
.lnk virus

Created: 14 Jun 2013 • Updated: 26 Jun 2013 | 9 comments
This issue has been solved. See solution.

I have found a virus on a USB drive which is not cleaned by Symantec.

It is a shortcut with the .lnk extension. Any answer on how to clean it?


pete_4u2002

Did you scan the USB?

Can you submit the file?

.lnk is a shortcut file; have you applied the Microsoft patches?

consoleadmin

Scan the USB device.

Check that the patches are up to date.

Submit the virus to Symantec Security Response:

http://www.symantec.com/security_response/submitsamples.jsp

Thanks.

SOLUTION
mehra007

I scanned the pen drive, but there was no detection of a virus.

Patches and Symantec are already updated.

I have not submitted the virus.

Mithun Sanghavi

Hello,

W32.Changeup.C is a worm that spreads through removable and shared drives by exploiting the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732).

W32.Stuxnet!lnk is a detection for .lnk files created by the W32.Stuxnet worm.

Bloodhound.Exploit.346 is a heuristic detection for files attempting to exploit the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732).

New Trojan.Shylock wave

https://www-secure.symantec.com/connect/blogs/new-trojanshylock-wave

The Shylock “LNK” Awakening

https://www-secure.symantec.com/connect/blogs/shylock-lnk-awakening

Could you please zip each of the files and submit the zip files (without password) to the Symantec Security Response Team on:

https://submit.symantec.com/websubmit/essential.cgi

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

Check these Articles:

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

So, as we see, the above threats appear when there are open vulnerabilities on the machines.

In your case, I would suggest the below Plan of Action:

1) Make sure ALL computers have Symantec EP installed with the latest / updated virus definitions.

2) Install ALL the latest Microsoft security patches / service packs on ALL machines.

3) Make sure ALL the client machines have the latest vendor patches installed.

4) Disable Auto play with GPO

http://support.microsoft.com/kb/953252

5) Disable the System Restore with GPO

http://support.microsoft.com/kb/283073

6) Disable Scheduled Tasks with GPO

http://support.microsoft.com/kb/310208

7) In case any shared / mapped drives are present, make sure these are password protected.

8) Scan ALL the machines...

Here are some excellent suggestions on how to keep your computers, their users and data safe:

http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
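The threats listed above all turn on what a .lnk file points at, so before submitting a sample it helps to look inside the shortcut rather than double-clicking it. The following is an added example, not code from this thread or from Symantec: a minimal parser for the Shell Link format (the public MS-SHLLINK layout: header, optional LinkTargetIDList, LinkInfo with LocalBasePath, then the StringData entries) plus a triage check for the pattern USB shortcut worms use, a shortcut that runs a command host such as cmd.exe to start a hidden executable and then opens the real, now hidden, folder as a decoy. The two sample shortcuts, their paths and the RECYCLER\update.exe name are constructed here for the demonstration and are not real malware.

```python
"""Minimal Windows Shell Link (.lnk) parser and triage check for shortcuts
found on removable media. Layout follows the public MS-SHLLINK spec; the
sample shortcuts at the bottom are constructed here, not real malware."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that say which optional sections follow the header
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x02, 0x04

# Command/script hosts a shortcut worm launches so the real payload is not the target path
COMMAND_HOSTS = ("cmd.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
                 "powershell.exe", "mshta.exe", "regsvr32.exe")


def _read_string(data, off, unicode):
    """StringData entry: uint16 char count, then chars (UTF-16LE when IsUnicode is set)."""
    count, = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252"), off + count


def parse_lnk(data):
    """Return the target path, arguments and other StringData of a .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    info = {"flags": flags, "file_attributes": attrs, "local_base_path": None,
            "name": None, "relative_path": None, "working_dir": None,
            "arguments": None, "icon_location": None}
    off = 0x4C
    if flags & HAS_ID_LIST:                      # skip the LinkTargetIDList entirely
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfo: pull LocalBasePath, skip the rest
        li_size, _hdr_size, li_flags = struct.unpack_from("<III", data, off)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath is present
            lbp_off, = struct.unpack_from("<I", data, off + 16)
            start = off + lbp_off
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        off += li_size
    unicode = bool(flags & IS_UNICODE)
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:
            info[key], off = _read_string(data, off, unicode)
    return info


def triage(info):
    """Reasons a parsed shortcut looks like one dropped by a USB shortcut worm (empty = clean)."""
    reasons = []
    target = (info["local_base_path"] or info["relative_path"] or "").lower()
    args = (info["arguments"] or "").lower()
    if target.rsplit("\\", 1)[-1] in COMMAND_HOSTS:
        reasons.append("target is a command/script host: " + target)
    if "/c " in args or " start " in args:
        reasons.append("arguments launch a second program: " + args)
    if info["file_attributes"] & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
        reasons.append("target file is marked hidden/system")
    return reasons


def build_lnk(target, arguments=None, attrs=0):
    """Construct a minimal .lnk: header + LinkInfo(LocalBasePath) + optional arguments."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments is not None else 0)
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID, flags, attrs,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # zero times, ShowCommand=SW_SHOWNORMAL
    path = target.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 17, 2, 0, 16) + b"\x00"   # DRIVE_REMOVABLE, empty label
    lbp_off = 28 + len(volume_id)
    suffix_off = lbp_off + len(path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x01, 28, lbp_off, 0, suffix_off)
    link_info += volume_id + path + b"\x00"                    # empty CommonPathSuffix
    strings = b""
    if arguments is not None:
        strings = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + strings + b"\x00\x00\x00\x00"  # terminal ExtraData block


# Constructed samples (not real malware): a normal shortcut and a worm-style one that
# runs cmd.exe to start a hidden executable and then opens the real folder as a decoy.
BENIGN = build_lnk(r"E:\Photos\holiday.jpg")
WORM_LIKE = build_lnk(r"C:\Windows\System32\cmd.exe",
                      arguments=r"/c start RECYCLER\update.exe & start Photos")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("worm-like", WORM_LIKE)):
        info = parse_lnk(blob)
        print(label, info["local_base_path"], info["arguments"], triage(info) or "clean")
```

To use it on a suspect drive, read each shortcut with `parse_lnk(open(path, "rb").read())` from a machine or sandbox where nothing renders the shortcut's icon. Note what this does not cover: the BID 41732 class of exploit (the Stuxnet-style LNK) lives in the LinkTargetIDList, which this parser skips rather than interprets, so it is safe against that block but will not flag it; those samples still belong with Symantec Security Response.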

mehra007

I submitted the virus to Symantec and am waiting for the result.

How do I unhide the files which were hidden by the virus?

technical_specialist

Hello,

Use the attrib command to unhide the files and folders.

The attrib command syntax is: attrib [+r|-r] [+a|-a] [+h|-h] [+s|-s] [d:][path]filename [/s] [/d] [/l]

You can use: attrib -h -r -a -s D:\*.* /s /d (replace D: with the drive letter of the USB drive; /s recurses into subdirectories and /d applies the change to the folders themselves)

KalpeshParmar

Hi,

Windows patches should be up to date.

Antivirus software definitions should be up to date.

If after all of the above your problem is not resolved, then I suggest you submit a virus sample to the Symantec team. The link is provided below:

http://www.symantec.com/security_response/submitsamples.jsp

consoleadmin

Symantec will analyze it and share the update with you via the rapid definition path. You can install the definition on the SEP server and clean the virus.

Thanks.