Remediation measures - Stinger and Signed ExtraDAT for W32/Autorun.worm.aaea to aaem
Technical Articles ID:  KB76807
Last Modified:  02/13/2014

Environment

McAfee Signed ExtraDAT
Multiple McAfee products

W32/Autorun.worm.aae-h

Variants and alternative threat names:
BackDoor-FJW
Generic PWS.ahn
PWS-FAFU
VBObfus.ey
VBObfus.ez
VBObfus.fa
W32/Autorun.worm.aaea
W32/Autorun.worm.aaeb
W32/Autorun.worm.aaec
W32/Autorun.worm.aaed
W32/Autorun.worm.aaee
W32/Autorun.worm.aaef
W32/Autorun.worm.aaeg
W32/Autorun.worm.aaeh
W32/Autorun.worm.aaei
W32/Autorun.worm.aaek
W32/Autorun.worm.aael
W32/Autorun.worm.aaem

Summary

Updated: May 2013
All of the remaining variants listed above are now incorporated into the current DAT release. This article will be updated if new variants are identified and an Extra.DAT is required.  If required, it will be attached to this article.

Threat information
W32/Autorun.worm.aae* infects removable media and mounted network shares. Infection starts when a user runs an infected file, or simply opens a folder or drive that contains one: the Autorun.inf the worm drops next to its copy makes Windows execute the malware automatically. The worm also adds copies of itself to ZIP and RAR archives, and downloads other malware, or updates to itself, as directed by its Command-and-Control (C&C) server. For detailed information about W32/Autorun.worm.aae*, see Threat Advisory PD24169 and the McAfee Threat Library page (http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1607456).

IMPORTANT:

  • Autorun.worm.aae* is server-side polymorphic: the malicious files it serves change regularly, so you might find new variants that require analysis. If you believe you are dealing with a new, undetected variant, submit all undetected samples to McAfee Labs for analysis. For more information, see KB68030.
  • Test the ExtraDAT files and any of the custom Access Protection (AP) rules discussed in this article locally before you deploy them company-wide. See KB76425 for details.

Suggested procedures
To block Autorun.inf, create a File/Folder Access Protection Rule:

File/Folder Access Protection Rule
  Rule name:                     Block Autorun.inf
  Processes to include:          *
  Processes to exclude:          Stinger.exe, scan*.exe, mcshield.exe
  File or folder name to block:  autorun.inf
  File actions to prevent:       Read access to files
                                 Write access to files
                                 Files being executed
                                 New files being created
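To find out whether a removable drive or mapped share already carries the worm's Autorun.inf, and what that file would launch, the following script can be run on a host before the rule is deployed. It is an added example, not part of this article or of any McAfee product: it assumes it runs on the host being checked with read access to the drives, and it is written for Windows PowerShell 2.0 so that it also runs on the Windows XP and Windows 7 systems the rules target.

```powershell
# Added example (not from the McAfee article): hunt for autorun.inf on removable
# and network drives and report what its [autorun] section would launch.
# Assumes it runs on the host being checked with read access to the drives.
# Written for Windows PowerShell 2.0 (Windows XP/7), hence Get-WmiObject and
# .NET file calls instead of newer cmdlets.

function ConvertFrom-AutorunInf {
    param([string[]]$Lines)
    # Returns a hashtable of the [autorun] directives that start a program
    # (open, shellexecute, shell, shell\<verb>\command) or disguise the drive
    # (icon, label, action). Comments (;) and other sections are ignored.
    $directives = @{}
    $inAutorun = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $inAutorun = ($matches[1] -ieq 'autorun'); continue }
        if (-not $inAutorun) { continue }
        $eq = $line.IndexOf('=')
        if ($eq -lt 1) { continue }
        $key = $line.Substring(0, $eq).Trim().ToLower()
        if ($key -match '^(open|shellexecute|shell|icon|label|action)$' -or $key -match '^shell\\.+\\command$') {
            $directives[$key] = $line.Substring($eq + 1).Trim()
        }
    }
    return $directives
}

function Get-LaunchTarget {
    param([string]$CommandLine)
    # The file that would run: a quoted path, or else the first token.
    if ($CommandLine -match '^"([^"]+)"') { return $matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Find-AutorunInf {
    # Win32_LogicalDisk DriveType: 2 = removable disk, 4 = network drive.
    $drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 4 }
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $infPath = $root + 'autorun.inf'
        if (-not [IO.File]::Exists($infPath)) { continue }
        $directives = ConvertFrom-AutorunInf ([IO.File]::ReadAllLines($infPath))
        foreach ($key in @($directives.Keys)) {
            # Only the directives that execute something produce a report row.
            if ($key -ne 'open' -and $key -ne 'shellexecute' -and $key -notlike 'shell\*\command') { continue }
            $target = Get-LaunchTarget $directives[$key]
            $targetPath = $root + $target.TrimStart('\')
            $exists = [IO.File]::Exists($targetPath)
            $hidden = $false
            if ($exists) {
                $hidden = ([IO.File]::GetAttributes($targetPath) -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden
            }
            New-Object PSObject -Property @{
                Drive         = $d.DeviceID
                DriveType     = $d.DriveType
                InfAttributes = [IO.File]::GetAttributes($infPath)
                Directive     = $key
                Value         = $directives[$key]
                TargetExists  = $exists
                TargetHidden  = $hidden
                Label         = $directives['label']
                Icon          = $directives['icon']
            }
        }
    }
}

# A hidden target, or a label/icon that mimics a folder or document, is the
# worm's usual disguise; a hidden+system autorun.inf is itself a warning sign.
Find-AutorunInf | Format-Table Drive, Directive, Value, TargetExists, TargetHidden, InfAttributes -AutoSize
```

Only mapped drives (DriveType 4) are covered; a share opened by UNC path is not a logical disk and has to be checked by passing its autorun.inf to ConvertFrom-AutorunInf directly.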


To prevent rar.exe from being run, create a File/Folder Access Protection Rule:

File/Folder Access Protection Rule
  Rule name:                     Block rar.exe
  Processes to include:          *
  Processes to exclude:          Stinger.exe, scan*.exe, mcshield.exe
  File or folder name to block:  rar.exe
  File actions to prevent:       Files being executed

NOTE: This rule blocks every rar.exe on the system, including a legitimately installed WinRAR command-line tool, so add an exclusion for any process that needs it.


To prevent new files with the following names from being created, create a File/Folder Access Protection Rule for each of:
  • Secret.exe
  • Passwords.exe
  • Porn.exe
  • Sexy.exe
  • X.mpeg

    NOTE: Create one rule per file name listed above, following the Secret.exe example below.

File/Folder Access Protection Rule
  Rule name:                     Block secret.exe
  Processes to include:          *
  Processes to exclude:          <leave this field blank>
  File or folder name to block:  Secret.exe
  File actions to prevent:       Files being executed
                                 New files being created


To block port 9004, create a Port Access Protection Rule:

WARNING: Exercise caution when deciding to block these ports. For testing, set the Access Protection rules to report only. If you find that the executables mentioned above are communicating over ports 80 or 443, you can change the rule to block and report.

NOTE: This malware has also been seen using ports 8002, 8000, 3128, 47221, 9904, 80, and 443. Create a separate user-defined Access Protection rule for each port. Blocking ports 80 and 443 is expected to cause communication issues in your environment.

Port Blocking Rule
  Rule name:                     Block Port 9004
  Processes to include:          *
  Processes to exclude:          <leave this field blank>
  Ports to block, starting port: 9004
  Ports to block, ending port:   9004
  Directions:                    Inbound - prevent systems on the network from accessing these local ports
                                 Outbound - prevent local processes from accessing these ports on the network
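While the port rules are still set to report only, the following script gives a host-side view of the same traffic: it parses netstat -ano for connections that use any of the ports listed above and names the owning process. It is an added example, not part of this article or of any McAfee product. The port list is the article's, ports 80 and 443 are deliberately left out, and the sample netstat rows are constructed, not captured from a real host. netstat -ano is used rather than Get-NetTCPConnection so that the check also works on Windows XP and Windows 7.

```powershell
# Added example (not from the McAfee article): report-only check for the C&C
# ports the article lists, to run while the port rules are still set to report.
# Parses netstat -ano so it also works on Windows XP/7, where
# Get-NetTCPConnection is not available. Ports 80/443 are left out on purpose.

$SuspectPorts = @(9004, 8002, 8000, 3128, 47221, 9904)

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # netstat -ano rows look like:
    #   TCP    10.0.0.5:49211    203.0.113.9:9004    ESTABLISHED    1234
    #   UDP    0.0.0.0:5355      *:*                                1100   (no state column)
    $f = $Line.Trim() -split '\s+'
    if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { return $null }   # header/blank lines
    if ($f[0] -eq 'TCP') {
        if ($f.Count -lt 5) { return $null }
        $state = $f[3]; $owner = $f[4]
    } else {
        if ($f.Count -lt 4) { return $null }
        $state = ''; $owner = $f[3]
    }
    if ($f[1] -notmatch ':\d+$') { return $null }
    # The port follows the last colon, for 1.2.3.4:443 and [::1]:443 alike;
    # a non-numeric remote port (the * in *:*) is reported as 0.
    $localPort = [int]($f[1].Substring($f[1].LastIndexOf(':') + 1))
    $remoteText = $f[2].Substring($f[2].LastIndexOf(':') + 1)
    $remotePort = 0
    if ($remoteText -match '^\d+$') { $remotePort = [int]$remoteText }
    New-Object PSObject -Property @{
        Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
        LocalPort = $localPort; RemotePort = $remotePort; ProcessId = [int]$owner
    }
}

function Find-SuspectConnections {
    param([string[]]$NetstatOutput = (netstat -ano), [int[]]$Ports = $SuspectPorts)
    # netstat only gives the PID; map PID -> process name once.
    $names = @{}
    Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
    foreach ($line in $NetstatOutput) {
        $c = ConvertFrom-NetstatLine $line
        if ($c -eq $null) { continue }
        $direction = $null
        if ($Ports -contains $c.RemotePort) { $direction = 'Outbound'; $port = $c.RemotePort }
        elseif ($Ports -contains $c.LocalPort) { $direction = 'Inbound'; $port = $c.LocalPort }
        if ($direction -eq $null) { continue }
        $name = '?'
        if ($names.ContainsKey($c.ProcessId)) { $name = $names[$c.ProcessId] }
        New-Object PSObject -Property @{
            Direction = $direction; Port = $port; Proto = $c.Proto
            Local = $c.Local; Remote = $c.Remote; State = $c.State
            ProcessId = $c.ProcessId; ProcessName = $name
        }
    }
}

# Constructed sample rows (not captured from a real host) showing the shape.
# Only the first row, an outbound connection to 9004, is reported; the 443 row
# is ignored because 80/443 are not in the list.
$sample = @(
    '  TCP    10.0.0.5:49211         203.0.113.9:9004       ESTABLISHED     1234',
    '  TCP    10.0.0.5:49212         198.51.100.7:443       ESTABLISHED     5678',
    '  UDP    0.0.0.0:5355           *:*                                    1100'
)
Find-SuspectConnections -NetstatOutput $sample | Format-Table Direction, Port, Proto, Remote, State, ProcessId, ProcessName -AutoSize

# Live check on the host:
# Find-SuspectConnections | Format-Table Direction, Port, Proto, Remote, State, ProcessId, ProcessName -AutoSize
```

A local-port match is reported as Inbound. On Windows XP, whose ephemeral ports start at 1025, an ordinary outbound connection can use 3128 as its local port, so confirm the direction from the State column (LISTENING versus ESTABLISHED) before acting on an inbound hit.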


To protect the Windows Update registry key, create a Registry Access Protection Rule:

Registry Blocking Rule
  Rule name:                         Protect noautoupdate
  Processes to include:
  Processes to exclude:              <leave this field blank>
  Registry key or value to protect:  HKLM (from the drop-down menu), then type:
                                     \Software\policies\Microsoft\Windows\WindowsUpdate\AutoUpdate
  Key or value:                      Key
  Registry actions to block:         Write to key or value
                                     Create key or value

To protect the Explorer Advanced registry key, create a Registry Access Protection Rule:

Registry Blocking Rule
  Rule name:                         protect superhidden
  Processes to include:
  Processes to exclude:              <leave this field blank>
  Registry key or value to protect:  HKCU (from the drop-down menu), then type:
                                     \Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Key or value:                      Key
  Registry actions to block:         Write to key or value
                                     Create key or value
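To check whether a host's Windows Update and hidden-file settings have already been changed before these two registry rules go in, the following script reads the values under both keys. It is an added example, not part of this article or of any McAfee product. It checks the WindowsUpdate\AutoUpdate path exactly as the article names it and, as an assumption, the standard Automatic Updates policy key WindowsUpdate\AU with its NoAutoUpdate value; the Explorer\Advanced value names Hidden and ShowSuperHidden, and what their settings mean, are standard Windows behaviour rather than something the article states.

```powershell
# Added example (not from the McAfee article): read the registry values under the
# two keys the article protects and report whether they are set the way the worm
# leaves them. Assumptions: the ...\WindowsUpdate\AutoUpdate path is the one the
# article names; ...\WindowsUpdate\AU with a NoAutoUpdate DWORD is the standard
# Automatic Updates policy location and is checked as well. Hidden=2 and
# ShowSuperHidden=0 are Explorer's "do not show" settings and also the Windows
# defaults, so on their own they are evidence only if they changed during the outbreak.

function Get-RegistryValueOrNull {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-WormRegistryState {
    # Each check: key, value name, the value the worm sets, what that value does.
    $checks = @(
        @('HKLM:\Software\policies\Microsoft\Windows\WindowsUpdate\AutoUpdate', 'NoAutoUpdate',    1, 'Windows Update disabled (path as named in the article)'),
        @('HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU',         'NoAutoUpdate',    1, 'Windows Update disabled (standard AU policy key)'),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced',  'Hidden',          2, 'Hidden files and folders not shown'),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced',  'ShowSuperHidden', 0, 'Protected operating system files not shown')
    )
    foreach ($c in $checks) {
        $key, $name, $wormValue, $effect = $c
        $current = Get-RegistryValueOrNull $key $name
        New-Object PSObject -Property @{
            Key        = $key
            Name       = $name
            Current    = $current
            KeyExists  = (Test-Path -LiteralPath $key)
            AsWormSets = ($current -ne $null -and "$current" -eq "$wormValue")
            Effect     = $effect
        }
    }
}

Get-WormRegistryState | Format-Table Name, Current, AsWormSets, KeyExists, Effect -AutoSize
```

HKCU is the hive of the account running the script; to audit other profiles on the same host, run the check as each user or load their NTUSER.DAT hives. A policy key that does not exist at all (KeyExists = False) is the normal state on an unmanaged host.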


IMPORTANT:

  • The following rules are very aggressive. Use them only to stop the infection from spreading in your environment.
  • McAfee recommends that you test these rules extensively. You might have to add exclusions so that genuine applications still function.

File/Folder Access Protection Rule
  Rule name:                     Block new exe in user account (aggressive - Windows 7)
  Processes to include:          *
  Processes to exclude:          Stinger.exe, scan*.exe, mcshield.exe
  File or folder name to block:  C:\Users\*\*.exe
  File actions to prevent:       New files being created


File/Folder Access Protection Rule
  Rule name:                     Block new exe in user profile (aggressive - Windows XP)
  Processes to include:          *
  Processes to exclude:          <leave this field blank>
  File or folder name to block:  C:\Documents and Settings\*\*.exe
  File actions to prevent:       New files being created
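Before turning on either aggressive rule, it helps to know which legitimate programs create .exe files under the user profiles, so that they can be excluded first. The following script lists .exe files created under the two profile roots in the last 14 days, grouped by folder, and prints each path in the wildcarded form an Access Protection block or exclusion path takes. It is an added example, not part of this article or of any McAfee product; the 14-day window is an arbitrary assumption, and the profile roots are the two paths from the rules above.

```powershell
# Added example (not from the McAfee article): list .exe files recently created
# under the profile roots the two aggressive rules cover, so that legitimate
# installers and updaters can be excluded before the rules are set to block.
# Assumptions: the roots are the article's two paths; 14 days is arbitrary.
# PowerShell 2.0 compatible (no Get-ChildItem -File).

function Get-RecentProfileExecutables {
    param([int]$Days = 14, [string[]]$Roots = @('C:\Users', 'C:\Documents and Settings'))
    $since = (Get-Date).AddDays(-$Days)
    foreach ($root in $Roots) {
        $root = $root.TrimEnd('\')
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # On Vista and later "Documents and Settings" is a junction to Users:
        # skip it rather than walk the same tree twice.
        $rootItem = Get-Item -LiteralPath $root -Force -ErrorAction SilentlyContinue
        if ($rootItem -eq $null) { continue }
        if (($rootItem.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq [IO.FileAttributes]::ReparsePoint) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.exe' -and $_.CreationTime -ge $since } |
            ForEach-Object {
                # Path relative to the root with the user name replaced by *, which
                # is the form an Access Protection block or exclusion path takes.
                $parts = $_.FullName.Substring($root.Length + 1) -split '\\'
                $user = $parts[0]
                $parts[0] = '*'
                New-Object PSObject -Property @{
                    User     = $user
                    RulePath = ($root + '\' + ($parts -join '\'))
                    Folder   = $_.DirectoryName
                    Name     = $_.Name
                    Created  = $_.CreationTime
                    Hidden   = (($_.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden)
                    Signed   = ((Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid')
                }
            }
    }
}

# One line per folder, busiest first: unsigned or hidden executables in Temp-like
# folders are what the rule is meant to stop; signed ones from a vendor updater
# are what the exclusion list needs.
Get-RecentProfileExecutables -Days 14 |
    Group-Object Folder |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Example';   e = { $_.Group[0].Name } },
        @{ n = 'AllSigned'; e = { @($_.Group | Where-Object { -not $_.Signed }).Count -eq 0 } },
        @{ n = 'AnyHidden'; e = { @($_.Group | Where-Object { $_.Hidden }).Count -gt 0 } } |
    Format-Table -AutoSize
```

Folders with AllSigned = True and a recognisable vendor name are candidates for a narrower exclusion (use the RulePath value of one of their files); folders with AnyHidden = True or unsigned files in a Temp directory are the ones the rule should keep blocking.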


Create a rule in McAfee Security for Microsoft Exchange (MSME) to block the malicious attachment
In many cases, the Autorun worm is delivered as an email attachment. Create and apply the following file filter rule in MSME to help block the email from being delivered:

  1. From Policy Manager, click On-Access, then click Master Policy.
  2. In the Master Policy section click File Filter.
  3. Under File Filter rules and associated actions, select Create new Rule from the drop-down menu.
  4. Type a name for the new rule (example: .pdf.exe).
  5. Check the box under File name filtering.
  6. Under Take action when the file name matches:, type *.pdf.exe, then click Add.
  7. Click Save to return to the View Settings section of the File Filtering dialog.
  8. Click the Change link beside the new rule and associate actions.
  9. Change the action in the drop-down menu to Delete Message.
  10. Under And also:, select Quarantine so that any messages caught by this rule can be released later.
  11. Click Save to return to the View Settings section.
  12. Ensure that the Enable option is checked under the Activation section for File Filtering to be active.
  13. Click Apply.
For detailed information on configuring Host Intrusion Prevention (Host IPS) to block Autorun.worm (pdf.exe), see KB76929.

For detailed information on configuring EWS and MEG to block Autorun.worm (pdf.exe), see KB76926.

© 2003-2013 McAfee, Inc.