It wasn't an autorun. One that I have solid details on was a teacher's machine. She had it on her machine and the tech forgot to check her flash drives when he imaged her machine. An hour later her machine is back on my radar for locking out a hundred user accounts. So I called her room and asked her and she said yes, she had copied her favorites to her thumb drive and then transferred them back...
Autorun is very much turned off here and no one in her building is a local admin or power user. Hers was the only machine in that building that got it. We got it in several buildings at the same time, which was very interesting. I still have no idea what the original attack vector was. There were no outside vendors or laptops in that day. That's all I know, man. I REALLY wish I knew more because while I am out of the woods on the immediate damage, I am certain I am still wide open to getting it again.

> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Friday, March 20, 2009 2:51 PM
> To: NT System Admin Issues
> Subject: Re: April 1st Conflicker Version C to erupt
>
> On Fri, Mar 20, 2009 at 1:35 PM, Glen Johnson <[email protected]> wrote:
> > I can definitely confirm that a patched machine can get infected from an
> > infected flash drive.
>
> Any details on this? Is it the AUTORUN.INF thing, where simply
> loading a USB drive causes Windows to go and run whatever the drive
> says to? Or did the user manually double-click the Trojan horse
> executable file on the drive? Or something else?
>
> Was it able to bypass anti-virus software and/or escalate its
> privileges?
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
