New Malware That Hides Your Data

For the last day or so we've been fighting battles for multiple client locations that are infected with a malware that McAfee calls a variant of W32/autorun.worm.aaeb-h.  The malware seems to travel on portable flash drives as well as possibly coming in as an email attachment.  It changes the attributes of files and entire folders of data so that they seem to disappear and the replaces them with similarly named .EXE files.  When a user accesses an infected flash drive or an infected folder on a network share, other folders to which they are connected will disappear from view right before their eyes.  (Talk about freaking out users!)  It also appears to infect in such a way that other users that access an infected folder will see it propagate itself to even more folders.  You will have to use Command line DOS prompts to change the attributes of the now hidden files to restore them and then delete the replacement executables that all have identical creation dates and file sizes.

McAfee sent out their alarm fully 7 days after we first encountered it in the wild which underlines just how overwhelmed many A/V vendors are trying to keep up with the flood of new malware and their variants.  As recently as 2007, A/V companies reported a few thousand viruses and malwares per year.  Now we're seeing several thousand new items PER DAY!  This one is a new variant of a well-known malware but it's tweaked enough that it avoided the original counter-measures.

This guy is a real stinker to remove on even a mid-sized network because of it's use of autorun to spread itself around a network.  If you disable AUTORUN on your network via Group Policy you can slow down it's spread but get ready to spend some time going from PC to PC searching for the original infection point.  The McAfee countermeasure/removal tool is called Striker.