Issue – A fast spreading socially engineered threat is currently infecting many customers
Thursday Sep 9th, 2010, Symantec is actively tracking a new, malicious computer worm that spreads using a socially engineered email attack. The threat arrives in the form of a standard email that directs the recipient to click on a link embedded in the email. This link points to a malicious program file that is disguised as a PDF file, hosted on the internet. When the user clicks on this link, their computer downloads and launches the malicious file; this process installs the worm onto the victim’s computer. Initial analysis indicates that the worm disables many common AV products (but it does not successfully attack Norton/Symantec products). Once running on the computer, the threat attempts to email a copy of the original email to all email addresses found in the infected user’s email address book. The threat also attempts to spread from computer to computer over the local network (e.g., within the enterprise intranet) by copying itself to open drive shares found on other machines on the network. Once the threat copies itself to another machine, if a user even opens the folder that contains the threat on this new machine, this will launch the threat and cause it to spread further through both email and over shared drives.
Enterprise customers using a Rapid Release signature set dated Sep 9th 2010 rev 023 (or later) are already completely protected. This will stop all new infections. The definition will also be included in the next regular definition set, which will be published at 16:00 PST (Sep 9th 2010).
Norton customers were also protected via Pulse Update definitions released at 10:15 PST (Sep 9th 2010).
The initial signature for this threat was named Trojan.Horse but has since been renamed to W32.Imsolk.B@mm.
Threat Details (What does the threat do?)
The worm uses email for its initial propagation (an email purporting to include a link to a requested document). Once inside a corporation it can spread rapidly via shared drives and removable drives. It also attempts to spread further via email by gathering email addresses from the compromised computer.
The email looks like the following:
Hello:
This is The Document I told you about, you can find it Here. <link to .SCR file>
Please check it and reply as soon as possible.
Cheers,
<name>
Once the link is followed it proceeds to download the actual malicious threat W32.Imsolk.B@mm which infects the compromised machine.
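As an added example (not Symantec's code and not part of the original advisory), the following Python mail-gateway check flags messages that match the lure above. It extracts links from the body, treats any link whose path ends in a directly executable extension (.scr in this case) as grounds to block, and treats the lure phrasing on its own as grounds for manual review. The two messages are constructed samples; the domain attacker.invalid and the filename document_pdf.scr are placeholders, not indicators taken from the advisory.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample lure (not a real capture). The wording mirrors the
# template quoted in the advisory; the URL is a placeholder.
LURE_MSG = """\
From: colleague@example.com
To: victim@example.com
Subject: Here you have
Content-Type: text/plain

Hello:
This is The Document I told you about, you can find it Here. http://attacker.invalid/document_pdf.scr
Please check it and reply as soon as possible.
Cheers,
<name>
"""

# Constructed benign message with a genuine PDF link, for comparison.
BENIGN_MSG = """\
From: hr@example.com
To: victim@example.com
Subject: Q3 policy
Content-Type: text/plain

Hi,
The updated policy is at https://intranet.example.com/policies/q3.pdf
Thanks
"""

# Extensions Windows executes directly when double-clicked; the lure
# in the advisory used .scr (a screensaver, i.e. a PE executable).
EXEC_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}

# Phrases from the lure template, compared case-insensitively.
LURE_PHRASES = (
    "this is the document i told you about",
    "you can find it here",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def extract_links(body: str) -> list[str]:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(body)


def looks_executable(url: str) -> bool:
    """True if the URL path's final extension is one Windows runs directly.

    Only the last extension counts, so 'report_pdf.scr' is still .scr even
    though the name is dressed up to look like a PDF.
    """
    path = urlparse(url).path.lower()
    dot = path.rfind(".")
    return dot != -1 and path[dot:] in EXEC_EXTS


def score_message(raw: str) -> dict:
    """Classify one RFC 822 message as 'block', 'review' or 'pass'."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = body.lower()
    links = extract_links(body)
    exec_links = [u for u in links if looks_executable(u)]
    phrase_hits = [p for p in LURE_PHRASES if p in text]
    if exec_links:
        verdict = "block"          # link to a bare executable: never legitimate here
    elif phrase_hits:
        verdict = "review"         # lure wording without an executable link
    else:
        verdict = "pass"
    return {"verdict": verdict, "exec_links": exec_links, "phrase_hits": phrase_hits}


if __name__ == "__main__":
    for label, sample in (("lure", LURE_MSG), ("benign", BENIGN_MSG)):
        print(label, score_message(sample))
```

The executable-extension test is the load-bearing check: the lure text will be reworded, but a message body that links straight to a .scr or .exe is not something a corporate mail gateway should ever deliver.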
Protection Details (Am I protected?)
Yes, if you are running either a Symantec Corporate Anti-virus product (Symantec Anti-Virus or Symantec Endpoint Protection) or a Norton Anti-virus product (NIS, NAV or N360) and have current virus definitions as follows.
The initial variant (called “Trojan.Horse”) was discovered by Symantec at 09:00 PST on Sep 9th, 2010, and we released a new signature to detect and remediate known infections in the Rapid Release definition set dated Sep 9th 2010 rev 023 (or later), published at about 10:15 PST on Sep 9th, 2010.
Any Norton product configured to download Pulse Updates (the default setting) will also have received this new signature at or around 10:15 PST on Sep 9th, 2010.
The initial signature (Trojan.Horse) has since been renamed to W32.Imsolk.B@mm. This name will appear in subsequent definition sets.
Full definitions with this new name will be released at 16:00 PST.
Best Practices
- Disable network sharing and/or disconnect infected computers from the local network and the Internet.
- Block outbound traffic to the domains/IP addresses contained in the socially engineered email to prevent users from connecting to the distribution sites and downloading the file.
- Disable AutoPlay/AutoRun to prevent the automatic launching of executable files on network and removable drives, and disconnect such drives when they are not required.
- Once inside the boundary of an enterprise, Windows file shares and removable thumb drives are a common infection vector for this type of threat, and autorun.inf files make these especially prone to attack. Symantec recommends disabling autorun.inf processing where practical.
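As an added example (not Symantec's code and not part of the original advisory), the following Python triage script walks a mounted share or removable drive looking for autorun.inf files and reports the ones that would launch a program: an `open=` or `shellexecute=` entry, or a `shell\<verb>\command=` entry, as opposed to a harmless `icon=`/`label=` only file. It also checks whether the referenced target is actually present next to the autorun.inf, which is what a worm that copied itself onto the share would leave behind. The sample tree is constructed in a temporary directory; the filename document_pdf.scr is a placeholder, not an indicator from the advisory.

```python
import configparser
import os
import shlex
import tempfile
from pathlib import Path

# [autorun] keys that cause a program to run; icon= and label= do not.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def parse_autorun(inf_path: Path) -> list[tuple[str, str]]:
    """Return (key, command) pairs from an autorun.inf that would launch something."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    # Strip a UTF-8 BOM, which would otherwise hide the [autorun] header.
    text = inf_path.read_text(encoding="utf-8", errors="ignore").lstrip("\ufeff")
    try:
        cp.read_string(text)
    except configparser.Error:
        return [("unparsable", "")]          # malformed file is itself worth a look
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    hits = []
    for key, value in cp.items(section):     # keys are lower-cased by configparser
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value.strip()))
    return hits


def scan_for_autorun(root: Path) -> list[dict]:
    """Walk root and describe every autorun.inf that launches a program."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            inf = Path(dirpath) / name
            for key, cmd in parse_autorun(inf):
                # First token of the command is the program; keep quotes intact
                # for Windows-style paths, then strip them.
                exe = shlex.split(cmd, posix=False)[0].strip('"') if cmd else ""
                findings.append({
                    "inf": str(inf),
                    "key": key,
                    "command": cmd,
                    "executable": Path(exe).suffix.lower() in EXEC_EXTS,
                    "target_present": (inf.parent / exe).exists() if exe else False,
                })
    return findings


def build_sample_tree() -> Path:
    """Constructed sample, not a real capture: one share carrying a launcher
    autorun.inf plus the dropped .scr, one share with an icon-only autorun.inf."""
    root = Path(tempfile.mkdtemp(prefix="share_scan_"))
    bad = root / "public"
    bad.mkdir()
    (bad / "autorun.inf").write_text("[AutoRun]\nopen=document_pdf.scr\nicon=document_pdf.scr,0\n")
    (bad / "document_pdf.scr").write_bytes(b"MZ")   # placeholder bytes, not a real binary
    good = root / "software"
    good.mkdir()
    (good / "autorun.inf").write_text("[autorun]\nicon=setup.ico\nlabel=Installers\n")
    return root


def demo_findings() -> list[dict]:
    """Scan the constructed sample tree and return the findings."""
    return scan_for_autorun(build_sample_tree())


if __name__ == "__main__":
    for f in demo_findings():
        print(f)
```

Run it against the mount points of your file shares and any removable media handed in during response; a hit where `executable` and `target_present` are both true is a share the worm has already written to, and the directory should be treated as infected rather than merely cleaned of the autorun.inf.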
Technical Support already has the following knowledge base articles on the topic:
This is a generic write-up that includes a variety of techniques, including directly editing the Windows registry.
This includes specific instructions on how to use the policy feature of SEP to disable autorun.inf files.