W32/autorun.worm.aaeb-h Outbreak
I don’t typically post on virus or malware outbreaks because it would consume too much of my time and they are simply too frequently created. For the most part, if you run your network and systems with the concepts of defense in depth and principle of least access, you should be fine. And as long as you are not running as the local administrator of your workstation you should also be fine… But every once in a while a piece of malware becomes noteworthy…
In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by copying itself to those locations. Once copied, it modifies the permissions so the executable is hidden. When used with removable media (think USB flash drives, or even MP3 players), it will modify the autorun.inf to auto-run the executable. It will also infect files with common file types such as audio (mp3, wmv, avi) and documents (doc, xls, pdf).
The presence of the following file names will indicate you might have this worm:
- Secret.exe
- Sexy.exe
- Pron.exe
- Password.exe
- x.mpeg
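A quick triage check for a drive or share root, as an added example that is not part of the original post or McAfee's tooling: it flags the file names listed above and reports any program an autorun.inf would launch. The function names are hypothetical, and the autorun.inf keys it looks for (`open`, `shellexecute`, `shell\<verb>\command`) are the standard Windows ones, assumed here because the post does not say which entries the worm writes.

```python
import os
import re
import tempfile

# File names the post lists as indicators (matched case-insensitively).
INDICATOR_NAMES = {"secret.exe", "sexy.exe", "pron.exe", "password.exe", "x.mpeg"}
# Standard autorun.inf launch keys (assumption: the post does not name them).
LAUNCH_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)
HIDDEN = 0x2  # Windows FILE_ATTRIBUTE_HIDDEN bit; the attribute is absent elsewhere


def autorun_targets(inf_text):
    """Return the program paths an autorun.inf would launch."""
    targets = []
    for line in inf_text.splitlines():
        # Comment lines start with ';' and therefore never match a launch key.
        match = LAUNCH_KEY.match(line)
        if match:
            targets.append(match.group(2))
    return targets


def scan_root(root):
    """Check the top level of a drive or share for the post's indicators."""
    findings = []
    for entry in os.scandir(root):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        hidden = getattr(entry.stat(), "st_file_attributes", 0) & HIDDEN
        if name in INDICATOR_NAMES:
            kind = "indicator-file-hidden" if hidden else "indicator-file"
            findings.append((kind, entry.name))
        elif name == "autorun.inf":
            with open(entry.path, encoding="latin-1") as fh:
                findings += [("autorun-launch", t) for t in autorun_targets(fh.read())]
    return sorted(findings)


def demo():
    """Scan a constructed directory standing in for a USB drive root."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"Secret.exe": "", "notes.txt": "",
                   "autorun.inf": "[autorun]\n; constructed sample\n"
                                  "open=Secret.exe\nshell\\open\\command=Password.exe\n"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_root(root)
```

A name match is only a lead: the post says these names indicate you might have the worm, so confirm any hit with a scanner before acting on it.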
Defense:
- Disable autorun feature
- Prevent the use of USB media for mission-critical servers
- Ensure scanning is enabled for removable media
Mitigation:
- Block access to TCP Port 9004 outbound
- Run McAfee’s free Stinger tool to detect and remove this worm: https://kc.mcafee.com/corporate/index?page=content&id=KB76807
For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb