
Autorun.inf Virus Remains Undetected

Created: 25 Jan 2009 • Updated: 21 May 2010 | 15 comments

Why in the world does Symantec Endpoint Protection 11.x not detect the AUTORUN.INF virus with the most up-to-date virus definitions? All my drives open in a new window with a KLIF.SYS error. I am not talking about the autorun.inf file which automatically starts an application on a CD/DVD-ROM.

I can see SEP scan the file without raising any alert, and all my drives open in a new WINDOW!!!!!

Any solution?


S1l3nc3 pl3as3 wrote:

That's a technology that is growing tremendously.

Can't blame Symantec for it. All the vendors are battling against autorun.

Your best bet would be to submit the file at https://submit.symantec.com/websubmit/platinum.cgi or https://submit.symantec.com/websubmit/gold.cgi, depending upon your contract.

 

cable mite wrote:

If only the autorun.inf is submitted, without the related binary that it was calling, there is not much that support can do.

In this case, since he mentions there is an error from a .sys file, I suspect the actual virus is dead and only the autorun.inf remains. In that case we would probably need to edit MountPoints2 in the registry and delete the .inf in the root of each drive.

Painful if you have 1000s of PCs.

------------------------------------------------------------
MR99 will fix it all.

ShadowsPapa wrote:

Best solution: disable autorun, period.

You don't REALLY need it.

It's a convenience, and mainly for the bad guys.

Our computers won't launch anything automatically from any removable drives, period. We're done with that garbage.

S H R I Q U E wrote:

I deleted files in the registry hive MOUNTPOINT2. They all had the extension CMD with the file name uvsqfgwd.

When I logged off the computer and logged back on again, it reappeared in the registry and all drives are again opening in a new window as before. I have tried ESET, McAfee, SEP, and Kaspersky, but ESET's response has been quite a bit better than the other vendors'.

Most of the time I adopt the following technique to get rid of this. I go into each drive and type attrib -s -h -r. It lists the autorun.inf file, and I delete the autorun.inf file (size roughly 104 KB). Then I close the EXPLORER.EXE process and restart EXPLORER.EXE again. Then in each drive it lists all infected files with the CMD extension, and I delete them. This strategy has a success rate of 75%, much better than any other AV solution.

Regards

 

S1l3nc3 pl3as3 wrote:

Believe me, you could have had a 100% rate by now (probably long ago) had you submitted a sample.

 

S H R I Q U E wrote:

Well, today I submitted the autorun.inf file and I got the following response from Symantec.com:

"Developer notes:

autorun.inf: This is the malformed autorun.inf file which is used by a malicious program. You should delete this."

I know that I need to delete it, but what about its subsequent reappearance?

 

 

S1l3nc3 pl3as3 wrote:

Zip and submit the executable that's being called from autorun.inf. That should be enough. In the description, mention whatever is appropriate.

 

brav wrote:

Try this:

Go into Device Manager | View | Show Hidden Devices.

Look for non-plug-and-play drivers.

Search for any unfamiliar drivers and see what process they use by looking at the properties.

It's most likely that the virus has installed itself as a service on the machine that initiates at startup and re-creates the files.

It will most likely be a file in C:\Windows\System32\drivers\

I do have problems with the antivirus detection and removal features of SEP... there are several threats listed with removal instructions on Symantec's website, yet SEP either fails to remove or fails to detect... Other vendors' software is just as hit and miss, although Kaspersky's seems the best I've seen so far.

m00
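The Device Manager walk brav suggests (hidden devices, non-plug-and-play drivers, check what each one runs) can be done from a script so the result is a list rather than a series of property dialogs. The following is an added example, not code from the thread or from Symantec: it enumerates system drivers through WMI, resolves the on-disk path, and checks each binary's Authenticode signature so an unfamiliar unsigned file under System32\drivers stands out. Function names are mine. It changes nothing on the machine.

```powershell
# Added example (not from the thread): list system drivers with their start
# mode, resolved binary path and signature status. Function names are my own.

function Resolve-DriverPath {
    param([string]$PathName)
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\x.sys      -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\x.sys -> C:\Windows\x.sys
    if (-not [IO.Path]::IsPathRooted($p)) {                  # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverInventory {
    $rows = @()
    foreach ($drv in (Get-WmiObject -Class Win32_SystemDriver)) {
        if (-not $drv.PathName) { continue }
        $path = Resolve-DriverPath -PathName $drv.PathName
        if (Test-Path -LiteralPath $path) {
            # Status is Valid / NotSigned / HashMismatch / UnknownError etc.
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else {
            $sig = 'FileMissing'
        }
        $rows += New-Object PSObject -Property @{
            Name      = $drv.Name
            StartMode = $drv.StartMode   # Boot / System / Auto / Manual / Disabled
            State     = $drv.State
            Path      = $path
            Signature = $sig
        }
    }
    return $rows
}

# Show only what deserves a second look: anything not carrying a valid signature.
Get-DriverInventory |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, StartMode, State, Signature, Path -AutoSize
```

Treat the output as a shortlist, not a verdict: some legitimate third-party drivers are unsigned on older systems, and a driver that re-creates autorun.inf files at startup is exactly the kind of thing that would show up here with StartMode Boot or System and no valid signature. Whatever looks wrong is what should be zipped and submitted, as the earlier replies ask.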

Citlali wrote:

Autorun.inf files are not viruses. They can call other files that are malicious, but they can just as easily be calling a legitimate program. There's no way an antivirus program would be able to tell the difference, since autorun.inf is just a text file. It could simply say something like shellexecute=setup.exe. How would an antivirus scanner be able to tell what that setup is without scanning the actual executable?

David-Z wrote:

That is correct. We will almost never detect an Autorun.inf file, since it is essentially a text file. We would, however, be interested in whatever autorun.inf is pointing at.

Here is a document that might shed some light as well:

Title: 'How to prevent a virus from spreading using the "AutoRun" feature'
Document ID: 2008032111570648
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648?Open&seg=ent

Hope that helps!

Message Edited by David-Z on 01-27-2009 12:33 PM

David Z.

Senior Principal Technical Support Engineer, Symantec Corporation

Enterprise Security, Mobility and Management
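Two things in this thread fit together: S H R I Q U E's manual routine (attrib on each drive root, find autorun.inf, find the .cmd files, clean MountPoints2) and Citlali's and David-Z's point that the .inf is plain text and the interesting thing is what it points at. The following is an added example, not code from the thread or from Symantec, that does the inspection half of that routine read-only: it reports every autorun.inf on a drive root with its attributes and the open= / shellexecute= targets, and lists the per-user MountPoints2 shell commands that keep the "open in new window" behaviour alive. Function names are mine. It executes and deletes nothing, so it is safe to run before samples are collected.

```powershell
# Added example (not from the thread): read-only triage of autorun.inf files
# and MountPoints2 shell verbs. Function names are my own.

function Get-AutorunTargets {
    param([string]$Path)
    $targets = @()
    foreach ($line in (Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue)) {
        # Keys an [autorun] section uses to launch or point at a binary.
        # -match is case-insensitive by default, so OPEN= and open= both hit.
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\]+\\command|icon)\s*=\s*(.+)$') {
            $targets += New-Object PSObject -Property @{ Key = $Matches[1]; Target = $Matches[2].Trim() }
        }
    }
    return $targets
}

function Get-AutorunReport {
    $report = @()
    foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force so a hidden+system file (the usual attrib trick) is still returned.
        $item = Get-Item -LiteralPath $inf -Force
        if ($item.PSIsContainer) { $targets = @() } else { $targets = Get-AutorunTargets -Path $inf }
        $report += New-Object PSObject -Property @{
            Drive      = $drive.Root
            IsFolder   = $item.PSIsContainer   # True means the "folder named autorun.inf" workaround is in place
            Attributes = $item.Attributes.ToString()
            Targets    = $targets
        }
    }
    return $report
}

function Get-MountPoints2Commands {
    # Per-volume shell verbs Explorer consults when a drive is double-clicked.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    $found = @()
    foreach ($vol in (Get-ChildItem -Path $base -ErrorAction SilentlyContinue)) {
        $shell = "$($vol.PSPath)\Shell"
        if (-not (Test-Path -Path $shell)) { continue }
        foreach ($verb in (Get-ChildItem -Path $shell)) {
            $cmdKey = "$($verb.PSPath)\command"
            if (Test-Path -Path $cmdKey) {
                $found += New-Object PSObject -Property @{
                    Volume  = $vol.PSChildName
                    Verb    = $verb.PSChildName      # AutoRun / open / explore ...
                    Command = (Get-ItemProperty -Path $cmdKey).'(default)'
                }
            }
        }
    }
    return $found
}

'--- autorun.inf on drive roots ---'
Get-AutorunReport | Format-List Drive, IsFolder, Attributes, Targets
'--- MountPoints2 shell commands (per user) ---'
Get-MountPoints2Commands | Format-Table Volume, Verb, Command -AutoSize
```

On a clean machine both lists are empty. A hidden+system autorun.inf whose open= target is a .cmd or .exe in the drive root, together with a MountPoints2 AutoRun or open verb pointing at the same file, is the pattern the earlier posts describe; that target file is the sample Symantec asks for, and it should be copied off (zipped) before the .inf, the .cmd and the registry verbs are removed, otherwise support only ever sees the text file.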

thai wrote:

Autorun.inf is not a virus, but it is malicious. There is an alternate solution to block a repeat attack from the same. Delete it manually from the drive where it attacked, then create one blank folder named autorun.inf. This will stop further attacks.

S1l3nc3 pl3as3 wrote:

Thai just let the secret out.

A file cannot override a folder with the same name.

This is a very good temporary workaround that we had to implement through scripts for a client who was once affected by SillyFDC.

 

Jeremy Dundon wrote:

One more thing for the folder autorun.inf...

You need to put a file in it, otherwise a smart virus writer will still find a way to delete it.

sandra.g wrote:

Even better, make the file read-only :)

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!
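The workaround thai, S1l3nc3 pl3as3, Jeremy Dundon and sandra.g assemble across the last few replies (a folder named autorun.inf, a file inside it so the folder is not empty, everything read-only) is the kind of thing S1l3nc3 pl3as3 says they scripted for a client. The following is an added example of such a script, not code from the thread or from Symantec; function names are mine. It refuses to touch a drive where autorun.inf already exists as a file, since that file is evidence and should be inspected and submitted first.

```powershell
# Added example (not from the thread): occupy the name autorun.inf with a
# read-only, hidden, system folder containing a read-only file, on every fixed
# and removable drive. Function names are my own.

function Protect-DriveRoot {
    param([string]$Root)
    $dir = Join-Path $Root 'autorun.inf'
    $locked = [IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    if (Test-Path -LiteralPath $dir -PathType Leaf) {
        # A file already holds the name: leave it for triage rather than overwrite it.
        return "$Root autorun.inf is a FILE - not touched, inspect and submit it first"
    }
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -Path $dir -ItemType Directory | Out-Null
    }

    # Jeremy's point: an empty directory can be removed with one call, a
    # non-empty one cannot, so keep a marker file inside it.
    $marker = Join-Path $dir 'do-not-remove.txt'
    if (-not (Test-Path -LiteralPath $marker)) {
        Set-Content -LiteralPath $marker -Value 'Placeholder that keeps autorun.inf occupied as a folder.'
    }

    # sandra.g's point: make the file (and the folder) read-only; hidden+system
    # keeps casual users from deleting it from Explorer.
    (Get-Item -LiteralPath $marker -Force).Attributes = $locked
    (Get-Item -LiteralPath $dir -Force).Attributes = $locked
    return "$Root autorun.inf folder in place"
}

function Protect-AllDrives {
    $results = @()
    # DriveType 2 = removable, 3 = local fixed disk (Win32_LogicalDisk values).
    foreach ($disk in (Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3')) {
        $results += Protect-DriveRoot -Root ($disk.DeviceID + '\')
    }
    return $results
}

Protect-AllDrives
```

Two caveats that the thread itself hints at. The folder trick is a "temporary workaround", as S1l3nc3 pl3as3 calls it: anything that already runs with write access to the drive root can rename the folder, reset its attributes, or on NTFS take ownership, and a FAT-formatted USB stick has no permissions at all. It makes the re-infection step noisier, it does not stop it. The durable fix is the one ShadowsPapa and the linked Symantec document give: disable AutoRun by policy so that no autorun.inf is honoured in the first place, and keep the folder as defence in depth.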