
W32/Autorun.worm.aaeb-h

Created: 28 Nov 2012 | 7 comments

Given that McAfee has released an Extra Dat file and updated its Stinger to cover this latest threat, has anything similar appeared in the Symantec world? Or is there going to be?

 

Regards

 

Fal


.Brian's picture

See this thread, in particular the post by dmaltby

https://www-secure.symantec.com/connect/forums/doe...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Tico's picture

So that article applies to this new variant of the "W32/Autorun.worm.aaeb-h"? Or maybe we'll have to wait until Symantec releases an official removal tool...

Glenn Jacobs's picture

As far as I know, W32/Autorun.worm.aaeb-h = W32.Changeup, but I could be wrong. Let's just hope it's the same, because then we have new definitions for them.

Can some Symantec employee verify this?

Chetan Savade's picture

Hi,

Symantec detects this threat as W32.Changeup.

W32.Changeup is a worm that spreads through removable and mapped drives. It also spreads by exploiting the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732). The worm may also spread through certain file-sharing programs.

W32.Changeup writeup

http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99

Security Response Blog Article – A Malicious Gift

http://www.symantec.com/connect/blogs/w32changeup-malicious-gift-keeps-giving

W32.Changeup Threat Profile (Older, historical reference)

http://www.symantec.com/connect/blogs/w32changeup-threat-profile

W32.Changeup VB Polymorphic Code Uncovered (Older, historical reference)

http://www.symantec.com/connect/blogs/w32changeup-visual-basic-polymorphic-code-uncovered

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

JohnDW's picture

Symantec does not detect this threat, at least not as of the Nov 29 r9 patterns.

One of our clients (running SEP 11) was infected with this today, and a custom SEP scan did not identify the (obvious) malware files as risks.

A sample file submitted to virustotal.com was identified by only 7 engines. This included McAfee, which identified it as W32/Autorun.worm.aaeh (thus confirming the source), but not Symantec.

Chetan Savade's picture

Hi,

We have seen a couple of new variants of this threat.

If you feel there is any undetected new threat then please submit it to Symantec.

https://submit.symantec.com/websubmit/basic.cgi

or

https://submit.symantec.com/websubmit/essentials.cgi

Security Best Practices for Protecting a Business Environment from Common Threats

http://www.symantec.com/docs/TECH105236

Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x

http://www.symantec.com/docs/TECH104909

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mick2009's picture

A new blog post that will be of interest:

https://www-secure.symantec.com/connect/blogs/w32changeup-keeps-giving

With thanks and best regards,

Mick