Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] virus?



> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Stephen Adler
> 
> The content of the Autorun.inf basically causes rundll.exe to execute.

Doesn't sound like normal behavior to me (I've never seen it before).  So yeah, most likely it is a virus.

Greg said scan it with AV so you can figure out how to deal with it - My experience is that this approach doesn't work.  I have cleaned hundreds of viruses, and I have a 100% failure rate.  Even when you can identify a specific vulnerability that allowed a specific virus into a computer, and McAfee or Symantec releases a utility specifically to eliminate that particular virus - and you clean the virus, apply updates and close the hole - viruses always install additional hooks or backdoors in order to get themselves back in after cleaning.  The only effective defense is to completely nuke the affected systems after infection (reinstall the OS).  Run regular whole-system backups, try to prevent viruses getting in there (apply updates regularly, run antivirus) and then if something gets in, restore yesterday's backup.

Bill said thanks to autorun, most likely all the other Windows machines are infected by now.  I believe this is false, depending on the version of Windows.  Old versions would blindly and stupidly obey the autorun, but since Vista, they're much more restrictive and less likely to heed the autorun.  So your XP machines (which should be destroyed) are probably infected, and anything later is most likely not.  But the best way to detect is to run some AV on the clients.
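As an added defensive example (not code from this thread or from BLU), here is a small Python check that parses an Autorun.inf and flags launch directives that hand execution to rundll32 or a similar loader, the behaviour Stephen described. The sample files and the loader pattern list are constructed for this example.

```python
"""Triage Autorun.inf files: report whether the [autorun] section launches
anything, and whether what it launches is a system loader such as rundll32."""
import configparser
import re

# Keys in the [autorun] section that make Windows run something on insertion.
LAUNCH_KEYS = ("open", "shellexecute")
# Loaders commonly abused to run a DLL or script from removable media
# (constructed pattern for this example; extend it for your environment).
LOADER = re.compile(r"\b(rundll32|rundll|regsvr32|wscript|cscript|mshta)(\.exe)?\b", re.I)

def parse_autorun(text):
    """Return the [autorun] section (case-insensitive name) as a dict of
    lowercase keys, or {} if the file has no such section or cannot be parsed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:          # no section header, garbage lines, etc.
        return {}
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k: (v or "") for k, v in cp[name].items()}
    return {}

def assess(text):
    """Return (verdict, reasons): 'suspicious' if a launch key invokes a loader,
    'launches' if it runs something else, 'benign' if nothing is launched."""
    section = parse_autorun(text)
    verdict, reasons = "benign", []
    for key in LAUNCH_KEYS:
        value = section.get(key, "").strip()
        if not value:
            continue
        if LOADER.search(value):
            verdict = "suspicious"
            reasons.append(f"{key}= invokes a system loader: {value}")
        else:
            verdict = verdict if verdict == "suspicious" else "launches"
            reasons.append(f"{key}= runs {value}")
    return verdict, reasons

# Constructed sample files for the demonstration.
MALICIOUS = "[AutoRun]\nopen=rundll32.exe recycler.dll,Start\nshellexecute=rundll32.exe recycler.dll,Start\nicon=%SystemRoot%\\system32\\shell32.dll,4\naction=Open folder to view files\n"
INSTALLER = "[autorun]\nopen=setup.exe /autorun\nicon=setup.exe\n"
LABEL_ONLY = "[autorun]\nlabel=Photos 2010\nicon=photos.ico\n"

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS), ("installer", INSTALLER), ("label", LABEL_ONLY)):
        print(name, assess(sample))
```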



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org