
A USB infection... Maybe?


9 replies to this topic

#1 VicVegas


Posted 06 February 2011 - 07:29 PM

I just recently re-installed the OS on one of my brother's computers after a serious infection. Seems 100% clean by all my tests. But when I inserted his old USB drive Avira halted an autorun file from running, which is strange because I already had Microsoft disable autorun for me.

I then proceeded to have Eset, Malwarebytes, Super Anti-Spyware and even Avira scan the drive to no results. After that I checked the drive and found the autorun file, but it wasn't hidden and the date of creation appears to be back in 2007 which is older than when the laptop was purchased.

Am I missing something, or are there good autorun files that Avira also blocks? :huh:



#2 VicVegas


Posted 09 February 2011 - 08:44 PM

Ugh, it's been a couple of days so I feel the need to bump now, even if I'm not supposed to.

Look, it's just a simple question. Yes or No?

#3 Budapest


Posted 09 February 2011 - 08:50 PM

I don't use Avira but from what I have read you can change Avira's setting to block all autorun files. So this would mean that it will block good ones as well as bad ones. You need to check your Avira settings.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 quietman7


Posted 10 February 2011 - 09:45 AM

Autorun is the feature (functionality) built into Windows that enables a CD-ROM drive or a fixed drive to specify a program to be started immediately upon the connection of the drive. Autorun will automatically run a program specified by the file autorun.inf whenever a CD-ROM or DVD is plugged into a Windows-based computer. Autorun is intended as a convenience to automatically start an installer when removable media is inserted into the computer but can be used for both legitimate and malicious purposes.

For flash drives and other USB storage, autorun.inf uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Some types of malware can modify the context menu (adding a new default command) and redirect it to execute the malicious file if the "Open" command is used or the drive icon is double-clicked.

AutoPlay is the feature (functionality) built into Windows that detects and examines the content (Pictures, Music, Video files) on the CD-ROM, or other removable media and then launches an appropriate application to play or display the content. Each media type can have a set of handlers registered with AutoPlay which can deal with playing or displaying that type of media. AutoPlay can also give the user options based on the media type of files found. As a part of its functionality, AutoPlay makes use of AutoRun but instead of automatically looking for autorun.inf, it considers the event in conjunction with the various programs registered on the computer. When you try to play a CD or another media type that uses autorun, AutoPlay asks you to choose to play the autorun content or to skip it.

Tools to deal with and remove suspicious autorun.inf files:

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 VicVegas


Posted 11 February 2011 - 05:00 PM

So it should be normal? Avira blocks all the programs that are meant to help as well, y'know the ones that stick autorun.inf files on your comp and usb to prevent infection. Wait... if an autorun.inf is already built into the USB, how would it even get infected?

#6 quietman7


Posted 11 February 2011 - 06:28 PM

A flash drive (usb, pen, thumb, jump) infection usually involves malware that modifies/loads an autorun.inf file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer.

#7 VicVegas


Posted 15 February 2011 - 07:14 PM

I just can't feel comfortable using any of the programs you suggested. They all get blocked by Avira (except for Panda which I haven't tested) and have had multiple people give reviews stating they contained trojans. Is there any way I can look at it in wordpad without executing it and find out if it's malicious?

I think Budapest did the best job of answering my original question. I was giving all the facts about the file in question and simply wanted to know how likely it was to be an infection. I'll check to see if Avira is set to block all.

#8 quietman7


Posted 15 February 2011 - 07:50 PM

The autorun.inf file can be opened using a text editor (i.e. notepad) by right-clicking on it and choosing Open With in the context menu. This allows you to read its contents which would look similar to this example:
[Autorun]
Open=StartPortableApps.exe
Action=Start PortableApps.com
Icon=StartPortableApps.exe
Label=PortableApps.com

Who is the manufacturer of your USB drive? You can check the vendor's web site which in most cases provides information if they include an autorun.inf file (or any other files) on their flash drives.
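Added example, not part of quietman7's post or any tool named in this thread: a static check that parses an autorun.inf as plain bytes, the way a text editor reads it, and lists which keys would launch something from the drive. The script-host list and the constructed `SUSPECT` sample are assumptions made for illustration; `BENIGN` is the example quoted in the post above.

```python
import re

# [autorun] keys that make Windows launch something from the drive.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Keys that replace what "Open"/"Explore" or a double-click on the drive does.
VERB_OVERRIDE = {r"shell\open\command", r"shell\explore\command"}
# Heuristic chosen for this example: a script host or loader as the target.
ODD_TARGET = re.compile(r"\b(cmd|wscript|cscript|rundll32|powershell)(\.exe)?\b", re.I)
# The example quoted in the thread.
BENIGN = (b"[Autorun]\nOpen=StartPortableApps.exe\nAction=Start PortableApps.com\n"
          b"Icon=StartPortableApps.exe\nLabel=PortableApps.com\n")
# Constructed sample for illustration, not taken from the thread.
SUSPECT = rb"""[AutoRun]
; constructed sample
shell\open\command=wscript.exe placeholder.vbs
%%%% filler that is not INF syntax %%%%
"""

def parse_autorun(raw: bytes):
    """Return ({key: value} from [autorun], number of lines that are not INF syntax)."""
    entries, junk, section = {}, 0, None
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif "=" not in line:
            junk += 1  # neither a section header nor key=value
        elif section == "autorun":
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries, junk

def triage(raw: bytes):
    """List findings for one autorun.inf; the bytes are parsed, never executed."""
    entries, junk = parse_autorun(raw)
    findings = []
    for key, value in entries.items():
        if EXEC_KEY.match(key):
            findings.append(f"launches: {key} -> {value}")
            if ODD_TARGET.search(value):
                findings.append(f"odd target: {value}")
        if key in VERB_OVERRIDE:
            findings.append(f"replaces the drive's Open/Explore action: {key}")
    if junk:
        findings.append(f"{junk} line(s) that are not INF syntax")
    return findings
```

A finding of `launches:` alone, as with the PortableApps example, only shows that the file starts a program; the other three findings are the ones worth a closer look.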

#9 VicVegas


Posted 15 February 2011 - 09:30 PM

The heck, avira blocked me from opening in notepad too?! :huh:

As for the manufacturer, it's my bro's USB, I'll ask him to let me look at it again in a bit.

Edit: I may not be able to check this again for a while. My brother has Asperger's and he only lets me look at his laptop at certain times. <_<

Edited by VicVegas, 15 February 2011 - 09:33 PM.


#10 quietman7


Posted 15 February 2011 - 09:54 PM

I would submit a sample of the file to Avira's labs so they can analyze and investigate it. To do that, please refer to Suspicious Files and Miscellaneous Uploads: Submit a Sample.