MBA should have protection for autorun.inf in USB drives

[memoemc2]

Gooday mates:

Yesterday a mate called my and told me his laptop was infected.

His laptop had MBA full installed (real time protection) because I told him about it (it was my advise); his daughter connected a USB drive and it got infected; after that was chaos.

The pearl that infected my friend's machine was:

Worm:Win32/Vobfus.F

and the thing that amazed me was that MBA could not detect it, stop it and therefore clean/remove it !!!!

To me MBA is the best so please guys work about it, I'm a little bit disappointed

Thank you,

Memo

[Falkra]

Hello memoemc2,

Win32/Vobfus.F looks like antivirus naming, was this detection a message from antivirus software ?

It is possible that the antivirus was the first to identify and lock the file, therefore MBAM could not access it.

If you think MBAM missed some files and you still have them, you can upload the malicious samples here, they will be checked.

[Ibrad]

Win32/Vobfus.F looks like Microsoft Security Essentials Naming.

No program can detect 100% of malware. We try our best to keep up with malware writers but they release thousands of different types of malware daily.

[memoemc2]

hello Falkra:

You are right about your appreciation; and it happened like that:

1-My friend's daughter connected a USB drive to his laptop.

2-My friend's laptop got infected; it has Win XP SP3

3-His laptop had MBA full installed thus with real time protection and updated.

4-I tried to install MSS essentials and the malware didn't leave me do it; at this point almost nothing was working.

5-I restored his machine to a earlier date.

6-I successfully installed MSS essentials.

7-I made full scan and it found th worm named above. these were removed.

8-I connected the infected USB drive and MSS essentials identified and removed the same malware without problems.

9-I set a new restore point and I deleted all restored points stored.

10-the machine is clean

Then my friend was so pissed that he uninstalled MBA and leave MSS essentials; he even canceled a BBQ that we have planned.... bahhhhh

So, I trust more in MBA but what happened there??

Thank you.

PS

the worm info is in this link:

http://www.microsoft.com/security/portal/T...tID=-2147338704

[Falkra]

Win32/Vobfus.F looks like Microsoft Security Essentials Naming.

Well yes, but not only, there are other vendors that are using the same naming pattern and keyword for this one :

https://www.virustotal.com/analisis/1d4f353...dbeb-1263318306

Looks like MBAM knows this one :

http://www.malwarebytes.org/malwarenet.php?name=Worm.Vobfus

[Ibrad]

Every antimalware program will miss some threats. I see no reason why he should have uninstalled Malwarebytes. Malwarebytes is not an antivirus like MSE but Malwarebytes work next to your antivirus as another layer.

[Firefox]

It would be good if MBAM would scan those autorun.inf files before allowing the malware to install any malware from usb and cd drivers.....

[Porthos]

It would be good if MBAM would scan those autorun.inf files before allowing the malware to install any malware from usb and cd drivers.....

Autorun should have been disabled already.

[Firefox]

@ Porthos, yes I understand that, thank you, I use a flash drive that is write protected so I don't really have this problem, but it would be a nice feature for the unsuspecting users...

[Falkra]

By default, the resident module will scan files that want to be executed, and heuristics would do the rest, didn't they ?

[Blaze]

Another option is using Panda USB vaccine. It will disable autorun on your computer, so you won't get infected when inserting a USB drive or similar.

Afterwards you can do a scan on the USB drive with your Antivirus-protection & MBAM .

Information: Panda USB Vaccine information

Download: Download Panda USB Vaccine