Endpoint Protection

  • 1.  autorun.inf virus problem on server

    Posted Apr 14, 2011 10:02 PM

    I have been experiencing this for a week now. It's an autorun.inf virus which contains an IOSTREAM.exe file that keeps running and creating .exe folders. I just hope you could provide me with helpful solutions on this. It's being detected by Symantec Endpoint as w32.imaut, but it is unable to totally remove the virus, and it always runs on the shared folder.



  • 2.  RE: autorun.inf virus problem on server

    Posted Apr 14, 2011 11:01 PM

    If the source file is confirmed to be an autorun.inf that keeps being created, I recommend that you make a folder of the same name and set it as Read-Only.

    Search for other machines that contain the malware or one that doesn't have SEP installed.

    Risk Tracer would really help you on this one, but you need to activate the firewall module.



  • 3.  RE: autorun.inf virus problem on server

    Posted Apr 15, 2011 12:20 AM

    First step would definitely be to disable autorun within your environment.

    There appear to be several variants of w32.imaut. You need to visit the writeup for the variant affecting your environment. Usually the Technical Details tab gives specific information on how it spreads, and information to assist in removal.

    sandra



  • 4.  RE: autorun.inf virus problem on server

    Posted Apr 15, 2011 03:36 AM

    You should also look into this:

    http://www.microsoft.com/technet/security/advisory/967940.mspx

    "Microsoft is announcing the availability of updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Restricting AutoPlay functionality to only CD and DVD media can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file."



  • 5.  RE: autorun.inf virus problem on server

    Trusted Advisor
    Posted Apr 15, 2011 02:00 PM

    Hello,

    Symantec detects IOSTREAM.exe as w32.imaut.

    W32.Imaut / W32.Imaut.A is a worm that spreads via Yahoo! Instant Messenger and Microsoft Windows Live Messenger. The worm may attempt to download remote files on the compromised computer and disable Windows Task Manager and Registry tools.

     

    Here you have an AutoRun.inf issue and probably a threat for sure.

    Try the following:

    1) Open the Autorun.inf in Notepad. It will show you the name of the file which is infecting the machine.

    2) Right click on the bar and zip it. Open the zipped file and check if you see anything inside.

    3) Make sure you disable Autorun on all the drives with the help of GPO

    http://support.microsoft.com/kb/967715

    or follow the articles below

    Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x

    http://www.symantec.com/business/support/index?page=content&id=TECH104909

     

    How to protect a USB Flash Drive from being able to auto-start with an unauthorized Autorun.inf file

    http://www.symantec.com/business/support/index?page=content&id=TECH98330

    to resolve the issue.

     

    4) Follow the article to collect and submit all the suspicious files to the Symantec Security Response Team.

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

     

    Hope this helps.
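
Added example, not part of any post in this thread: a read-only Windows PowerShell check that reports the `NoDriveTypeAutoRun` policy value described in KB967715 and lists the program named by each autorun.inf found at the roots of local drives and shares. It assumes an elevated Windows PowerShell session on the affected server (it uses `Get-WmiObject`); nothing is modified or deleted.

```powershell
# Added example (not from the thread). Read-only triage: reports, changes nothing.
# Assumption: elevated Windows PowerShell session on the affected server.

# 1) Autorun policy. 0xFF in NoDriveTypeAutoRun disables Autorun on all drive types.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Output 'NoDriveTypeAutoRun: not set (Windows default applies)'
} else {
    Write-Output ('NoDriveTypeAutoRun: 0x{0:X2}' -f $policy.NoDriveTypeAutoRun)
}

# 2) Roots to inspect: every file-system drive plus the local path of every share.
$roots = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
$roots += @(Get-WmiObject Win32_Share | Where-Object { $_.Path } | ForEach-Object { $_.Path })

# 3) Report each autorun.inf and the entries in it that name a program.
$pattern = '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$'
foreach ($root in ($roots | Sort-Object -Unique)) {
    $inf  = Join-Path $root 'autorun.inf'
    # -Force is needed because these files are usually hidden and system.
    $item = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }

    if ($item.PSIsContainer) {
        # A folder with this name is the placeholder suggested in reply 2.
        Write-Output "$inf is a folder (placeholder), attributes: $($item.Attributes)"
        continue
    }

    Write-Output "$inf  modified: $($item.LastWriteTime)  attributes: $($item.Attributes)"
    Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_ -match $pattern) {
            Write-Output ('    {0} -> {1}' -f $Matches[1], $Matches[2].Trim())
        }
    }
}
```

The file names it prints are the ones to collect for submission in step 4 of the last reply; the `modified` timestamp shows whether an autorun.inf is still being rewritten after a cleanup.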