SANS ISC: McAfee releases extraDAT for W32/Autorun.worm.aaeb-h SANS ISC InfoSec Forums

McAfee releases extraDAT for W32/Autorun.worm.aaeb-h

McAfee released an extra DAT this morning (https://kc.mcafee.com/corporate/index?page=content&id=KB76807) for W32/Autorun.worm.aaeb-h.

We've received a few emails relating to this, mainly because the formatting on some of the emails wasn't quite what people were expecting.  As far as I can tell it is legit.  I haven't found any evilness in the PDF linked to from the KB (at least there wasn't anything to find when I checked).

The KB also has an updated stinger file to remove the worm from the machine. 

If you have the issue at the moment you may want to apply the DAT, but otherwise you may wish to wait until it rolls out as part of the normal update cycle. In the meantime have a read of the KB and associated info and that will give you some info on determining if you have the issue in your network.

If you have been infected the malware guys and gals always enjoy plucking things apart so upload it via the contact form (zip file with a password of infected please).

Mark

Mark

391 Posts
ISC Handler
This sounds similar to the Win32/Changeup virus that Symantec updated their dat files for yesterday morning. And from what I hear, BHP was hit by this pretty hard.
Anonymous
Is there a virustotal link that we can have a look at, please?

Ta
Anonymous
I agree with Jeretmy. Win32.Changeup!gen32 was the first thought that came to mind. Across the board, I'm not seeing much information on this variant.
Ron

29 Posts
Symantec has confirmed W32/Autorun.worm.aaeb-h is what they are calling W32.changeup. Reference -- http://www.symantec.com/connect/forums/w32autorunwormaaeb-h#comment-8023911
Ron

29 Posts
- https://kc.mcafee.com/corporate/index?page=content&id=KB76807
Last Modified: November 30, 2012
.
Jack

160 Posts
