posts as well.
I'll have a looksie around.
Have you got a spare box where you can place one of the infected and run NOD32 / ESET on it? Malwarebytes Anti-Malware is also worth running either before or afterwards.
Yeah the virus is on a virtual machine at the moment and being tested :D
You could submit it to VirusTotal and see if anything picks it up.
VirusTotal - Free Online Virus and Malware Scan
If Sophos isn't picking it up, and you've checked your Sophos installation is up to date, submit it to them too. They usually get an IDE update out fairly quickly in response.
Sample submission form - Sophos
OK, thanks for all the input guys. It turns out that Sophos did pick up the virus and cleaned it, but that's all it did. It left the files behind, so it was still doing the autorun thing but not propagating. I knew I'd seen a report about it before.
We've had similar floating around our system for months now - our lack of anti-virus software makes eradicating it somewhat impossible (fortunately, our lack of a real network also stops it spreading that much... It's a feature, not a bug...). My latest plan is to make our reimaging system also do anti-virus with ClamAV - boot the machines into Linux, scan the NTFS partition, reboot into Windows. I plan to write a script to remove the autorun.inf cruft.
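An added example, not part of any post in this thread: one way to audit a volume for the leftovers described above, assuming the drive is already mounted (for instance read-only from a Linux boot) at a path you pass in. It parses `autorun.inf` in the volume root and reports which launch targets are still sitting beside it, without deleting anything. The function names and the sample file names are constructed for illustration.

```python
import os
import re
import sys

# Keys in the [autorun] section that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample; the file names are made up, not taken from the thread.
SAMPLE = r"""[AutoRun]
; comment line
open=xkqzt.exe
shell\explore\command = "pqrw v.exe" /e
icon=shell32.dll,4
[Other]
open=ignored.exe
"""

def parse_autorun(text):
    """Return the distinct programs the [autorun] section would launch."""
    targets, in_section = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and value:
                # Program name is the first token; a quoted name may contain spaces.
                prog = value[1:].split('"', 1)[0] if value[0] == '"' else value.split()[0]
                if prog not in targets:
                    targets.append(prog)
    return targets

def audit_volume(root):
    """Report autorun.inf in a mounted volume's root and the files it points at."""
    entries = {name.lower(): name for name in os.listdir(root)}  # NTFS names vary in case
    if "autorun.inf" not in entries:
        return None
    inf_path = os.path.join(root, entries["autorun.inf"])
    with open(inf_path, encoding="latin-1") as handle:  # latin-1 never fails to decode
        targets = parse_autorun(handle.read())
    present = [entries[t.lower()] for t in targets if t.lower() in entries]
    return {"inf": inf_path, "targets": targets, "present_in_root": present}

if __name__ == "__main__":
    for mount_point in sys.argv[1:]:  # e.g. a read-only NTFS mount
        print(mount_point, audit_volume(mount_point))
```

Targets listed under `present_in_root` are the files to hand to the scanner or quarantine; targets that are missing point to an `autorun.inf` left behind after a partial clean-up.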