Endpoint Protection

Hi,

We are facing a virus attack that is hidding microsoft word documents. In fact the virus hides the document (.doc) and then creates a new executable (.exe) with the same name. As far most of users have the option "hide know extensions", most of then click on the .exe, spreading the virus.

Both SAV10 and SEP11 are identifying it as a "simple" trojan horse. SAV/SEP are able to block the .exe creation, but aren't able to avoid that the virus install itself on the users.

Does anyone know something about this virus/trojam? At least it's name?

I have a client completly updated (windows xp sp 3 with all patches) and SAV11 updated and I can see in my file server that my machine is trying to generate the .exe file.

I don't think that it is a simple trojan.

I need help in order to properly deal with it.

TIA,

rcrios

Turn off Autoplay on the file server.
Update virus definitions ( RapidRelease defs ) and run a full scan of the file server.
Also update the infected machines and run  full scan on them.

Also check

How to prevent a virus from spreading using the "AutoRun" feature

I just saw one today on one of my user's machines, WM.Cap.A and W97M.Class.A.Gen but both were deleted

Suggestions:
Use Group Policies in active directory and turn off hide file extensions.
Get a message out to your users what to look for.
Use SEP application control to block EXE creation in the folders they keep DOC files in.