USB Flash Drive Shortcut Virus

Created: 30 Mar 2012 • Updated: 02 Apr 2012 | 8 comments
This issue has been solved. See solution.

Hi All,

10% of users in our network have recently been affected by the USB Flash Drive shortcut virus (i.e. it creates shortcuts of folders and hides the folders... and in the RECYCLER bin there is something like 0x2978F.exe created).

I do not know why Symantec EP 11 does not try to stop this virus on USB and does not find it on the PC... but manually I can find it on the affected PC, plus the associated registry entry.

Symantec please assist... users are complaining about this antivirus now.

 


NRaj's picture

As a first step, disable autorun.

Preventing a virus from using the AutoRun feature to spread itself

http://www.symantec.com/business/support/index?page=content&id=TECH104447

 

Check the below articles on handling infections.

Best practices for troubleshooting viruses on a network

http://www.symantec.com/business/support/index?page=content&id=TECH122466

Security Best Practice Recommendations
http://service1.symantec.com/support/ent-security.nsf/docid/2009010808340848?Open&seg=ent

How to Use the Web Submission Process to Submit Suspicious Files

http://www.symantec.com/business/support/index?pag...

Security Response recommendations for Symantec Endpoint Protection settings
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948

 

Hope this helps

SOLUTION
Edwin_Mu's picture

I have already configured the application control to block autorun, and most computers are now deployed with the autorun feature disabled.

I have submitted the virus file to Symantec... will wait for their response.

NRaj's picture

Symantec will come back with the definitions hopefully.

Edwin_Mu's picture

Symantec indeed responded saying it was a Trojan.gen virus... and recommended that I immediately download the Rapid Release Definition. Does it mean that the protection was updated into this download??? Of course I am downloading it now, and will monitor the notifications.

NRaj's picture

"Does it mean that the protection was updated into this download???"

Yes. Did they mention a sequence number? If so, you can download that sequence or a later one from the below link.

ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_c...

These are rapid release definitions, and this will be added to the daily definitions, usually within 24 hrs.

Edwin_Mu's picture

After downloading and applying the definitions, I have hundreds of 'deleted', 'blocked', 'cleaned' logs. It seems the antivirus is finally working...

Thanks guys.

Mithun Sanghavi's picture

Hello,

In your case, it is advisable to follow a few important steps:

1) Make sure all these machines are patched with all the latest MS security patches and service packs.

2) Make sure the machines are installed with the Latest Symantec virus definitions.

3) Disable the Autorun Feature on the machine.

Later, in case suspicious activity is still happening, follow the steps provided in the article below:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
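
A read-only triage script for the symptoms and the AutoRun advice discussed in this thread, added here as an example; it was not posted by any participant and is not Symantec's tooling. It assumes PowerShell 3.0 or later, and the function names and `Sign` labels are hypothetical.

```powershell
# Added example (not from the thread). Read-only: nothing is modified or deleted.
function Find-ShortcutVirusSigns {
    param([Parameter(Mandatory = $true)][string]$DriveRoot)  # e.g. 'E:\' (assumed drive letter)

    # Sign 1: a hidden folder at the drive root with a same-named .lnk beside it.
    $hidden = Get-ChildItem -LiteralPath $DriveRoot -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($dir in $hidden) {
        $lnk = Join-Path $DriveRoot ($dir.Name + '.lnk')
        if (Test-Path -LiteralPath $lnk -PathType Leaf) {
            [pscustomobject]@{ Sign = 'HiddenFolderWithShortcut'; Path = $dir.FullName; Related = $lnk }
        }
    }

    # Sign 2: executables inside RECYCLER, where the thread reports a file like 0x2978F.exe.
    $recycler = Join-Path $DriveRoot 'RECYCLER'
    if (Test-Path -LiteralPath $recycler -PathType Container) {
        Get-ChildItem -LiteralPath $recycler -Filter '*.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Sign = 'ExecutableInRecycler'; Path = $_.FullName; Related = $null } }
    }

    # Sign 3: an autorun.inf at the drive root, the file the AutoRun feature reads.
    $inf = Join-Path $DriveRoot 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        [pscustomobject]@{ Sign = 'AutorunInfPresent'; Path = $inf; Related = $null }
    }
}

# Host-side check: is AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)?
# Only the machine-wide policy value is read; a missing key or value counts as "not disabled".
function Test-AutoRunDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($val -eq 0xFF)
}

# Usage: scan every removable volume currently mounted, then report the host AutoRun policy.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    Find-ShortcutVirusSigns -DriveRoot ($_.DeviceID + '\')
}
"AutoRun disabled for all drive types: $(Test-AutoRunDisabled)"
```

Any path reported under `ExecutableInRecycler` is a candidate for the file submission process mentioned in the thread.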