Autorun viruses go rampant - pen drive infections!

Hi malware fighters,

We see a lot of autorun infections here in the virus and worms. The source of infection can be Internet cafes, e.g. in Cambodia, Malaysia etc. Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

What to do next is being summed up in these links:

http://aumha.net/viewtopic.php?p=161909

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t132923.html

polonus

Polonus,
The first link is a bit old.
I also notice that the person giving all the advice apparently didn’t read the information posted by the person asking the question ???

Hi bob3160,

The link may be somewhat older, but the tools used are still being used today, and are regularly being updated to meet the situation at hand. Well, the second link sums up all the appropriate actions to take and tools to use in case of such an infection. How the malware helper is relating to the questions at hand is beyond my scope; it could well be that he handles first things first, and the thing at hand was the autoruns infector.
My reason for putting this posting here is a general heads up, because we get a lot of questions for help in the “virus and worms” from users having these problems,

polonus

This may be a silly question…but if autorun is disabled how do I access the USB or external hard drive? Do I just go to My Computer and find it there instead of having a window pop up and ask me what to do with what I just plugged in? I would like to protect myself against these types of viruses since I have to constantly move material between one computer and another.

Thanks for your patience

That’s correct, the CD drive/USB flash etc. is still visible through My Computer, it’s just the autorun feature that is disabled. Be careful when using Tweak UI that you select to disable autorun (Tweak UI > My computer > autoplay > drives and types) and not the actual drives themselves (Tweak UI > My computer > Drives), as the latter will completely disable the drive. Also, the drive letter of a removable drive may change, depending on how many things you plug in or remove.

Hi malware fighters,

Rather interesting info can be found here about pen drive viruses:
http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html

polonus

Well, it’s easy to disable the autorun function. But what should I do? ???

I use my pen-drive not (mainly) as a storage device but as a portable office (http://portableapps.com/). It must run automatically.

Hi George Yves,

You get an answer here: http://blog.didierstevens.com/programs/usbvirusscan/
Here is a video instruction: http://www.youtube.com/watch?v=D-F7H9OJ1yg
Also have DrWebCureIt installed on your pen drive:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Keep the latest version on it by overwriting any previous version, it will do an automatic boot and memory scan before it starts,

polonus

Thanks for your reply, polonus.

As for USBVirusScan I can only advise its author to make a GUI and integrate his software with PortableApps (it’s too complicated for not-advanced users now :-\ )

As for DrWeb-CureIt: it’s my “must-have” :)

Hi malware fighters,

Malware that spreads through the Autorun function of Windows accounted for 10% of all infections last month. Especially USB sticks, digital photo frames, and MP3 players had these attack vectors. “Portable media last year became a substantial threat,” according to ESET’s researcher Paul Brook.

“The overall use of portable media makes that the autorun function is the most popular item for miscreants. Only two solutions remain: completely uninstall the function or using a pro-active scanner,” states SpicyLemon’s Nienke Ryan.

Next to the technical simplicity of USB malware there is another cause. “Users were being told over and over again that e-mail was the main source of infections, making that old threats like floppies and diskettes were no longer remembered. That is why standard desktop security is of less importance for home users.” This is remarkable because USB malware is not mentioned where Kaspersky, Sophos and Fortinet are concerned,

polonus