Prevent IFS Worms from Making Off with Your Critical Data

IBM i, Linux, AIX
March 9, 2017


Throughout the day, we all receive hundreds, if not thousands, of emails in our Inbox from various sources—including co-workers, customers, vendors, and more. We rely on our corporate mail server and our local PC virus scanning to protect us from threats that may be hiding in those emails. Our mail admins remind us time and again to avoid opening unsolicited attachments or clicking on links from unknown persons. Data is constantly flowing through web browsers, FTP servers, shared network drives, removable media, and many other avenues. Knowing that these are all paths to infection, we scan and secure them as well. But what about your IBM i?

In recent months, we have seen a rash of virus infections that have had a frustrating impact on the IFS for many customers. W32/autorun.worm.aaeh is a worm that spreads by making copies of itself on removable drives and mounted network shares (i.e. your mapped drive to the IFS) and embeds copies of itself in ZIP and RAR files. It will hide the directories on removable drives and replace those directories with copies of itself—using the same filename as the hidden directory—so that when a user opens the mapped drive, it looks like their folder; but it is really the virus. It also checks for certain file types, changes the attributes to hidden, and creates a copy of itself with the same filename as the hidden file. The result? When you try to access your file, you are instead launching the virus. And this is just on your IBM i. The issues caused on PCs run even deeper.

The clean-up process ties up massive man-hours and involves using WRKLNK to find the affected directories and remove the bad files, as well as running CHGATR command to change the attributes of all the hidden files back to their correct state. Along the way you must try to prevent users from launching copies of the worm again and undoing the cleanup already done. The good news is that the damage from this virus is superficial, if not annoying. The next one could be more like the MyDoom virus that deleted files from any mapped drive it found.

Can this be prevented? Yes, the spread and damage of a virus can be prevented with a combination of strategies. First, limit who has the ability to map a drive to your system. For those who do need this ability, limit what functions they are allowed to perform through that mapped drive. A virus launched on a PC has all of the authority of the User who launched it, so if you have someone with SECADM mapping a drive that connects automatically, you have the potential for big problems.

Second, implement a native anti-virus software package on your IBM i to scan your directories for viruses. Powertech Antivirus for IBM i allows you to take advantage of the IBM-supported on-access scanning to prevent the virus from spreading. On-access scanning is done in real-time as the file is accessed through the File Server and any file found to be infected is stopped dead in its tracks. It also allows you to scan your full system on a regularly scheduled basis to look for files that enter through the many other means available such as FTP, optical drives, backups and other.

You never know what is hiding on your system until you scan it. And with regulatory standards such as PCI-DSS requiring the deployment of anti-virus software, you’ll not only be cutting off threats such as W32/autorun.worm.aaeh at the pass, but also ensuring that your organization is fully prepared for reporting and audits.

Get Started

Insulate your business against the devastating impact of a security breach with virus protection software that can detect and remove malicious code with Powertech Antivirus. 

Stay up to date on what matters.