USB autorun infections


9 replies to this topic

#1 FrankOtheMountaiN


Posted 29 January 2011 - 11:49 PM

Howdy,
I am an audio visual tech, and I use many different laptops on any given day.
Call me crazy, but I do not use any virus protection by choice. I image the computers, and if things get really bad, I just go back to that.
I can't have messages and updates popping up all of the time, or anything doing things on their own in the background when I'm
streaming video or recording audio.

So, I am able to stay out of trouble most of the time, but the only wild hair is client USB sticks that are infected
with autorun malware. I always keep all hidden files showing so I can see when there are autorun.ini's and hidden bomb folders.
I disabled autorun on all laptops, but once in awhile, somehow, I still pick up a virus.

Microsoft put out patches for this sort of thing, and I applied them, but they don't seem to work on all of the infections.

My question is, do you know of any software that can scan/detect and remove these types of infections from any USB drive upon insertion?
Without being overly invasive to the whole system?

Thanks, Frank

Frank O' The Mountain
Doing more stupid before 5AM than most people do all day.




#2 Beenthere


Posted 29 January 2011 - 11:56 PM

flash disinfector by subs

#3 FrankOtheMountaiN


Posted 30 January 2011 - 12:10 AM

Well that kinda looks like a tool to run after you are infected. I'm looking for a program that will scan the usb drive before it autoruns.

I just make an empty autorun.ini file that is read only on my usb drives, but that won't work on the rest of the world's incoming usb drives.



#4 quietman7

  • Global Moderator

Posted 30 January 2011 - 12:16 AM

For most novice users, the easiest way to inoculate a USB flash drive is to create a Read-only folder on the drive and name it autorun.inf. This folder will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and executing malicious files as described in How to Maximize the Protection of your Removable Drives.

Another option for XP users is Flash_Disinfector by sUBs which will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. Do not delete this folder as it helps to prevent the installation of a malicious autorun.ini file on the root drive and executing other malicious files which can infect the computer. For more information about this tool, please read this explanation by Papakid.

Some USB flash drives have a "write protect" read-only switch integrated on the side or on the back for preventing the content from being erased or overwritten. If you're not familiar with this feature, see Looking for a USB Flash Drive with Read Only or Write Protect Switch. However, even with such a device you still need to be careful when using public computers as explained here.

If your USB drive does not have such a read-only switch, there are alternatives and third-party utilities which can provide this type of protection.

IMPORTANT NOTE: DSi USB Write-Blocker advises USB devices you wish to write-block must be disconnected from the computer before the write block is enabled.

You can download and use Autorun Eater or Autorun USB Virus Finder which will allow removal of any suspicious 'autorun.inf' files they find. Panda USB Vaccine allows for computer and USB vaccination.
  • Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not.
  • USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

Always scan USB flash drives after they have been used with other computers and never connect them to an untrusted computer or one without an anti-virus. In fact, you can install USBVirusScan, a freeware tool that triggers your anti-virus to scan a USB drive each time it is inserted in your computer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
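
The read-only autorun.inf folder and the autorun.inf checks described in the post above, sketched as an added example that is not part of the thread or of any tool named in it. It reads the root of a drive without executing anything and reports whether autorun.inf is absent, is the folder placeholder, or is a file whose `[autorun]` section names a program to start; the function names and the sample file are constructed for illustration.

```python
import sys
from pathlib import Path

# Constructed sample autorun.inf, not taken from a real drive.
SAMPLE_INF = (
    "[AutoRun]\r\n"
    "; constructed sample\r\n"
    "icon=folder.ico\r\n"
    "open=RECYCLER\\setup.exe\r\n"
    "shell\\open\\command=RECYCLER\\setup.exe\r\n"
)

def launch_entries(text):
    """Return (key, command) pairs in [autorun] that would start a program."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # open=, shellexecute= and shell\<verb>\command= all name a command.
            if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")
            ):
                found.append((key, value))
    return found

def decode_inf(data):
    """Handle both single-byte text and UTF-16 with a byte-order mark."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")

def triage_root(root):
    """Classify the autorun.inf entry in a drive root; nothing is executed."""
    hits = [p for p in Path(root).iterdir() if p.name.lower() == "autorun.inf"]
    if not hits:
        return {"status": "absent", "entries": []}
    if hits[0].is_dir():  # the folder placeholder described in the post above
        return {"status": "folder-placeholder", "entries": []}
    entries = launch_entries(decode_inf(hits[0].read_bytes()))
    status = "launches-program" if entries else "no-launch-keys"
    return {"status": status, "entries": entries}

if __name__ == "__main__":
    for drive_root in sys.argv[1:]:  # pass one or more drive roots
        print(drive_root, triage_root(drive_root))
```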


#5 FrankOtheMountaiN


Posted 30 January 2011 - 12:24 AM

Thanks for the info!



#6 quietman7


Posted 30 January 2011 - 12:41 AM

You're welcome Frank.

I provided more than what you specifically asked for as other members read these topics and some of it may be helpful to those with similar questions.

#7 Didier Stevens

  • BC Advisor

Posted 30 January 2011 - 03:56 AM

My question is, do you know of any software that can scan/detect and remove these types of infections from any USB drive upon insertion?
Without being overly invasive to the whole system?


I've written a free, open-source tool that prevents the execution of programs on USB sticks. How good are you at installing and configuring your own machine, because my tool comes without a setup program (that's by design)?

And I've another free, open-source tool that will launch an AV scanner on each inserted USB stick. You need to install a command-line AV scanner for this. Such a command-line AV scanner won't do anything in the background, because it does not install any drivers or services.

What's on the client USB sticks you receive? I assume it's only media files?

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 FrankOtheMountaiN


Posted 30 January 2011 - 10:13 AM

It might take me awhile to figure it out, but I'll try it. I glazed over a little with the instructions, but I was tired. I will try it. Will it work with malware bytes? If not what do you suggest?
I'm a persistent guy, and that's how I learned all that I know about PCs (by not giving up!) Thank you for your help.

Mostly PowerPoint and Word files on their sticks, but sometimes their whole life is on there too, along with the hidden autorun.inf and bomb folder.



#9 Didier Stevens


Posted 30 January 2011 - 11:29 AM

Will it work with malware bytes?


It should, but I believe you need to buy a Malware Bytes license to use the command-line parameters. USBVirusScan starts the AV via CLI.



#10 chromebuster


Posted 05 February 2011 - 09:57 PM

Hi folks,
Please correct me if I'm wrong, but don't all AV scanners have parameters that allow users to invoke them from CLI?

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge




