
Flash Drive Shortcut Virus

  • 1.  Flash Drive Shortcut Virus

    Posted Feb 07, 2013 04:34 AM

    Hi

    The problem is the so-called "shortcut" virus, which "transforms" all of the content into a shortcut that can't be opened, and you must show hidden folders, or you must change the attributes, and so on. The biggest problem is that SEP has no idea about the virus. I have this problem on 30+ computers with SEP 12.1.2 (with all components installed) and Windows XP SP3 (patched).

    So far I have followed the following suggestions from a previous post:

    "To Harden your Network use these customized policies

    Autorun.inf

    http://www.symantec.com/docs/TECH104909

    LNK files (stuxnet and other worms)

    http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=adc

    Trojan

    http://www.symantec.com/business/support/index?page=content&id=TECH95124&locale=en_US"

    + Used Power Eraser, which did not solve the problem

     

    With all the tweaking of the app & dev policy I managed to stop the virus from spreading: the executables from the infected USB are blocked, the content can be copied to the desktop, and the USB can be formatted, and afterwards it's clean. This is no problem for me, but for someone in a location without an IT person, who handles 30-40 USBs per day from different customers, it's a problem. I have googled and sadly haven't found any software that solves this problem. I am pretty sure that SEP 12.1.2 does not even report that a virus is found. I hope that there is some standalone tool from Symantec.

     

    Please Advise

     



  • 2.  RE: Flash Drive Shortcut Virus

    Posted Feb 07, 2013 04:44 AM

    In your case, it is advisable to follow a few important steps:

    1) Make sure all these machines are Patched with ALL Latest MS security patches and service packs.

    2) Make sure the machines are installed with the Latest Symantec virus definitions.

    3) Disable the Autorun Feature on the machine.

    Preventing a virus from using the AutoRun feature to spread itself

    http://www.symantec.com/business/support/index?page=content&id=TECH104447

    Later, in case suspicious activity is still happening, follow the steps provided in the article below:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Check the articles below on handling infections.

    Best practices for troubleshooting viruses on a network 

    http://www.symantec.com/docs/TECH122466

    Security Best Practice Recommendations 

    http://www.symantec.com/docs/TECH91705

    How to Use the Web Submission Process to Submit Suspicious Files

    http://www.symantec.com/docs/TECH102419

    Security Response recommendations for Symantec Endpoint Protection settings 

    http://www.symantec.com/docs/TECH122943

     

    Check this thread

    https://www-secure.symantec.com/connect/forums/usb-flash-drive-shortcut-virus



  • 3.  RE: Flash Drive Shortcut Virus

    Posted Feb 07, 2013 05:55 AM

    Connecting flash drives which have been used in unprotected machines is always a problem.

    You can submit the samples and it will get detected.

    But when in your organization there are people who handle 30-40 USB devices per day then there has to be a reason or business need for that..

    And I don't think it would be copying or running .exe files or .inf or .lnk files.

    So at least for that department, or for all, block read of .lnk, autorun.inf and .exe from USB.



  • 4.  RE: Flash Drive Shortcut Virus

    Posted Feb 07, 2013 06:57 AM

    Hi Vikram

     

    For that department the policy is set to block read of .lnk, autorun.inf and .exe files, and that's why they can work "normally", but still the manual work remains: to copy the files, format the USB... There is a big business need for handling that amount of USB drives for that department, otherwise I would have blocked all USB flash drives with device control. I hope that someone will come up with a tool to fix this issue.
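The manual triage described in the first and fourth posts (find the hidden content, read what the shortcuts run, restore the attributes, keep the suspicious files for submission) can be scripted. This is an added example, not from the thread or from Symantec; it assumes the stick's drive letter is passed as -Drive and that it runs on an analyst PC with PowerShell 3 or later, not on the infected XP machines.

```powershell
# Added example: triage a removable drive for the "shortcut virus" pattern described above
# (real content set Hidden+System, a .lnk left in its place that launches something else).
# Assumptions: -Drive is the stick's drive letter; analyst PC, PowerShell 3+. Nothing is executed.
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # e.g. "E:"
    [switch]$Restore                                # also clear Hidden/System on the root items
)

$root      = "$Drive\"
$shell     = New-Object -ComObject WScript.Shell   # resolves .lnk targets without opening them
$launchers = 'cmd.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'powershell.exe'

# 1. Root items carrying Hidden+System: the "vanished" content plus any dropped files
#    (desktop.ini / Thumbs.db deserve a second look). System Volume Information is normal.
$hidden = Get-ChildItem -LiteralPath $root -Force |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                   ($_.Attributes -band [IO.FileAttributes]::System) -and
                   $_.Name -ne 'System Volume Information' }

# 2. Root shortcuts, resolved to what they really run; flag script hosts and any
#    shortcut whose arguments mention one of the hidden items.
$links = Get-ChildItem -LiteralPath $root -Filter *.lnk -Force |
    Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $exe    = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        $refers = @($hidden | Where-Object {
            $lnk.Arguments.IndexOf($_.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0 }).Count -gt 0
        [pscustomobject]@{
            Shortcut   = $_.Name
            Runs       = "$($lnk.TargetPath) $($lnk.Arguments)"
            Suspicious = ($launchers -contains $exe) -or $refers
        }
    }

"Hidden+System items at root:"; $hidden | Select-Object Name, Attributes | Format-Table -AutoSize
"Shortcuts at root (collect the Suspicious ones for submission; do not double-click them):"
$links | Format-Table -AutoSize

# 3. Optional: undo the attribute change so the user sees their files again (the manual
#    step from the first post). The .lnk files and any dropped payloads are left in place.
if ($Restore) {
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    foreach ($h in $hidden) {
        $h.Attributes = [IO.FileAttributes]([int]$h.Attributes -band (-bnot $mask))
    }
}
```

Run it once without -Restore to record what the shortcuts point at before changing anything on the stick.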



  • 5.  RE: Flash Drive Shortcut Virus

    Broadcom Employee
    Posted Feb 07, 2013 09:47 AM

    Hi,

    As of now there is not any tool against this threat.

    Is it getting detected as Trojan.gen or Trojan.gen2? Is SEP not taking any action against it? It might happen that, due to a new variant of the threat, SEP is not taking any action against it. Check the risk log for more details and, if possible, attach it to this thread.

    Try to find out the original location where these .exe files are routing to. Go to the properties of the file and try to find out the location.

    Also run the Symantec Support Tool (SST) on the machine while the external drive is connected. Make sure the external drive letter is added in SST.

    SST will tell you about suspicious files; submit those suspicious files to Symantec. You will receive a tracking number within a few minutes after the submission.

    Please share the tracking id with me and I will try to check the status of it.



  • 6.  RE: Flash Drive Shortcut Virus

    Posted Feb 07, 2013 01:22 PM

    If SEP or NPE isn't catching it, then there is no tool.

    SEP with the latest defs should catch it. If you are using SEP 12 on those machines, increase the SONAR level and use Insight as well.

    The only thing you can do over here is have a proactive approach which you are already using.

    If you are using SNAC, there is a policy where you can scan the USB sticks as they are plugged in.

    But again if SEP is not detecting it then the best way is to submit the file.

    Trust me, it's just a one-time pain. If you don't submit the file you will see the same infection every day and there will be manual work every day.

    Once definitions arrive it will automatically get removed.



  • 7.  RE: Flash Drive Shortcut Virus

    Posted Feb 08, 2013 04:00 AM

    I'd be curious to find out how this is avoiding detection as well.  I've had reports of a similar issue, but only from users running SEP11 so far.

    Can I ask the Symantec guys to post a link to the threat write-up if/when this is resolved?

    I'm a little concerned that the threat managed to make all these changes when the OP has all components installed.



  • 8.  RE: Flash Drive Shortcut Virus

    Posted Feb 08, 2013 06:41 AM

    Update on the situation.

    3 computers are left that are infecting every USB that is plugged in. One of the admins went on-site and scanned one of the computers with the bootable SEP Recovery Tool v2, providing the latest definitions on a USB. It reported back that no threat was found, so the customer used another AV and found the threats below. Once these threats were cleaned, that particular PC is not infecting USB drives.

     

    The reported threats are:

    Trojan-Downloader.Win32.Andromeda.gse

    HEUR:Trojan.Win32.Generic

    Trojan.JS.Fraud.fa

     

     



  • 9.  RE: Flash Drive Shortcut Virus

    Posted Feb 08, 2013 06:46 AM

    If you could submit those files next time, you wouldn't have to do it manually again, and if it's there on any other machine it will automatically be picked up.

     



  • 10.  RE: Flash Drive Shortcut Virus

    Broadcom Employee
    Posted Feb 08, 2013 07:50 AM

    Hi,

    It's very necessary to submit the files to the Symantec response team because even after running SERT the issue still persists.

    Please submit the suspicious files to Symantec. SST might take some time to collect the logs; however, the submission process is very easy and fast.

    Once you have submitted the files to Symantec, please share the tracking id with us and we will try to follow up on the same.

    But unless and until we receive valid samples we can't move further.

     



  • 11.  RE: Flash Drive Shortcut Virus

    Posted Feb 12, 2013 09:05 AM

    Hi

    Files were submitted and two of them are confirmed to be viruses. Later that day I downloaded rapid release definitions, and "desktop.ini" and "Thumbs.db" are recognized by SEP as viruses (previously they were not). I have opened a case with support to continue solving this issue.

     

    Thanks for the help

    Files Submitted

    Filename         MD5                               Determination
    virus.zip        3894248b8b375267f5d6fe15469e698c  Not a threat
    ~$WWEPMOO.FAT32  abe13a58ab7dbb4936c696d52b7b5837  Not a threat
    desktop.ini      f885a1e9cebeb4c9139af641a31adcb8  Downloader
    NIKOLA(2GB).lnk  9f3dd7a45b95aa96570a04bfb9ad67b3  Not a threat
    Thumbs.db        092b9f8fdb7fbbbd6672ea0796c6f01e  Trojan Horse

     



  • 12.  RE: Flash Drive Shortcut Virus

    Posted Feb 13, 2013 03:45 AM

    Looks like a very new variant, since not many vendors are able to detect it...

    I guess I found your submission to VirusTotal lol

    https://www.virustotal.com/file/1e4ab059e0920b48ae51ac05db793366e2560755d2c80b4c816f14c3c43040f5/analysis/

    https://www.virustotal.com/file/a7b59fc82da391ef02c17599eab59a7c07c44d60b4179d2a849ffe084df572d1/analysis/

     

    I didn't find any particular information about this threat, but the Microsoft folks are recommending blocking autorun.inf, since it usually comes from removable drives...

     

    http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Gamarue.I



  • 13.  RE: Flash Drive Shortcut Virus

    Trusted Advisor
    Posted Feb 13, 2013 07:00 AM

    Has there been any update on this case? Quite interested in the outcome of this; I have seen a few instances.



  • 14.  RE: Flash Drive Shortcut Virus

    Posted Feb 15, 2013 10:55 AM

    A log from Process Monitor from one Windows 7 computer was uploaded to Symantec, and that computer does not infect USBs any more. I haven't checked other Win 7 computers (no one has complained, however).

    However, there are a number of Windows XP SP3 computers that still infect USBs. I have uploaded logs from one XP machine and am waiting for a solution on that as well. I hope to close this case on Monday.