Archive

Posts Tagged ‘anti-virus’

W32/autorun.worm.aaeb-h Outbreak

Nov 28, 2012

I don’t typically post on virus or malware outbreaks because they appear far too frequently and covering them would consume too much of my time. For the most part, if you run your network and systems with the concepts of defense in depth and the principle of least access, you should be fine. And as long as you are not running as the local administrator of your workstation you should also be fine… But every once in a while a piece of malware becomes noteworthy…

In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by copying itself to those locations. Once copied, it modifies the permissions so the executable is hidden. When used with removable media (think USB flash drives, or even MP3 players), it modifies the autorun.inf to auto-run the executable. It also infects files with common file types such as audio/video (mp3, wmv, avi) and documents (doc, xls, pdf).

The presence of any of the following file names indicates you may have this worm:

  • Secret.exe
  • Sexy.exe
  • Pron.exe
  • Password.exe
  • x.mpeg

Defense:

  • Disable the AutoRun feature
  • Prevent the use of USB media for mission-critical servers
  • Ensure scanning is enabled for removable media

Mitigation:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb.
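The indicator list and the defenses above can be turned into a quick check a defender can run on a suspect host. The script below is an added example, not code from the original post or from McAfee: it looks on every removable drive (and on any share path passed as an argument) for the file names listed above, reports autorun.inf entries that would launch a program, and verifies that AutoRun is disabled by policy. The indicator names are the post’s; the autorun.inf keys it inspects (open, shellexecute, shell\…\command) and the NoDriveTypeAutoRun policy value (0xFF disables AutoRun for all drive types) are standard Windows behaviour that I am assuming as the right things to check, and the script name Check-Autorun.ps1 is a placeholder.

```powershell
# Added example (not from the original post): defender-side check for the
# W32/autorun.worm indicators and defenses described above.
# Assumptions: indicator names from the post; autorun.inf keys and the
# NoDriveTypeAutoRun policy value are standard Windows behaviour.

$IndicatorNames = @('Secret.exe', 'Sexy.exe', 'Pron.exe', 'Password.exe', 'x.mpeg')

function Get-AutorunIndicators {
    param([Parameter(Mandatory)] [string] $Path)

    $findings = @()

    # 1. Indicator file names anywhere under the path. -Force includes hidden
    #    and system files, which matters because the worm hides its executable.
    $files = Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        if ($IndicatorNames -contains $f.Name) {
            $findings += [pscustomobject]@{
                Type   = 'IndicatorFile'
                Item   = $f.FullName
                Detail = "attributes: $($f.Attributes)"
            }
        }
    }

    # 2. An autorun.inf in the root whose open / shellexecute / shell\...\command
    #    entry launches something. A data-only drive should have no such entry.
    $inf = Join-Path $Path 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $infLines = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue
        foreach ($line in $infLines) {
            if ($line -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(\S.*)$') {
                $findings += [pscustomobject]@{
                    Type   = 'AutorunEntry'
                    Item   = $inf
                    Detail = $line.Trim()
                }
            }
        }
    }
    return $findings
}

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $props = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.NoDriveTypeAutoRun -eq 0xFF)
}

# Targets: every removable drive (Win32_LogicalDisk DriveType 2) plus any share
# paths given on the command line, e.g.  .\Check-Autorun.ps1 \\fileserver\share
$targets = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
             ForEach-Object { $_.DeviceID + '\' })
$targets += $args

foreach ($t in $targets) {
    Write-Host "Scanning $t"
    Get-AutorunIndicators -Path $t | Format-Table -AutoSize
}

if (-not (Test-AutorunDisabled)) {
    Write-Warning 'AutoRun is not fully disabled by policy (NoDriveTypeAutoRun is not 0xFF).'
}
```

A hit on an indicator file name is only a hint (the names are generic), so treat the output as a prompt to scan the drive with up-to-date signatures rather than as a verdict; the autorun.inf and policy checks, on the other hand, directly cover the first and third defenses in the list above.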


Removing Trend Icon from SysTray on Terminal Servers

If you are using Trend Micro for anti-virus on your terminal servers, you should consider applying the following changes to stop the icon from running in the system tray. Running the systray monitoring process for every logged-on user is inefficient and drags down performance, so it works best to remove it from each user account.

Here are the changes:

REMOVE INI ENTRIES

Open the agent configuration file:

    notepad "C:\Program Files\Trend Micro\Client Server Security Agent\ofcscan.ini"

Search for NT_RUN_KEY_FILE_NAME=pccntmon.exe and change it to:

    NT_RUN_KEY_FILE_NAME=
    NT_RUN_KEY_FILE_NAME=pccntmon.exe Removed by Admin

Search for NT_RUN_KEY=OfficeScanNT Monitor and change it to:

    NT_RUN_KEY=
    NT_RUN_KEY=OfficeScanNT Monitor Removed by Admin

REMOVE REGISTRY ENTRY

Open the registry editor (regedt32), navigate to

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and delete the OfficeScanNT Monitor value.
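On a terminal server farm the two edits above are easier to apply consistently from a script than by hand. The following is an added example, not the post’s own procedure or anything from Trend Micro: it backs up ofcscan.ini, blanks the two NT_RUN_KEY entries, and removes the OfficeScanNT Monitor value from the Run key, with -WhatIf support so it can be dry-run first. The INI path, key names, values and Run value name are the ones the post gives; the timestamped backup (which replaces the in-file “Removed by Admin” note as the record of what changed) and the ShouldProcess handling are my additions. It must be run from an elevated prompt.

```powershell
# Added example (not from the original post or from Trend Micro): applies the
# ofcscan.ini edits and the Run-key removal described above in one pass.
# Assumptions: paths, keys and value names are those given in the post;
# backup naming and -WhatIf handling are additions. Run elevated.

[CmdletBinding(SupportsShouldProcess)]
param(
    [string] $IniPath      = 'C:\Program Files\Trend Micro\Client Server Security Agent\ofcscan.ini',
    [string] $RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    [string] $RunValueName = 'OfficeScanNT Monitor'
)

if (-not (Test-Path -LiteralPath $IniPath)) {
    throw "ofcscan.ini not found at '$IniPath'"
}

# Timestamped backup next to the original so the change can be reverted.
$backup = "$IniPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $IniPath -Destination $backup

# Blank the two entries that name the systray monitor process and its Run value.
$changed  = 0
$newLines = foreach ($line in (Get-Content -LiteralPath $IniPath)) {
    switch -Regex ($line) {
        '^NT_RUN_KEY_FILE_NAME=pccntmon\.exe\s*$' { 'NT_RUN_KEY_FILE_NAME='; $changed++ }
        '^NT_RUN_KEY=OfficeScanNT Monitor\s*$'   { 'NT_RUN_KEY=';           $changed++ }
        default                                  { $line }
    }
}

if ($changed -eq 0) {
    Write-Host "No matching entries in $IniPath; file left untouched (backup at $backup)."
} elseif ($PSCmdlet.ShouldProcess($IniPath, "blank $changed NT_RUN_KEY entries")) {
    Set-Content -LiteralPath $IniPath -Value $newLines
    Write-Host "Updated $IniPath ($changed entries); backup at $backup."
}

# Remove the existing Run value so the monitor no longer starts in each session.
$current = Get-ItemProperty -Path $RunKey -Name $RunValueName -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "Run value '$RunValueName' not present."
} elseif ($PSCmdlet.ShouldProcess("$RunKey\$RunValueName", 'remove Run value')) {
    Remove-ItemProperty -Path $RunKey -Name $RunValueName
}
```

Run it once with -WhatIf to see which lines and which registry value would be touched, then without. Because the script declares SupportsShouldProcess, -WhatIf also propagates to the Copy-Item, so the dry run leaves no backup file behind either.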