I wanted to report something I found with the W32.SillyFDC worm that infects machines via thumb drives. I had some 'frozen' lab machines which allowed me to do some testing. I plugged in a thumb drive infected with the W32.SillyFDC worm, and then performed an anti-virus check against it using SAV 10.1.0.396 with 11/25/08 definition files (yesterday's update). The virus check on the thumb drive came out clean: the client did not report any issues or infection. However, when I manually searched the contents of the thumb drive, I found a file named 'autorun.inf' in the root of the drive. This file is referenced in the Symantec documentation for W32.SillyFDC as being the infection source. My question is: why didn't the SAV client clean this file off the thumb drive, if the documentation indicates that it's a known culprit for infection?
To complete the test I double-clicked the file. The computer was immediately infected with the W32.SillyFDC virus. The autorun.inf file that had been on the thumb drive also went away. When I plugged the thumb drive into a different machine, it was still gone and that second machine did not get infected.
Using SAV to check for infections on thumb drives apparently does not always work, even when the source files for infection are referenced in the documentation. I think that's scary.
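As an added example (not part of the original post, and not Symantec's or SAV's detection logic), here is a small Python check that automates what the poster did by hand: look in the root of a mounted volume for an `autorun.inf` and report any directive in its `[autorun]` section that would cause Windows to launch a program (`open=`, `shellexecute=`, or any `shell\<verb>\command=`). `autorun.inf` is a plain-text INI file, so the file itself only points at the payload; the check surfaces where it points. The sample `autorun.inf` embedded below is constructed for illustration and is not a real W32.SillyFDC artefact; the function names (`parse_autorun`, `launch_directives`, `scan_volume_root`) and the `launcher.exe` target are my own.

```python
"""Inspect an autorun.inf from removable media for directives that launch code.

Added example, not from the original post. The embedded sample autorun.inf is
constructed for illustration only and is not a real worm artefact.
"""
import os
import sys
from typing import Dict, List, Tuple

# Keys in the [autorun] section that make Windows run something when the volume
# is mounted or its icon is double-clicked. Any "shell\<verb>\command" key is
# also a launcher, so it is matched by suffix below.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample (assumption for the demo, not a captured sample).
SAMPLE_AUTORUN = """\
; constructed sample for illustration only
[AutoRun]
open=launcher.exe
shellexecute=launcher.exe
shell\\open\\Command=launcher.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] (or [autorun.<arch>]) directives as lower-cased key -> value.

    A hand-rolled parser is used rather than configparser because autorun.inf files
    seen on removable media are frequently malformed (duplicate keys, odd casing,
    stray characters), and we want to keep going rather than raise.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            in_autorun = section == "autorun" or section.startswith("autorun.")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_directives(directives: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (key, value) pairs that would execute a program."""
    return [
        (key, value)
        for key, value in directives.items()
        if key in LAUNCH_KEYS or key.endswith("\\command")
    ]


def scan_volume_root(root: str) -> List[Tuple[str, str]]:
    """Look for autorun.inf (any case) in the root of a mounted volume and
    return its launch directives. An empty list means no autorun.inf was
    found, or it only sets things like icon= and label=."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                return launch_directives(parse_autorun(fh.read()))
    return []


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python autorun_check.py E:\   (path is an assumption for the demo)
        hits = scan_volume_root(sys.argv[1])
    else:
        hits = launch_directives(parse_autorun(SAMPLE_AUTORUN))
    for key, target in hits:
        print(f"launch directive: {key} -> {target}")
    if not hits:
        print("no launch directives found")
```

Run it against a drive letter to inspect the `autorun.inf` on a real thumb drive without double-clicking anything; the targets it prints are the files to submit to the scanner or hash, since the `.inf` is only the pointer. A drive that carries an `autorun.inf` with nothing but `icon=` or `label=` is reported as having no launch directives.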