
Flash Drive Shortcut Virus

Created: 07 Feb 2013 | 13 comments
Jordanco:

Hi

The problem is the so-called "shortcut" virus, which "transforms" all of the content into a shortcut that can't be opened, and you must show hidden folders, or you must change the attributes, and so on... The biggest problem is that SEP has no idea about the virus. I have this problem on 30+ computers with SEP 12.1.2 (with all components installed), Windows XP SP3 (patched).

So far I have followed the following suggestions from a previous post:

"To Harden your Network use these customized policies

Autorun.inf

http://www.symantec.com/docs/TECH104909

LNK files (stuxnet and other worms)

http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=adc

Trojan

http://www.symantec.com/business/support/index?page=content&id=TECH95124&locale=en_US"

+ Used Power Eraser, which did not solve the problem

With all the tweaking of the app & dev policy I achieved stopping the virus from spreading: the executables from the infected USB are blocked, the content can be copied to the desktop, and the USB can be formatted and afterwards it's clean. This is no problem for me, but for someone in a location without an IT person who handles 30-40 USBs per day from different customers it's a problem. I have googled and sadly haven't found any software that solves this problem. I am pretty sure that SEP 12.1.2 does not even report that a virus is found. I hope that there is some standalone tool from Symantec.

Please advise.
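As an added example (my own script, not a Symantec tool and not code from this thread), the following audit checks the root of a mounted removable drive for the pattern described in the post: .lnk files that shadow a same-named (normally hidden) folder or file, plus the autorun.inf / desktop.ini / Thumbs.db droppers named later in the thread. The dropper watch-list and the dot-prefix "hidden" fallback on non-Windows systems are assumptions; the script only reports and prints the attrib commands that would unhide the originals, it changes nothing on the drive.

```python
import sys
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 attribute bits
FILE_ATTRIBUTE_SYSTEM = 0x4
# Root-level file names reported as droppers in this thread (watch-list is an assumption).
DROPPER_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}

def is_hidden(p: Path) -> bool:
    """Hidden/system bit on Windows; dot-prefix elsewhere (test fallback, an assumption)."""
    attrs = getattr(p.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
    return p.name.startswith(".")

def audit(root) -> dict:
    """Collect shortcut-virus indicators from the root of the drive at `root`.
    Nothing on the drive is modified."""
    root = Path(root)
    found = {"shadowed": [], "droppers": [], "hidden": [], "exe_at_root": []}
    entries = list(root.iterdir())
    by_name = {e.name.lower(): e for e in entries}
    for e in entries:
        low = e.name.lower()
        if e.is_file() and low in DROPPER_NAMES:
            found["droppers"].append(e.name)
        elif e.is_file() and low.endswith(".exe"):
            found["exe_at_root"].append(e.name)
        if e.is_file() and low.endswith(".lnk"):
            target = by_name.get(low[:-4])           # "Docs.lnk" shadows "Docs"
            if target is not None:
                found["shadowed"].append((e.name, target.name))
        if is_hidden(e) and low not in DROPPER_NAMES:
            found["hidden"].append(e.name)
    return found

def looks_infected(f: dict) -> bool:
    """Shadowing shortcuts plus at least one dropper or root-level .exe."""
    return bool(f["shadowed"]) and bool(f["droppers"] or f["exe_at_root"])

def attrib_commands(root, f: dict) -> list:
    """attrib lines that unhide the shadowed originals; printed, not executed."""
    return [f'attrib -h -s -r "{Path(root) / name}"' for _, name in f["shadowed"]]

if __name__ == "__main__":
    f = audit(sys.argv[1])                          # e.g. E:\ or /media/usb
    print("infected" if looks_infected(f) else "clean", f)
    print("\n".join(attrib_commands(sys.argv[1], f)))
```

Run it against the drive letter (or mount point) before copying anything off the stick; a drive that reports clean still deserves a full scan, since the droppers may carry other names.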


Ashish-Sharma:

In your case, it is advisable to follow a few important steps:

1) Make sure all these machines are patched with ALL the latest MS security patches and service packs.

2) Make sure the machines are installed with the latest Symantec virus definitions.

3) Disable the AutoRun feature on the machines.

Preventing a virus from using the AutoRun feature to spread itself

http://www.symantec.com/business/support/index?page=content&id=TECH104447

Later, in case suspicious activity is still happening, follow the steps provided in the article below:

Using the Symantec Support Tool, how do we collect the suspicious files and submit them to the Symantec Security Response team?

Check the below articles on handling infections.

Best practices for troubleshooting viruses on a network 

http://www.symantec.com/docs/TECH122466

Security Best Practice Recommendations 

http://www.symantec.com/docs/TECH91705

How to Use the Web Submission Process to Submit Suspicious Files

http://www.symantec.com/docs/TECH102419

Security Response recommendations for Symantec Endpoint Protection settings 

http://www.symantec.com/docs/TECH122943

Check this thread:

https://www-secure.symantec.com/connect/forums/usb...

Thanks in advance

Ashish Sharma

Vikram Kumar-SAV to SEP:

Connecting flash drives which have been used in unprotected machines is always a problem.

You can submit the samples and it will get detected.

But when in your organization there are people who handle 30-40 USB devices per day, then there has to be a reason or business need for that.

And I don't think it would be copying or running .exe files or .inf or .lnk files.

So, at least for that department or for all, block read of .lnk, autorun.inf and .exe from USB.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

Jordanco:

Hi Vikram

For that department the policy is set to block read of .lnk, autorun and .exe files, and that's why they can work "normally", but still the manual work remains: copy the files, format the USB... There is a big business need for handling that amount of USB drives in that department; otherwise I would have blocked all USB flash drives with device control. I hope that someone will come up with a tool to fix this issue.

Chetan Savade:

Hi,

As of now there is no tool against this threat.

Is it getting detected as Trojan.gen or Trojan.gen2? Is SEP not taking any action against it? It might happen that, due to a new variant of the threat, SEP is not taking any action against it. Check the risk log for more details and, if possible, attach it to this thread.

Try to find out the original location these .exe files are routed from. Go to the properties of the file and try to find out the location.

Also run the Symantec Support Tool (SST) on the machine while the external drive is connected. Make sure the external drive letter is added in SST.

SST will tell you about suspicious files; submit those suspicious files to Symantec. You will receive a tracking number within a few minutes after the submission.

Please share the tracking id with me and I will try to check its status.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Vikram Kumar-SAV to SEP:

If SEP or NPE isn't catching it, then there is no tool.

SEP with the latest defs should catch it. If you are using SEP 12 on those machines, increase the SONAR level and use Insight as well.

The only thing you can do here is have a proactive approach, which you are already using.

If you are using SNAC, there is a policy where you can scan the USB sticks as they are plugged in.

But again, if SEP is not detecting it then the best way is to submit the file.

Trust me, it's just a one-time pain. If you don't submit the file you will see the same infection every day and there will be manual work every day.

Once definitions arrive it will automatically get removed.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

SMLatCST:

I'd be curious to find out how this is avoiding detection as well. I've had reports of a similar issue, but only from users running SEP 11 so far.

Can I ask the Symantec guys to post a link to the threat write-up if/when this is resolved?

I'm a little concerned that the threat managed to make all these changes when the OP has all components installed.

Jordanco:

Update on the situation.

3 computers are left that are infecting every USB that is plugged in. One of the admins went on-site and scanned one of the computers with the bootable SEP Recovery Tool v2, providing the latest definitions on a USB. It reported back that no threat was found, so the customer used another AV and found the threats below. Once these threats were cleaned, that particular PC is not infecting USB drives any more.

The reported threats are:

Trojan-Downloader.Win32.Andromeda.gse

HEUR: Trojan.Win32.Generic

Trojan.JS.Fraud.fa

Chetan Savade:

Hi,

It's very necessary to submit the files to the Symantec Response team because, even after running SERT, the issue still persists.

Please submit the suspicious files to Symantec. SST might take some time to collect the logs; however, the submission process is very easy and fast.

Once the files are submitted to Symantec, please share the tracking id with us and we will try to follow up on them.

But unless and until we receive valid samples, we can't move further.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Vikram Kumar-SAV to SEP:

If you could submit those files, next time you wouldn't have to do it manually again, or if it's there on any other machine it will automatically be picked up.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

Jordanco:

Hi

Files were submitted and two of them are confirmed to be viruses. Later that day I downloaded Rapid Release definitions, and "desktop.ini" and "Thumbs.db" are now recognized by SEP as viruses (previously they were not). I have opened a case with support to continue solving this issue.

Thanks for the help

Files submitted:

Filename           MD5                               Determination
virus.zip          3894248b8b375267f5d6fe15469e698c  Not a threat
~$WWEPMOO.FAT32    abe13a58ab7dbb4936c696d52b7b5837  Not a threat
desktop.ini        f885a1e9cebeb4c9139af641a31adcb8  Downloader
NIKOLA(2GB).lnk    9f3dd7a45b95aa96570a04bfb9ad67b3  Not a threat
Thumbs.db          092b9f8fdb7fbbbd6672ea0796c6f01e  Trojan Horse

cus000:

Looks like a very new variant, since not many vendors are able to detect it...

I guess I found your submission to VirusTotal lol

https://www.virustotal.com/file/1e4ab059e0920b48ae...

https://www.virustotal.com/file/a7b59fc82da391ef02...

I didn't find any particular information about this threat, but the Microsoft folks are recommending blocking autorun.inf since it usually comes from removable drives...

http://www.microsoft.com/security/portal/threat/en...

GeoGeo:

Has there been any update on this case? I'm quite interested in the outcome of this; I have seen a few instances.

Please review the ideas and vote; there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

Jordanco:

A log from Process Monitor from one Windows 7 computer was uploaded to Symantec, and that computer does not infect USBs any more. I haven't checked the other Win 7 computers (no one has complained, however).

However, there are a number of Windows XP SP3 computers that still infect USBs. I have uploaded logs from one XP machine and am waiting for a solution on that as well. I hope to close this case on Monday.