On WinXP school network: DriveProtect.exe (virus? worm?)



#1 DemiReticent


Posted 22 October 2008 - 10:19 PM

I cannot provide specific information about the software installed on the computers as I am posting from home and this site is blocked by the district's site filter.

A few days ago in computer science we sit down at our computers and suddenly everyone who plugs in a flash drive gets a notification from the antivirus software on the computers that our flash drives have a suspicious file E:\autorun.inf which "contains" the "MAL_OTORUN" worm. Of course, everyone is confused as, first of all, most of our flash drives never had an autorun.inf and just started simply from the standard interface. The antivirus program removed this file without further explanation (or any prompt) but the file kept coming back. After about half an hour, someone decided to unhide protected operating system files and found E:\System\DriveGuard\DriveProtect.exe installed on those suspect flash drives.

Someone else decided why not just delete it. Needless to say it came back almost immediately. The more savvy of us went into task manager and found DriveProtect.exe running as a process (even when the flash drive was not installed). Some hunting around led us to C:\Program Files\WinDriveProtect\DriveProtect.exe (or something to that effect). We terminated this process and deleted the folder, then deleted the folder from the flash drive and restarted the computers. The problem was removed for the time being. Some students used combofix to get rid of the virus files and this seemed also to be a viable solution (and probably more complete because of the nature of the tool). The problem took two days to control because those infected were unwittingly bringing the virus back to the computer when they plugged in their infected flash drives. The program apparently installs itself via the autorun.inf on the flash drive and replicates onto flash drives via the running process DriveProtect.exe.

The virus has apparently spread to the library computers where much less computer-savvy users are likely getting infected. The question here is not so much whether there was an infection, but more the following:

- How can we remove the infection from the school computers without having to go through an act of congress with administration?
- How can we protect our flash drives from this drive-by install?
- How can we protect our own or other computers in the school from getting (re)infected?
- What does this virus/worm do (if anyone has any specific information) because all it seems to do for now is to replicate, but I highly doubt that's all it does.

Additionally, it should be noted that on infected machines the registry contains a key at:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
which contains values referencing the executable on the E drive (or other flash drive letter as applicable), like the following:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2dd611c-0b40-11dc-bf14-0019d1772ee2}]
AutoRun\command- System\DriveGuard\DriveProtect.exe -run
Explore\Command- System\DriveGuard\DriveProtect.exe -run
Open\Command- System\DriveGuard\DriveProtect.exe -run

Copied from: "Malware Infection [...]" in HJT Logs...

Any help would be greatly appreciated.

-DemiReticent
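An added example, not posted in this thread and not a tool from the school or from BleepingComputer: a PowerShell audit that checks a Windows machine and any attached flash drives for the indicators DemiReticent lists (the DriveProtect.exe process, the E:\System\DriveGuard\DriveProtect.exe copy, the autorun.inf, and the MountPoints2 shell verbs), then optionally applies the standard NoDriveTypeAutoRun policy so Windows stops honouring autorun.inf on removable drives. The Program Files path and the NoDriveTypeAutoRun hardening are assumptions; the post only gives the path "or something to that effect" and does not mention the policy value.

```powershell
# Added example (not from the thread). Run as the logged-on user on a suspect
# machine; add -Harden to disable AutoRun for all drive types afterwards.
param([switch]$Harden)

$findings = @()

# 1. The process named in the post, if it is currently running.
Get-Process -Name 'DriveProtect' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: PID $($_.Id) $($_.Path)"
}

# 2. The dropped copy under Program Files (folder name assumed from the post).
$programFilesCopy = Join-Path $env:ProgramFiles 'WinDriveProtect\DriveProtect.exe'
if (Test-Path $programFilesCopy) { $findings += "Installed copy: $programFilesCopy" }

# 3. Every removable drive (DriveType 2): autorun.inf plus the hidden payload folder.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path $inf) {
        $findings += "autorun.inf present on $root"
        # Report only the lines that tell Windows what to launch.
        Get-Content $inf -Force |
            Where-Object { $_ -match '^(open|shellexecute|shell\\\w+\\command)\s*=' } |
            ForEach-Object { $findings += "    $_" }
    }
    $payload = Join-Path $root 'System\DriveGuard\DriveProtect.exe'
    if (Test-Path $payload) { $findings += "Hidden payload: $payload" }
}

# 4. MountPoints2: per-volume AutoRun/Explore/Open verbs pointing at the worm.
#    These persist after the drive is unplugged, which is why the key matters.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem $mp2 -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames()) {
        $val = $key.GetValue($name)
        if ($val -is [string] -and $val -match 'DriveProtect\.exe') {
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $findings += "MountPoints2 verb: $($key.Name) [$label] = $val"
        }
    }
}

if ($findings.Count -eq 0) { 'No DriveProtect indicators found.' } else { $findings }

# 5. Hardening (assumption, not from the post): NoDriveTypeAutoRun = 0xFF
#    disables AutoRun for every drive type, so a planted autorun.inf is not
#    executed when a flash drive is inserted.
if ($Harden) {
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item $policy -Force | Out-Null }
    Set-ItemProperty $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    'AutoRun disabled for all drive types (takes effect at next logon).'
}
```

The script only reports; it does not delete anything, so it can be run on the library machines to confirm which ones carry the MountPoints2 verbs before anyone asks administration for a cleanup. Setting the policy under HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER covers every account on the machine but needs administrator rights.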


#2 garmanma


Posted 23 October 2008 - 03:50 PM

Per forum rules:

No subject matter will be allowed whose purpose is to defeat existing copyright or security measures. If a user persists and/or the activity is obviously illegal the staff reserves the right to remove such content and/or ban the user. This would also mean encouraging the use or continued use of pirated software is not permitted, and subject to the same consequences.

This includes your school. You must contact their IT department.

Thread Closed
Mark

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter