OptimusPrime

New Member
Hi all,

Has anyone seen this one floating around? When a USB is inserted in a machine all the files and folders turn into shortcuts and a hidden folder with .js files is created on the USB as well as the machine.

There are a tonne of ways to remove it but nothing really to totally prevent it from happening. Having trouble finding what the actual source is and what's creating the js files.

Regards
 

Littlebits

Retired Staff
What version of Windows did this happen on?

I'm thinking it had to be Windows XP because USB autorun is disabled by default on Vista, Windows 7 and 8.

The user would have to manually open the USB in Windows Explorer and manually run the infected file in order for this to happen on modern Windows.

Just connecting the USB device on modern Windows would not cause an infection unless the user has manually changed USB autorun settings or failed to apply Windows Updates that disabled USB autorun function.


Thanks. :D
 

OptimusPrime

New Member
Thank you for your reply :)

This is on a Windows 7 in an enterprise environment, Autoplay is on but Autorun is disabled via group policy.

It's a very odd occurrence and has McAfee support team stumped as well. Hopefully a remote session with their engineer will give us more information.

It's very discreet in how it happens, user will plug a USB into a machine and when they access the USB they see all their folders have been modified. The user doesn't actually execute anything which makes it really odd.

I'll hopefully have some more information soon.
 

avkom

Level 3
Did you open Windows Explorer to browse the files in USB? Probably cpl icon loading vulnerability http://technet.microsoft.com/en-us/security/bulletin/MS10-046
 

OptimusPrime

New Member
Yes I'm sure the users would have done that. McAfee have just remoted in and also found a scheduled task that recreates the .js files if they are deleted. Thanks for the MS Article, it's looking like that at the moment.
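
A triage sketch for the scheduled-task persistence mentioned in this thread, added here as an example and not posted by any participant: it reads the CSV produced by `schtasks /query /fo csv /v` and flags tasks whose action launches a script file. Assumptions: English column names (`TaskName`, `Task To Run`), and that the task starts the .js through a script host or by path, which the thread does not state; the sample rows are constructed.

```python
import csv
import io
import re

# Script hosts and script extensions worth a second look in a task action.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
# Per-user writable locations (assumption: few legitimate tasks run scripts from here).
USER_PATH = re.compile(
    r"\\(appdata|temp|users\\public)\\|%(appdata|temp|localappdata)%", re.IGNORECASE)


def suspicious_tasks(csv_text):
    """Return (task name, action, reasons) for tasks that launch script files."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName") or ""
        action = row.get("Task To Run") or ""
        if name == "TaskName":  # schtasks repeats the header once per task folder
            continue
        reasons = []
        if SCRIPT_HOST.search(action):
            reasons.append("script host")
        if SCRIPT_EXT.search(action):
            reasons.append("script file")
        if USER_PATH.search(action):
            reasons.append("user-writable path")
        # Require a script indicator; a user-writable path alone is too noisy.
        if reasons and reasons != ["user-writable path"]:
            hits.append((name, action, reasons))
    return hits


# Constructed sample, trimmed to three of the columns that /v prints.
SAMPLE = r'''"HostName","TaskName","Task To Run"
"PC01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c"
"PC01","\VendorUpdate","C:\Users\alice\AppData\Local\Vendor\update.exe"
"HostName","TaskName","Task To Run"
"PC01","\updater-example","wscript.exe C:\Users\alice\AppData\Roaming\example\a.js"
'''

if __name__ == "__main__":
    for name, action, reasons in suspicious_tasks(SAMPLE):
        print(name, "|", action, "|", ", ".join(reasons))
```

A flagged task is only a lead: check its author, creation time and the file it points to before removing it, since deleting the .js files alone leaves the task free to recreate them.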
 

TwinHeadedEagle

Moderator
Verified
Staff member
You are probably thinking of this infection --> http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AJS%2FProslikefan.C#tab=2

Next time use MCShield, and you will certainly be protected against such threats :)

MCShield Anti-Malware
 

OptimusPrime

New Member
Thanks, that sounds a lot like it. We are using McAfee VSE which was unable to pick up the worm from running. Should have an update that can soon hopefully it deploy mc2shield.
 

Littlebits

Retired Staff
OptimusPrime said:
Thank you for your reply :)

This is on a Windows 7 in an enterprise environment, Autoplay is on but Autorun is disabled via group policy.

It's a very odd occurrence and has McAfee support team stumped as well. Hopefully a remote session with their engineer will give us more information.

It's very discreet in how it happens, user will plug a USB into a machine and when they access the USB they see all their folders have been modified. The user doesn't actually execute anything which makes it really odd.

I'll hopefully have some more information soon.
Possibly one of the users did run a malicious executable file and, if on a shared network, it infected other systems. Another possibility is one of the systems on the shared network was already infected and the malicious file copied itself to the USB device, which means the infection did not originate from the USB device. With autorun disabled it would be impossible for a malicious file to run on its own. Someone had to execute the process.

Anyway I would definitely recommend MCShield to users that regularly connect unknown USB devices.

Thanks. :D