A few days ago in computer science we sat down at our computers and suddenly everyone who plugged in a flash drive got a notification from the antivirus software on the computers that our flash drives had a suspicious file E:\autorun.inf which "contains" the "MAL_OTORUN" worm. Of course, everyone was confused as, first of all, most of our flash drives never had an autorun.inf and just started simply from the standard interface. The antivirus program removed this file without further explanation (or any prompt) but the file kept coming back. After about half an hour, someone decided to unhide protected operating system files and found E:\System\DriveGuard\DriveProtect.exe installed on those suspect flash drives.
Someone else decided why not just delete it. Needless to say it came back almost immediately. Those more savvy of us went into Task Manager and found DriveProtect.exe running as a process (even when the flash drive was not plugged in). Some hunting around led us to C:\Program Files\WinDriveProtect\DriveProtect.exe (or something to that effect). We terminated this process and deleted the folder, then deleted the folder from the flash drive and restarted the computers. The problem was removed for the time being. Some students used ComboFix to get rid of the virus files and this seemed also to be a viable solution (and probably more complete because of the nature of the tool). The problem took two days to control because those infected were unwittingly bringing the virus back to the computer when they plugged in their infected flash drives. The program apparently installs itself via the autorun.inf on the flash drive and replicates onto flash drives via the running process DriveProtect.exe.
The virus has apparently spread to the library computers where much less computer-savvy users are likely getting infected. The question here is not so much whether there was an infection, but more the following:
- How can we remove the infection from the school computers without having to go through an act of congress with administration?
- How can we protect our flash drives from this drive-by install?
- How can we protect our own or other computers in the school from getting (re)infected?
- What does this virus/worm do (if anyone has any specific information) because all it seems to do for now is to replicate, but I highly doubt that's all it does.
Additionally, it should be noted that on infected machines the registry contains a key at:
which contains values referencing the executable on the E drive (or other flash drive letter as applicable), like the following:
AutoRun\command- System\DriveGuard\DriveProtect.exe -run
Explore\Command- System\DriveGuard\DriveProtect.exe -run
Open\Command- System\DriveGuard\DriveProtect.exe -run
Copied from: "Malware Infection [...]" in HJT Logs...
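A triage script for the situation described above, added here as an example and not part of the original post. It assumes the on-drive path the post gives (System\DriveGuard\DriveProtect.exe) and, since the post does not name the registry key, assumes the per-user MountPoints2 key, which is where per-volume shell\...\command values of that shape are stored.

```powershell
# Added triage script (not from the original post). Assumptions: the dropper's
# on-drive path is the one the post reports; the unnamed registry key is assumed
# to be the per-user MountPoints2 key that holds per-volume shell\*\command values.
$SuspectRelPath = 'System\DriveGuard\DriveProtect.exe'

function Get-AutorunCommands {
    # Parse an autorun.inf and return the entries Explorer/AutoPlay would act on:
    # open=, shellexecute=, and shell\<verb>\command= lines.
    param([string]$Path)
    $hits = @()
    foreach ($line in Get-Content -Path $Path -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^=]*?\\command)\s*=\s*(.+)$') {
            $hits += [pscustomobject]@{ Key = $matches[1]; Command = $matches[2].Trim() }
        }
    }
    return $hits
}

# 1. Removable volumes (DriveType 2): autorun.inf and the hidden dropper path.
#    Test-Path sees hidden/system files, so no -Force is needed here.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = "$($_.DeviceID)\"
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Output "[$root] autorun.inf present"
        Get-AutorunCommands -Path $inf | ForEach-Object { Write-Output "    $($_.Key) = $($_.Command)" }
    }
    if (Test-Path -LiteralPath (Join-Path $root $SuspectRelPath)) {
        Write-Output "[$root] dropper found at $SuspectRelPath"
    }
}

# 2. Per-volume shell commands (AutoRun\command, Explore\Command, Open\Command)
#    whose default value points at the dropper, as in the values the post lists.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp2 -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'command' } | ForEach-Object {
        $cmd = $_.GetValue('')
        if ($cmd -and $cmd -like '*DriveProtect.exe*') { Write-Output "$($_.Name) -> $cmd" }
    }

# 3. Running copies of the process (the post notes it persists after the drive is removed).
Get-Process -Name DriveProtect -ErrorAction SilentlyContinue | Select-Object Id, Path
```

Run it from an elevated PowerShell on a machine with the suspect drive attached; anything it prints is a lead to clean up, and a quiet run on a freshly reimaged machine is the baseline to compare against.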