[Discuss] virus?

John Abreau jabr at blu.org
Mon Oct 27 18:55:35 EDT 2014


If you make the top level directory read-only, then the infected client
won't be able to create those files there.

If that's not feasible, perhaps you could create dummy files with those
filenames and make those files read-only and undeletable.

The samba logs should show you which clients are creating those files, so
the users will know they need to disinfect their machines.



On Mon, Oct 27, 2014 at 6:21 PM, Stephen Adler <adler at stephenadler.com>
wrote:

> Guys,
>
> I'm not sure if this is the right forum to post this question, but here
> goes.
>
> I have a linux server box in my lab which I'm using to run a samba service
> and serve up some disk space to some laboratory equipment which have
> computer consoles operating them running Windows. As it turns out, on one
> of the equipment, I mounted the samba served network folder and lo and
> behold Autorun.inf and a rundll.exe file suddenly appeared in the top level
> directory of the mounted network folder. I proceeded to delete the files on
> the linux side (on my linux server) and within seconds the two files
> reappeared.
>
> The content of the Autorun.inf basically causes rundll.exe to execute.
>
> I'm thinking I'm looking at a virus on the lab equipment's Windows PC doing
> its thing to propagate itself. If I plug a thumb drive into the equipment's
> PC, that'll copy those two files onto the thumb drive and my guess is the
> rundll.exe code gets executed when the thumb drive gets plugged into
> another Windows PC.
>
> Can you guys concur with this? If I mount the network folder from my "infected"
> linux server onto another PC, will the Autorun.inf tell the 2nd PC which
> mounted this drive to execute the rundll.exe file? Or does this only happen
> when you plug a thumb drive in?
>
> Again, sorry if this is the wrong forum to ask this kind of question.
>
> Cheers. Steve.
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
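The three measures in John's reply (read-only top-level directory, immutable dummy files, and reading the Samba logs to find the offending client) as one added shell script. This is an added example, not code from the thread or from the Samba project. It assumes a hypothetical share root of /srv/lab, the two filenames Steve reported, and that Samba has been configured to log file operations through the vfs_full_audit module to syslog with the default "%u|%I" prefix; the syslog lines used for the dry run are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical assumptions:
# share root /srv/lab, dropper names Autorun.inf and rundll.exe, and a
# Samba share logging through vfs_full_audit, roughly:
#   [lab]
#      path = /srv/lab
#      vfs objects = full_audit
#      full_audit:success = create_file unlink
#      full_audit:prefix = %u|%I
SHARE_ROOT="${SHARE_ROOT:-/srv/lab}"
DROPPER_NAMES="Autorun.inf rundll.exe"

# Option 1: make the top-level directory itself read-only for Samba users.
# root keeps write access; existing subdirectories stay writable, so the
# instruments can still save data below the top level.
lock_share_root() {
    chown root:root "$1" && chmod 0755 "$1"
}

# Option 2: pin the dropper names as empty, read-only, immutable files.
# chattr +i needs root and an ext*/xfs-style filesystem; if it fails the
# files are merely 0444, which the owning Samba user could still delete.
pin_dropper_names() {
    for name in $DROPPER_NAMES; do
        : > "$1/$name"
        chmod 0444 "$1/$name"
        chattr +i "$1/$name" 2>/dev/null \
            || echo "warning: chattr +i failed on $1/$name" >&2
    done
}

# Option 3: find which client keeps creating the files. Reads full_audit
# syslog lines from the file named in $1 and prints "count ip user filename",
# most frequent first.
report_dropper_clients() {
    grep -E 'smbd_audit: .*[|](create_file|open)[|]ok[|].*/(Autorun\.inf|rundll\.exe)$' "$1" \
      | sed -E 's/.*smbd_audit: ([^|]+)[|]([^|]+)[|].*\/([^/]+)$/\2 \1 \3/' \
      | sort | uniq -c | sort -rn
}

# Constructed syslog lines in the full_audit layout, for an offline dry run.
sample_audit_log() {
    cat <<'EOF'
Oct 27 18:01:02 labsrv smbd_audit: labuser|192.0.2.15|create_file|ok|0x100080|file|create|/srv/lab/Autorun.inf
Oct 27 18:01:02 labsrv smbd_audit: labuser|192.0.2.15|create_file|ok|0x100080|file|create|/srv/lab/rundll.exe
Oct 27 18:05:30 labsrv smbd_audit: steve|192.0.2.40|create_file|ok|0x100080|file|create|/srv/lab/run1/data.csv
Oct 27 18:09:11 labsrv smbd_audit: labuser|192.0.2.15|create_file|ok|0x100080|file|create|/srv/lab/Autorun.inf
EOF
}

# Usage: script.sh lock | pin | report [logfile] | demo
case "${1:-}" in
    lock)   lock_share_root "$SHARE_ROOT" ;;
    pin)    pin_dropper_names "$SHARE_ROOT" ;;
    report) report_dropper_clients "${2:-/var/log/syslog}" ;;
    demo)   tmp=$(mktemp); sample_audit_log > "$tmp"
            report_dropper_clients "$tmp"; rm -f "$tmp" ;;
esac
```

`demo` runs the report over the constructed lines and attributes both files to 192.0.2.15 (user labuser), while the legitimate data.csv write from 192.0.2.40 is ignored. Once a file is pinned with `chattr +i`, neither the Samba client nor root can delete or truncate it until `chattr -i` is run, so check with `lsattr` before wondering why a later cleanup fails. The `lock` option only helps if the instruments write into subdirectories; if they need to create files directly in the top level, use `pin` instead.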