USB viruses, BIG PROBLEM

Discussion in 'ESET NOD32 Antivirus' started by Maggio, Oct 20, 2009.

Thread Status:
Not open for further replies.
  1. Maggio

    Maggio Registered Member

    Joined:
    Oct 20, 2009
    Posts:
    7
    Hello,

    I have big problems at my work, as I work as a computer administrator and I manage about 200 computers. All of them have a licensed version of NOD32 2.7.
    The problem is with USB viruses. I turned off automatic play on the computers but the viruses still infect the computers. Today I've infected my USB stick with some kind of virus that doesn't allow copy/paste on the computer that it infects.

    So, my question is: is there a solution? Maybe we should purchase the 4.0 version of NOD32, maybe NOD Internet Security, or can I do something with just the 2.7 version to stop viruses spreading via USB sticks?


    I only need to add that all the computers are using Windows XP SP2/3 and we don't have a domain; every computer stands by itself.


    BIG THANK YOU...
     
  2. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    Uh, if you have a legal license for version 2.7 you can go ahead and download and install v4.
    V4 has an option to disable USB drives and better detection. You may want to keep any server on 2.7 and upgrade clients to v4.
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Thinking the same thing. No offense but if you are still using 2.7 on 200 computers when 4 is out there, well, you wouldn't get a raise this year if it were me. ;)
     
  4. Maggio

    Maggio Registered Member

    Joined:
    Oct 20, 2009
    Posts:
    7

    Well, I just got employed in this company. If You asked me, I would upgrade it to V4 as soon as it got out ;) There is a bit of chaos regarding the computer stuff here and I intend to get it in order...
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    You are a good man. Seriously, version 4 is night and day compared to version 2. 4 is very good.
     
  6. Maggio

    Maggio Registered Member

    Joined:
    Oct 20, 2009
    Posts:
    7
    Thank You. I'll take care to upgrade all computers to V4 and avoid the big problem with USB viruses, because they are very frequent here and make me do a lot of undesired work when I have smarter things to do...
     
  7. Maggio

    Maggio Registered Member

    Joined:
    Oct 20, 2009
    Posts:
    7
    I see that in V4 there is an advanced option to block removable media. I'm afraid that that is not the solution that I need. I can't disable removable media.

    I need to let the users use USB removable media, but I'm wondering: will V4 scan or block a threat when the user is attempting to copy or execute something from a USB stick infected with the virus?


    Thank You very much for giving me support with my problem...


    And something else. I've noticed that to get infected with the virus from a USB stick, You don't need to execute or copy something from the stick. It's enough to open or explore the stick and, oops, You are infected...
     
    Last edited: Oct 20, 2009
  8. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    The issue you are hitting is due to Windows executing the autoplay.inf file on the USB keys. If you are keeping your systems patched, Microsoft should have released an update that disables the autoplay functionality on mass storage devices that are causing problems on your systems. http://support.microsoft.com/kb/971029

    If you are running a proper domain then you should look at disabling autorun through policy completely.
     
  9. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    As has been noted, ESET NOD32 Antivirus and ESET Smart Security v4.0 have removable media control, which would allow you to block USB flash drives on the computers you support.

    Microsoft Knowledge Base Articles #967715, "How to disable the Autorun functionality in Windows" and #971029 "Update to the AutoPlay functionality in Windows" give information and tools for mitigating the risk of AUTORUN.INF-borne malware, as does this cyber security alert from US CERT, a federal government agency responsible for protecting computers.


    Regards,

    Aryeh Goretsky
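
Added example, not part of the thread or of ESET's or Microsoft's material: with no domain to push policy, one way to check the KB 967715 setting on standalone PCs is to collect each machine's `reg query` output for `NoDriveTypeAutoRun` and decode the bitmask. Host names and sample outputs below are constructed.

```python
import re

# Bit meanings of NoDriveTypeAutoRun as listed in Microsoft KB 967715.
# A SET bit disables Autorun for that drive type; 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "cd-rom", 0x40: "ram-disk", 0x80: "unknown-reserved",
}
# Output of, for example:
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun
VALUE_RE = re.compile(r"NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-f]+)", re.I)

def parse_reg_query(output):
    """Return the DWORD as an int, or None when the value is not set."""
    m = VALUE_RE.search(output)
    return int(m.group(1), 16) if m else None

def autorun_enabled_for(value):
    """Drive types whose bit is clear, i.e. Autorun is still enabled."""
    return sorted(n for bit, n in DRIVE_TYPE_BITS.items() if not value & bit)

def audit(host, output):
    value = parse_reg_query(output)
    if value is None:
        # Value absent: the OS default applies, so flag the host for review.
        return (host, "MISSING", [])
    enabled = autorun_enabled_for(value)
    if "removable" in enabled:
        return (host, "REMOVABLE-AUTORUN-ON", enabled)
    status = "ALL-DISABLED" if not enabled else "REMOVABLE-DISABLED"
    return (host, status, enabled)

def hosts_needing_fix(samples):
    bad = ("MISSING", "REMOVABLE-AUTORUN-ON")
    return sorted(h for h, out in samples.items() if audit(h, out)[1] in bad)

# Constructed sample outputs (hypothetical host names).
SAMPLES = {
    "PC-001": "    NoDriveTypeAutoRun    REG_DWORD    0x91",
    "PC-002": "    NoDriveTypeAutoRun\tREG_DWORD\t0xff",
    "PC-003": "Error:  The system was unable to find the specified registry key or value",
    "PC-004": "    NoDriveTypeAutoRun    REG_DWORD    0x95",
}

if __name__ == "__main__":
    for host in sorted(SAMPLES):
        print(audit(host, SAMPLES[host]))
```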
     
  10. Maggio

    Maggio Registered Member

    Joined:
    Oct 20, 2009
    Posts:
    7

    .....
     
  11. Maggio

    Maggio Registered Member

    Joined:
    Oct 20, 2009
    Posts:
    7
    2 agoretsky:

    I shall try Your advice... TNX ;)
     
  12. Brambb

    Brambb Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    411
    Location:
    The Netherlands
    V4 has (far) better detection and cleaning abilities than V2, so the nasties which have gone by V2 could be blocked by V4.

    Besides that, it's not uncommon to block USB flash disks in company networks, not only for the risk of getting infected by malware from outside but also as protection for your (network) data, which can be easily transferred outside the company.

    If automatic play is turned off and V4 is set to scan all removable drives (default) you're pretty much set with configuration options.
     
  13. Maggio

    Maggio Registered Member

    Joined:
    Oct 20, 2009
    Posts:
    7
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    V4 scans files run from removable media with maximum settings so if a threat is recognized either by heuristics or signatures, it will certainly be blocked. V2 would only detect it when already executed and copied to the disk (if ever).
     
  15. trevy71

    trevy71 Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    2
    I've V4 installed in most PCs but certain PCs are still infected with the AUTORUN virus. I tried an infected USB drive on my PC (WinXP Pro SP3) with autorun disabled (followed instructions on how to disable autorun and had the newest patches installed). NOD32 V4 detected the virus upon insertion of the thumb drive but it seems like the antivirus software doesn't prevent the infection. When I checked on the processes, I could see 7698CE.exe was there !!!

    Below is the threat log.

    03/11/2009 2:12:09 PM Real-time file system protection file G:\autorun.inf INF/Autorun.gen trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\WINDOWS\system32\61D91B\7698CE.EXE.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    The thing is you already have the trojan on the disk and running:
    C:\WINDOWS\system32\61D91B\7698CE.EXE

    V4 has improved protection against threats running from removable media, but this one is run from your disk.

    If the file 7698CE.EXE is not detected at all, submit it to ESET per the instructions here.
     
  17. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    The performance of the workstations can be night and day too. Depending on the age (thus horsepower) of the workstations he's in charge of..have some older single core or H/T P4s in there with under a gig of RAM...if he goes from 2.7 to 4.0 he'll be chased out of there by a bunch of angry staff members screaming about their computers being dog slow.

    On older PCs he may want to consider moving them up to version 3, and leaving only newer duo core or higher machines to version 4.
     
  18. trevy71

    trevy71 Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    2
    Hi Marcos,

    The PC is virus free. I've checked the processes before inserting the infected thumb drive. The 7698CE.EXE appeared only after the thumb drive had been inserted. Why wouldn't V4 have prevented it instead of just triggering an alert :argh:
     
  19. The PIT

    The PIT Registered Member

    Joined:
    Sep 4, 2008
    Posts:
    185
    Time for http://www.malwarebytes.org/

    Then possibly combofix

    Also sounds like your company needs a policy on removable storage. Pity that write-protected USB devices are hard to come by.

    It will also be worth having a look at the autorun.inf on the USB stick, as the file name may give a clue what the virus is.
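
Added example, not part of the post above: a small triage parser for the inspection suggested there. It lists the commands an autorun.inf would start, including the `shell\<verb>\command` entries tied to opening or exploring the drive in Explorer, and the file names to look for. The sample file content and names are constructed.

```python
import ntpath

LAUNCH_KEYS = ("open", "shellexecute")

def launch_targets(text):
    """Return (key, command) pairs from the [autorun] section that start a program.

    Parsed by hand instead of with configparser, because autorun.inf files seen
    in the wild often contain junk lines and duplicate keys."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets

def program_of(command):
    """File name of the program in a command line (quoted or unquoted path)."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(None, 1)[0] if command else ""
    return ntpath.basename(path).lower()

def target_file_names(text):
    """Distinct file names to search for on the stick and on the PC's disk."""
    return sorted({program_of(c) for _, c in launch_targets(text)} - {""})

# Constructed sample, not taken from the thread.
SAMPLE = (
    "; constructed sample\r\n"
    "[AutoRun]\r\n"
    "junk line without an equals sign\r\n"
    "label=USB DISK\r\n"
    "icon=example.ico\r\n"
    "open=RECYCLER\\example.exe\r\n"
    "shell\\open\\command=\"RECYCLER\\example.exe\" -x\r\n"
    "shell\\explore\\command=RECYCLER\\example.exe\r\n"
)
```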
     
  20. BryanW

    BryanW Registered Member

    Joined:
    Oct 20, 2008
    Posts:
    24
    Our office computer was plagued by USB viruses until we installed ESET 3 then upgraded to ESET 4. Now it has been about 6 months without viruses and we credit that to ESET. We wish you well with your computers.
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    If real-time protection is actually scanning files on removable drives, it was supposed to detect and block autorun.inf, no matter whether you use v2/v3/v4. You wrote that you had automatic media play disabled so I don't understand how autorun.inf could be triggered.
     
  22. neilsequeira

    neilsequeira Registered Member

    Joined:
    Jun 28, 2009
    Posts:
    8
    Use Tweak UI to disable Autorun on removable drives. It does save you from getting infected. May help.
     