SecurityDaze: OLD WORMS DON'T GO AWAY

Monday, April 21, 2014

OLD WORMS DON'T GO AWAY

THEY JUST COME BACK ANOTHER DAY

TALES FROM THE VIRUS CRYPT:

Recently, someone I know ran across an old adversary - the AUTORUN.BI worm. On the radar from 2008-2011 we hadn't seen this on a customers computer for several years now, until last week!

Typically when a computer comes in with viruses a USB flash drive is popped in and various utilities are run. In this particular case my friend put his flash drive into the USB port and opened Windows Explore to view the contents of the drive. In a blink of his eye all of the utilities had changed to shortcuts [rather than actual .exe or .com files] - they were now useless. This is why techs carry a CD with utilities as well as a USB flash drive.

A quick look at the flash drive revealed that it's autorun.inf had been modified by a worm, which corrupted the files on the drive. If that flash drive had been put in another computer it would have infected it as well. Worms are a nasty lot, and here is one description of this worm taken from Microsoft:

Worm:VBS/Autorun.BI is a worm written in VBScript. It spreads by copying itself to the root of every writable drive as "nuevos !!!.hta".

Recovering from recurring infections on a network

The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:

Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
Ensure that all available network shares are scanned with an up-to-date antivirus product.
Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
Remove any unnecessary network shares or mapped drives.

Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.

I colored part of the description in red because it's very important to note that it will copy itself to network shares [yes, your home setup is a network], meaning any drive it can write to, including:

Other computers on your home/work wired or wireless network

An external backup drive
A USB flash drive

If this was found on one computer, then it's likely to be on others so be alert!

'Nuff Said,

Brian

No comments:

Post a Comment

TOP TEN SECURITY TIPS

1. Verify that your wireless router is secured, has a name that does not indicate either your name or the router manufacturer, has WPS disabled, and the admin password is not the default password.

2. Keep your Anti-Virus up-2-date. If you have Symantec Anti-Virus 2011, purchase 2012, and when 2013 comes out, upgrade to it.

3. Quick scan your PC twice a month with Malwarebytes.

4. Update your Adobe Reader/Flash, and Java, directly from their websites. Do not trust the pop-up that says you have updates to install.

5. When a pop-up jumps onto your screen, if you don't know what it is, close it.

6. Outlook users (not Outlook Express), keep your "Viewing Pane" closed.

7. If your PC becomes infected, turn it off until a tech arrives.

8. Keep your data backed up, either via external USB drives, or an online service like Carbonite.

9. Don't be cheap. Free anti-virus software only protects you to a certain point. Symantec Internet 2012 will let you know if a link is good or bad when doing a search. If you consider the cost of the software vs. expensive and time consuming virus/trojan removal, it's a small price to pay.

10. Don't trust your email - too many emails which appear to be legit, are not.