Based on our initial analysis, the WORM_VOBFUS variants seen spreading on Facebook do not exhibit new routines, but they are a good reminder for users about well-known but easily forgotten safe computing practices.
The significant increase in infection is curious because Windows 7 and Windows 8 PCs will not launch autorun.inf files, and Microsoft has released two patches for older systems. Therefore, security experts believe infections are happening through a combination of unpatched computers, shared folders and files, and social media. Someone inserting a USB drive or memory stick carrying the malware can infect unpatched PCs. On other systems, an infection can occur once the malware travels to a network share and someone clicks on an infected file or folder. Clicking the malware on Facebook would certainly open a quick path to a shared folder on a corporate network. The malware adds a registry key so that it can start when a PC is booted up. Variants of the malware will disable Windows Update to prevent the victim from downloading patches to disable the malware.
WORM_VOBFUS variants are known to propagate by taking advantage of the Windows Autorun feature on drives. To address this, users are often advised to disable it to prevent their drives from being infected. For reasons of inconvenience (or maybe forgetfulness?), users do not do so. However, users can disable Autorun, and in effect prevent the worm from spreading, by following certain steps.
Prevention:
Removable drives are one of the most common infection vectors for malware today. Worms propagate via these vectors to proliferate their payload and ultimately, infect more users.
Users need to perform some countermeasures to secure their systems. One way of doing this is to protect removable drives against worms that use the Autorun feature.
Note: Make sure that your external drive is formatted using NTFS, as this procedure uses a specific feature of NTFS. If your removable drive is formatted using either FAT or FAT32, back up any data on the said drive first and reformat using NTFS. This may require Windows Vista or Windows 7.
- Create a new folder in the root directory of the removable disk and rename it to “AUTORUN.INF”.
- Create four more folders in the same location and name them “recycle”, “recycler”, “recycled”, and “setup” respectively. Note: The folders recycle, recycler, recycled and setup are optional, but users are advised to create them because malware often uses these names.
- Open a command prompt (cmd.exe) and go to the root directory of your removable drive.
- Set the folder attributes using the following DOS command:
attrib autorun.inf /s /d -a +s +r
- Set the privilege level of the folder using the following DOS command:
cacls autorun.inf /c /d administrators
- Select ‘Y’ and press Enter when the message “Are you sure (Y/N)?” is prompted.
- To test it, try to delete, modify, rename, copy, or open the created folder. If you cannot perform any of these functions, then the procedure is successful.
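The steps above as a single PowerShell script, added here as an example and not part of the original post. The `$DriveLetter` parameter is an assumption for illustration; the script runs the page's `attrib` and `cacls` commands unchanged and adds an NTFS check, a check for an existing file named like one of the folders, and the final access test.

```powershell
# Added example, not from the original post. $DriveLetter is an assumed parameter.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter
)

$root  = "${DriveLetter}:\"
$drive = New-Object System.IO.DriveInfo $root

# The deny ACL set by cacls needs NTFS (see the note before the steps).
if (-not $drive.IsReady) { throw "Drive $root is not ready." }
if ($drive.DriveFormat -ne 'NTFS') {
    throw "Drive $root is $($drive.DriveFormat); back up its data and reformat as NTFS first."
}

# AUTORUN.INF is required; the other four names are the optional folders.
foreach ($name in 'AUTORUN.INF', 'recycle', 'recycler', 'recycled', 'setup') {
    $path = Join-Path $root $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # A file already holds this name: leave it for inspection, do not overwrite.
        Write-Warning "$path already exists as a file; inspect it before rerunning."
    } elseif (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
}

$target = Join-Path $root 'AUTORUN.INF'
if (-not (Test-Path -LiteralPath $target -PathType Container)) {
    throw "$target is not a folder; nothing was locked down."
}

# The page's two commands, unchanged. 'Y' answers the "Are you sure (Y/N)?" prompt.
& attrib.exe $target /s /d -a +s +r
'Y' | & cacls.exe $target /c /d administrators

# Final step of the procedure: opening the folder should now fail.
try {
    Get-ChildItem -LiteralPath $target -Force -ErrorAction Stop | Out-Null
    Write-Warning "$target can still be opened; the deny entry did not take effect."
} catch {
    Write-Output "$target cannot be opened: $($_.Exception.Message)"
}
```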