Flash Drive Shortcut Virus

Created: 07 Feb 2013 | 13 comments
Jordanco's picture


The problem is the so-called "shortcut" virus, which "transforms" all of the content into a shortcut that can't be opened, and you must show hidden folders, or you must change the attributes, and so on... The biggest problem is that SEP has no idea about the virus. I have this problem on 30+ computers with SEP 12.1.2 (with all components installed), Windows XP SP3 (patched).

So far I have followed the following suggestions from a previous post:

"To Harden your Network use these customized policies


LNK files (stuxnet and other worms)


+ Used Power Eraser, which did not solve the problem

With all the tweaking of the app & dev policy I managed to stop the virus from spreading; the executables from the infected USB are blocked, the content can be copied to the desktop, and the USB can be formatted and afterwards it's clean. This is no problem for me, but for someone in a location without an IT person who handles 30-40 USBs per day from different customers it's a problem. I have googled and sadly haven't found any software that solves this problem. I am pretty sure that SEP 12.1.2 does not even report that a virus is found. I hope that there is some standalone tool from Symantec.

Please Advise

13 Comments

Ashish-Sharma's picture

In your case, it is advisable to follow a few important steps:

1) Make sure all these machines are Patched with ALL Latest MS security patches and service packs.

2) Make sure the machines are installed with the Latest Symantec virus definitions.

3) Disable the Autorun Feature on the machine.

Preventing a virus from using the AutoRun feature to spread itself

Later, in case suspicious activity is still happening, follow the steps provided in the article below:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Check the below articles on handling infections.

Best practices for troubleshooting viruses on a network

Security Best Practice Recommendations

How to Use the Web Submission Process to Submit Suspicious Files

Security Response recommendations for Symantec Endpoint Protection settings

Check this thread

Thanks In Advance

Ashish Sharma

Vikram Kumar-SAV to SEP's picture

Connecting flash drives which have been used in unprotected machines is always a problem.

You can submit the samples and it will get detected.

But when in your organization there are people who handle 30-40 USB devices per day, then there has to be a reason or business need for that.

And I don't think it would be copying or running .exe files or .inf or .lnk files.

So at least for that department, or for all, block read of .lnk, autorun.inf and .exe from USB.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.

Jordanco's picture

Hi Vikram

For that department the policy is set to block read of .lnk, autorun, exe files, and that's why they can work "normally", but still the manual work remains: to copy the files, format the USB... There is a big business need for handling that amount of USB drives for that department; otherwise I would have blocked all USB flash drives with device control. I hope that someone will come up with a tool to fix this issue.
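The manual clean-up described in this thread (show hidden items, reset attributes) can be scripted as a triage pass over the root of a removable drive. This is an added example, not part of any post and not a Symantec tool; the parameter names and the assumption that each shortcut carries the name of the hidden item it replaced are illustrative.

```powershell
# Added example (not from the thread). Read-only unless -Unhide is passed.
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # removable drive, e.g. 'E:'
    [switch]$Unhide                                 # clear Hidden/System on masked items
)

$root  = Join-Path $Drive '\'
$items = @(Get-ChildItem -LiteralPath $root -Force)   # -Force lists hidden and system items

# Standard Windows folders that are hidden on purpose; never touched.
$skip = 'System Volume Information', '$RECYCLE.BIN', 'RECYCLER'

# File types the thread's policy blocks on USB: .lnk, .exe and autorun.inf
$isSuspect = {
    param($f)
    (-not $f.PSIsContainer) -and
    ((('.lnk', '.exe') -contains $f.Extension) -or ($f.Name -eq 'autorun.inf'))
}
$suspect = @($items | Where-Object { & $isSuspect $_ })

# Hidden items that are not themselves suspect: the user's data the shortcuts replaced.
$hidden = @($items | Where-Object {
    ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
    -not (& $isSuspect $_) -and ($skip -notcontains $_.Name)
})
# Assumption: a masking shortcut reuses the hidden item's name or base name.
$hiddenNames = @($hidden | ForEach-Object { $_.Name; $_.BaseName })

# Report each suspect file and whether it carries the name of a hidden item.
$suspect | ForEach-Object {
    New-Object PSObject -Property @{
        Name            = $_.Name
        MasksHiddenItem = ($hiddenNames -contains $_.BaseName)
        Attributes      = $_.Attributes
    }
} | Format-Table Name, MasksHiddenItem, Attributes -AutoSize

if ($Unhide) {
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    foreach ($h in $hidden) {
        $new = [int]$h.Attributes -band (-bnot $mask)
        if ($new -eq 0) { $new = [int][IO.FileAttributes]::Normal }
        $h.Attributes = [IO.FileAttributes]$new
        Write-Output "Unhid $($h.FullName)"
    }
}
```

The script deletes nothing and only inspects the drive root; suspect files it lists are left in place so they can still be collected and submitted as samples.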

Chetan Savade's picture


As of now there is no tool against this threat.

Is it getting detected as Trojan.gen or Trojan.gen2? SEP is not taking any action against it? It might happen that, due to a new variant of the threat, SEP is not taking any action against it. Check the risk log for more details; if possible, attach it to this thread.

Try to find out the original location where these .exe files are routing. Go to the properties of the file & try to find out the location.

Also run Symantec Support Tool (SST) on the machine while the external drive is connected. Make sure the external drive letter is added in SST.

SST will tell you about suspicious files; submit those suspicious files to Symantec. You will receive a tracking number within a few minutes after the submission.

Please share the tracking ID with me & I will try to check the status of it.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Vikram Kumar-SAV to SEP's picture

If SEP or NPE isn't catching it, then there is no tool.

SEP with the latest defs should catch it. If you are using SEP 12 on those machines, increase the SONAR level and use Insight as well.

The only thing you can do here is have a proactive approach, which you are already using.

If you are using SNAC, there is a policy where you can scan the USB sticks as they are plugged in.

But again, if SEP is not detecting it, then the best way is to submit the file.

Trust me, it's just a one-time pain. If you don't submit the file you will see the same infection every day and there will be manual work every day.

Once definitions arrive it will automatically get removed.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.

SMLatCST's picture

I'd be curious to find out how this is avoiding detection as well.  I've had reports of a similar issue, but only from users running SEP11 so far.

Can I ask the Symantec guys to post a link to the threat write-up if/when this is resolved?

I'm a little concerned that the threat managed to make all these changes when the OP has all components installed.

Jordanco's picture

Update on the situation.

3 computers left that are infecting every USB that is plugged in. One of the admins went on-site and scanned one of the computers with the bootable SEP Recovery Tool v2, providing the latest definitions on a USB. It reported back that no threat was found, so the customer used another AV and found the threats below. Once these threats were cleaned, that particular PC is not infecting USB drives.

The reported threats are:


HEUR: Trojan.Win32.Generic


Chetan Savade's picture


It's very necessary to submit the files to the Symantec response team because even after running SERT the issue still persists.

Please submit the suspicious files to Symantec. SST might take some time to collect the logs; however, the submission process is very easy and fast.

Once you have submitted the files to Symantec, please share the tracking ID with us & we will try to follow up on the same.

But until and unless we receive valid samples we can't move further.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Vikram Kumar-SAV to SEP's picture

If you could submit those files, next time you wouldn't have to do it manually again, or if it's there on any other machine it will automatically be picked up.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.

Jordanco's picture


Files were submitted and for two of them it's confirmed to be viruses. Later that day I downloaded rapid release definitions, and "desktop.ini" and "Thumbs.db" are recognized by SEP as viruses (previously they were not). I have opened a case with support to continue solving this issue.

Thanks for the help

Files Submitted





Not a threat



Not a threat






Not a threat



Trojan Horse

cus000's picture

Looks like a very new variant since not many vendors are able to detect it...

I guess I found your submission to VirusTotal lol

I didn't find any particular information about this threat, but the Microsoft folks are recommending to block autorun.inf since it usually comes from removable drives...

GeoGeo's picture

Has there been any update on this case? Quite interested in the outcome of this; have seen a few instances.

Please review ideas and vote there could be something useful :)

Jordanco's picture

A log from Process Monitor from one Windows 7 computer was uploaded to Symantec, and that computer does not infect USBs any more. I haven't checked other Win 7 computers (no one has complained, however).

However, there are a number of Windows XP SP3 computers that still infect USBs. I have uploaded logs from one XP machine and am waiting for a solution on that as well. I hope to close this case on Monday.