Endpoint Protection

  • 1.  SAV issue cleaning W32.SillyFDC

    Posted Nov 26, 2008 02:27 PM

    Wanted to report something I found with the W32.SillyFDC worm that infects machines via thumb drives. I had some 'frozen' lab machines which allowed me to do some testing. I plugged in a thumb drive infected with the W32.SillyFDC worm, and then performed an anti-virus check against it using SAV 10.1.0.396 with 11/25/08 definition files (yesterday's update). The virus check on the thumb drive came out clean; the client did not report any issues or infection. However, when I manually searched the contents of the thumb drive, I found a file named 'autorun.inf' in the root of the drive. This file is referenced in the Symantec documentation for W32.SillyFDC as being the infection source. My question is: why didn't the SAV client clean this file off the thumb drive, if the documentation indicates that it's a known culprit for infection?


    To complete the test I double-clicked the file.  The computer was immediately infected with the W32.SillyFDC virus.  The autorun.inf file that had been on the thumb drive also went away.  When I plugged the thumb drive into a different machine, it was still gone and that second machine did not get infected.


    Using SAV to check for infections on thumb drives apparently does not always work, even when the source files for infection are referenced in the documentation.  I think that's scary.  



  • 2.  RE: SAV issue cleaning W32.SillyFDC

    Posted Dec 17, 2008 12:35 PM

    I have a similar issue with two corporate workstations.  We have been unable to remove a similar virus that is spread via memory sticks.  It infects the machines with autorun.inf and adds a randomly named batch file in the root directory of all drives, and also creates amvo.exe and kav320.dll in Windows/System32.  On top of this the virus automatically modifies registry values and prevents hidden files from being shown.


    Symantec does not detect this threat at all - yet Spyware Doctor and MalwareBytes both detect the issue, although I am doubtful whether they both remove it completely.


    The randomly named batch file seems to take the contents of amvo.exe, so if amvo.exe is modified, the batch file is also modified correspondingly. The only way to clean this is by modifying amvo and kav320 to gibberish, and then going into the command prompt, revealing autorun.inf and the batch file (the name of which can be determined by checking the contents of the autorun.inf file). Once revealed (i.e. attrib -a -r -h -s autorun.inf) the file can usually be deleted, although it sometimes reappears, particularly if kav320.dll is still present. This is all the information I have, and I'm getting quite frustrated because even after doing all this there are still some issues. I hope Symantec comes up with a solution soon.
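A read-only triage helper for the manual procedure in the post above, added here and not code from either poster or from Symantec: it parses autorun.inf for the launch keys (where the second post says the batch file's name is found) and reports whether each referenced file exists and carries the hidden/system attributes that attrib -h -s clears, without running or deleting anything. The drive contents in demo() (x7qk2.bat, "missing helper.exe") are constructed sample data; the attribute flags are only populated on Windows.

```python
import os, re, stat, tempfile

LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")  # [autorun] keys whose value runs on insertion

def parse_autorun(text):
    """{key: command} for launch keys in [autorun]; tolerant of BOMs, junk lines and odd casing."""
    found, in_section = {}, False
    for line in (l.strip() for l in text.lstrip("\ufeff").splitlines()):
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun")
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if in_section and sep and LAUNCH_KEY.match(key):
            found[key] = value.strip()
    return found

def launched_files(text):
    """Bare file names the launch keys point at (first token, quotes and paths stripped)."""
    names = set()
    for cmd in parse_autorun(text).values():
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        if m:
            names.add(os.path.basename((m.group(1) or m.group(2)).replace("\\", "/")).lower())
    return sorted(names)

def file_attrs(path):
    """Hidden/system flags (what 'attrib -h -s' clears); only Windows exposes st_file_attributes."""
    attr = getattr(os.stat(path), "st_file_attributes", 0)
    return {"hidden": bool(attr & stat.FILE_ATTRIBUTE_HIDDEN), "system": bool(attr & stat.FILE_ATTRIBUTE_SYSTEM)}

def inspect_drive(root):
    """Read-only report: autorun.inf attributes plus the status of every file it would launch."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {"autorun.inf": None, "launches": {}}
    with open(inf, encoding="latin-1") as fh:
        paths = {n: os.path.join(root, n) for n in launched_files(fh.read())}
    return {"autorun.inf": file_attrs(inf),
            "launches": {n: file_attrs(p) if os.path.isfile(p) else "missing" for n, p in paths.items()}}

def demo():
    root = tempfile.mkdtemp()  # constructed sample drive root, not a real infected stick
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write('[AutoRun]\nopen=x7qk2.bat\nshell\\open\\Command=.\\x7qk2.bat\nshellexecute="missing helper.exe"\n')
    open(os.path.join(root, "x7qk2.bat"), "w").close()
    return inspect_drive(root)
```

Point inspect_drive() at the root of a mounted removable drive to get the same report for a real stick; the file names it lists are the ones to check with attrib before deciding what to remove.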