This is how we found and removed the W32/VBNA-X worm, or sexy, x.mpeg, porn worm
Info on the worm: http://www.net-security.org/malware_news.php?id=2340
Clean up step 1: change GPO to disable autorun on all drives
find local dns servers or where gpo policies are pushed out from on the network
log in to the dns server
start up group policy editor
start
command line
type in gpedit.msc
Change GPO
Local Computer Policy
Computer Configuration
Administrative Templates
Windows Components
AutoPlay Policies
Turn off Autoplay
Double click on Turn off Autoplay
enable GPO
and turn off for All drives
Click Apply
Click OK
next you need to download a virus scanner that will help out; we used the Emsisoft Emergency Kit
once you have the zip file and have unzipped it, you can move the directory to each server that you want to scan so you do not have to download it each time
go to
http://www.emsisoft.com/en/software/eek/ and download the Emsisoft Emergency Kit for free
once you have the zip file
unzip the zip file
open the unzipped Emsisoft Emergency Kit directory
double click start.exe
Click on Emergency Kit Scanner
sometimes it takes a little while to open; that is ok, just wait
Click on Update now to get the latest signatures
Once all updated
click on scan pc on left hand side of screen
Click on deep scan
Click on scan
this will take a while so let it go on the server
the .exe worm/malware/virus variant has these files
..exe
tskoe.exe
autorun.inf
x.mpeg
porn.exe
sexy.exe
secret.exe
the worm changed all files and directories to [file].exe
The files are not gone, don't worry; they are just hidden
Log on to the servers where network shares are located; this will need to be done on all servers
start up a command window
The following command displays all hidden files in the current directory
type
dir /ah
if anything appears other than, for example, system folders, then you are still infected
The following command will unhide all files and directories
this sometimes takes a while so let it go
also you might get errors that it cannot do system files; that is ok
The command clears the system attribute, clears the hidden attribute,
includes all sub-directories, and applies the command to directories also
type
attrib *.* -h -s /s /d
now what we did was move the exe files to another directory, just in case
there were actual exe files that people wanted
The following command creates a directory called exe
type
mkdir exe
the following command moves all .exe files in the current directory to the new exe directory
move *.exe .\exe
this will hide the exe directory so only you guys can see it and pull back what is needed
attrib +h exe
If you know that all these files are corrupt then delete them
this will take some time
on each server do a search for
autorun.inf
you can open an inf file in notepad
now open each autorun.inf and see if it is an actual autorun.inf
or if the contents do not look correct then close notepad and delete the autorun.inf file
also on each server do a search for
x.mpeg
we found these and just deleted them
also on each server do a search for
secret.exe
we found these and just deleted them
also on each server do a search for
porn.exe
we found these and just deleted them
also on each server do a search for
sexy.exe
we found these and just deleted them
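The per-server searches and the dir /ah check above, combined into one read-only PowerShell audit (an added example, not part of the original write-up). It also flags hidden items that have a [file].exe sitting next to them; the $Root parameter and the exact decoy naming are assumptions.

```powershell
# Added example, not from the original write-up. Read-only: it reports, never deletes.
param(
    [string]$Root = '.'   # assumption: path of the share or drive to audit
)

# File names the write-up lists for this worm variant.
$wormNames = '..exe', 'tskoe.exe', 'autorun.inf', 'x.mpeg', 'porn.exe', 'sexy.exe', 'secret.exe'

# -Force makes Get-ChildItem return hidden and system items too.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

$findings = foreach ($item in $items) {
    # 1. Files whose name matches the list (-contains is case-insensitive).
    if (-not $item.PSIsContainer -and $wormNames -contains $item.Name) {
        $detail = ''
        if ($item.Name -eq 'autorun.inf') {
            # Pull out the launch lines so a real autorun.inf can be told
            # apart from a dropped one without opening each file by hand.
            $lines  = try { [IO.File]::ReadAllLines($item.FullName) } catch { @() }
            $detail = ($lines | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
        }
        [pscustomobject]@{ Check = 'known name'; Path = $item.FullName; Detail = $detail }
    }

    # 2. A hidden file or directory with a "<name>.exe" beside it, the
    #    "[file].exe" pattern described above. Assumption: the decoy is
    #    the full original name plus ".exe".
    if ($item.Attributes -band [IO.FileAttributes]::Hidden) {
        $decoy = Join-Path ([IO.Path]::GetDirectoryName($item.FullName)) ($item.Name + '.exe')
        if (Test-Path -LiteralPath $decoy -PathType Leaf) {
            [pscustomobject]@{ Check = 'hidden + decoy'; Path = $item.FullName; Detail = $decoy }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No worm file names or hidden/decoy pairs found under $Root"
}
```

Running it before and after the attrib clean-up on each share shows whether hidden originals and their .exe stand-ins are still present.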
also don't forget to make a log someplace that you have shut off autorun on all drives, for later, because someone might complain that their CD or DVD or usb just does not start up anymore; they have to go and click on the files manually
If possible try to find computer 0
so you can ask them for their usb and also to check their home computer