Malware on a flash drive

Discussion in 'malware problems & news' started by razorboy, Dec 27, 2010.

Thread Status:
Not open for further replies.
  1. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    157
    Location:
    North
    I have not had a virus for years, but this Christmas I was hit with
Win32/Kryptik and/or Removal Tool 2011 Trojan. I got rid of them using NOD32, Spybot, and Malwarebytes. However, I suspect that the virus came from an infected flash drive, which has data I need. How can I clean the flash drive without reinfecting my computer? I am assuming that the malware would transfer to the computer as soon as the flash drive was plugged into the USB port. Yes?

    Thanks for any suggestions.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    scan the drive with the tools you have (as they already dealt with it)
     
  3. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    157
    Location:
    North
    Thank you - but might the malware transfer as soon as I insert the drive, thus necessitating having to scan the computer's drives again? I ask this because a FULL scan with NOD and Malwarebytes - which is what is required to find all components of the malware - takes a couple of hours, which is OK if I have to do it, but I'd rather avoid it.

    Thanks again.
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
Are you using the latest NOD32 (v4)? It should scan the USB drive the moment you plug it in, and it will detect and block any malware it knows about. That should prevent malware transfer. Then scan the drive fully with it and other tools if need be.
     
  5. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    157
    Location:
    North
Yes, NOD32 v4.2.67.10. OK, I'll cross my fingers and give it a go. I see the point, that it should work. Thank you. :)
     
  6. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    The first thing you want to do is disable autorun.
    That will prevent the flash drive from running as soon as it's plugged in.

    Provided you have the capability to run the flash drive inside of a virtual environment, that is the safest way to inspect the contents.
    If not, plug the flash drive in (with autorun disabled) and scan each file using the AV/AM of your choice. I prefer doing this in safe mode.
    If malware is discovered, quarantine it for further analysis.

    Be sure to back up any critical files prior to the above, and good luck !
     
  7. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    157
    Location:
    North
    I should add that when the malware arrived, I was using Avira, out of laziness. Back to NOD I go.
     
  8. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    First disable autorun from flash, then insert USB, and scan it with mentioned scanners.
     
  10. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    157
    Location:
    North
    Thanks for all this excellent advice. I will have a go at autorun later today.

    I am afraid that this: Provided you have the capability to run the flash drive inside of a virtual environment,..... is rather over my head. o_O
     
  11. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    I think he means inside Sandboxie or a virtual machine. Sandboxie can handle this sort of thing quite nicely.
     
  12. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943

    Exactly. Thanks Scoobs72.
     
  13. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
You could install Panda USB Vaccine to easily disable Autorun.
     
  14. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    If it were me, I would probably be so up-tight about the USB Flash Drive that I would boot a freshly downloaded DrWeb Live CD, plug in the USB Flash Drive while the CD is booting, do a Quick Scan of the PC and then do a Custom Scan of just the USB Flash Drive.
     
  15. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
IMO, beyond the current flash drive problem, the aim is to prevent this from ever happening again. If you disable autorun and keep your Windows patches up to date, you should be good to go in the future.

    And I agree that the Panda Solution is a good one. http://majorgeeks.com/Panda_USB_and_AutoRun_Vaccine_d6029.html
     
  16. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    A bit over the top isn't it? You have Sandboxie so why not force run USB drives in Sandboxie with start/run restrictions?
     
  17. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I was thinking about what I would do if I did not have Sandboxie. I think that the OP does not have Sandboxie.
     
  18. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    157
    Location:
    North
    True, the OP does not have Sandboxie, nor have I had time to return to the problem at hand, but these suggestions about disabling autorun seem excellent.
With XP Homely, it seems it has to be done with the registry, which I will cut and paste from instructions. This raises a question: why not LEAVE autorun off? In future, one would just have to click on the drive in question to run the drive, yes?
     
  19. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I would just leave Autorun turned off.

    If you are installing software from a CD/DVD, it will not Autorun the software installer. In that case you would just browse (using Windows Explorer) to the installer executable file located on the CD/DVD and run the installer executable file.

    If you want to turn Autorun on and off with "ease", you can install Panda USB Vaccine.
     
  20. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Apologies, I understand now.
     
  21. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Disabling Autorun

There's a link to a thread I created earlier, lots of help from Wilders :D :thumb:
     
  22. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    157
    Location:
    North
    Life is complicated.......

OK, regarding the interesting autorun thread https://www.wilderssecurity.com/showthread.php?t=278499 , this raises two questions.

    (1) The disabling method from Raymond, http://www.raymond.cc/blog/archives...m-executing-instructions-found-in-autoruninf/
    advises
    The only downside of this is that if you insert a CD or DVD with software on it, you have to explore it by hand to find the setup program which I think isn’t a big deal compared to being infected by virus and having to spend hours to scan and clean it.

I had already thought that it might be best to leave autoplay off. When Raymond writes "explore it by hand to find the setup program", is he simply referring to clicking the drive in Explorer in order to get the thing running?

    (2) I've read that autoplay is NOT the same as autorun. Huh? So, is autoplay a separate function which has to be disabled separately, as in
    http://www.mechbgon.com/build/autoplay.html ??

    Thanks again
     
  23. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Autorun and Autoplay definitions:

    http://windows.microsoft.com/en-US/windows-vista/Whats-the-difference-between-AutoPlay-and-autorun

    How to disable Autoplay:

    http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/

How to disable Autoplay (Windows Vista, Windows 7(?)):

    http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/
     
    Last edited: Dec 28, 2010
  24. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Protect your PC from infected USB drives and other removable media (disable autorun.inf)

    We all have heard of the term "disable Autorun" and that's what we need to do exactly, not disable Autoplay. It's a widely spread terminology mistake....even among many techies. And to make it worse, there's a "correct" way and a "wrong" way to do it - bet you didn't know that...

    Difference between Autorun and Autoplay:
    Autorun and Autoplay: screwed by terminology

    The "correct" way to disable it:
    The best way to disable Autorun for protection from infected USB flash drives

    Even better, read this:
    Why Disabling Autorun Only Helps The Viruses, and
    What You Should Actually Do to Protect Yourself.
     
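Added example, not code from any poster in this thread: a script that does the two things discussed in posts 6 and 24 in a controlled way. inspect_drive() reads a flash drive's autorun.inf the way the Windows AutoRun feature would (open=, shellexecute= and shell\<verb>\command= entries in the [autorun] section) and reports what each entry would launch and whether that file is present, hidden and executable, without ever running it; apply_autorun_inf_mapping() writes the IniFileMapping registry entry that makes Windows ignore every autorun.inf, which is the workaround Microsoft documents in KB967715 (the "correct way" post 24 refers to). The sample autorun.inf, the RECYCLER\update.exe path and the demo() helper are constructed for illustration; the registry write is a dry run unless you ask for it, and needs an elevated prompt on Windows. None of this replaces a full AV scan of the drive; it is a triage step that tells you what to scan first.

```python
"""Inspect a suspect flash drive's autorun.inf without executing it, and
neutralise autorun.inf handling system-wide (added example for this thread)."""
import os
import re
import stat
import tempfile
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")                      # direct launch keys
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)  # shell\<verb>\command
EXEC_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample: a dropper under a RECYCLER folder is a common worm layout.
# One entry points at a file that is deliberately absent.
SAMPLE_AUTORUN_INF = r"""
[autorun]
; constructed sample, not taken from a real infection
open=RECYCLER\update.exe
shell\open\Command=RECYCLER\update.exe
shell\explore\command="RECYCLER\update.exe" /e
shellexecute=setup\install.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
[other]
open=ignored.exe
"""

# KB967715 workaround: map autorun.inf to a registry key that does not exist,
# so Windows reads every autorun.inf "through" the registry and finds nothing.
INI_MAPPING_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
INI_MAPPING_VALUE = "@SYS:DoesNotExist"


def parse_autorun_inf(text):
    """Return (key, command) pairs from the [autorun] section only, keys lowercased."""
    launches, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            launches.append((key, value.strip()))
    return launches


def command_target(command):
    """The file a command line would execute: its first (possibly quoted) token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_hidden_or_system(path):
    """Hidden/system attributes on Windows; dot-file heuristic elsewhere."""
    try:
        st = path.stat()
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))
    return path.name.startswith(".")


def inspect_drive(root):
    """Report what autorun.inf on the drive would launch. Executes nothing."""
    root = Path(root)
    inf = root / "autorun.inf"
    report = {"autorun_inf_present": inf.is_file(), "launches": []}
    if not inf.is_file():
        return report
    for key, command in parse_autorun_inf(inf.read_text(errors="replace")):
        rel = command_target(command).lstrip("\\/").replace("\\", os.sep)
        target = root / rel
        report["launches"].append({
            "key": key, "command": command, "target": str(target),
            "target_exists": target.is_file(),
            "target_hidden": is_hidden_or_system(target),
            "target_executable": target.suffix.lower() in EXEC_SUFFIXES,
        })
    return report


def apply_autorun_inf_mapping(dry_run=True):
    """Write the IniFileMapping default value under HKLM (only when dry_run=False)."""
    if not dry_run:
        import winreg  # Windows only; run from an elevated prompt
        winreg.SetValue(winreg.HKEY_LOCAL_MACHINE, INI_MAPPING_KEY,
                        winreg.REG_SZ, INI_MAPPING_VALUE)
    return INI_MAPPING_KEY, INI_MAPPING_VALUE


def demo():
    """Build a throwaway 'drive' from the constructed sample and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        dropper = drive / "RECYCLER" / "update.exe"
        dropper.parent.mkdir()
        dropper.write_bytes(b"MZ")  # placeholder bytes, not a real executable
        return inspect_drive(drive)


if __name__ == "__main__":
    for entry in demo()["launches"]:
        flags = [k for k in ("target_exists", "target_hidden", "target_executable") if entry[k]]
        print(f"{entry['key']:24} -> {entry['command']}  [{', '.join(flags)}]")
    print("registry mitigation (dry run):", apply_autorun_inf_mapping())
```

To use it on a real drive, run `inspect_drive("E:\\")` from a PowerShell or cmd prompt with AutoRun already disabled (or from a live CD, as suggested above), then feed every reported target to the scanner before opening anything else on the stick. Entries whose target exists, is hidden and has an executable suffix are the ones to treat as the infection's dropper.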
  25. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    IMO, the info on this page has some incorrect information in it. The main one is... "There is no virus that employs AutoRun from an ordinary USB stick."

    Sorry but AutoRun absolutely spreads viruses. I've seen it with my own 2 eyes (more than once from different PCs.) IMO, it is the process most at risk of the three listed in the article. Thus all the talk all over the web about sealing off AutoRun (NOT AutoPlay) infection methods. (And yes, there is confusion between AutoRun and AutoPlay. But AutoRun is the risk we need to be primarily concerned with.)

    I do agree that AutoPlay can be the source for viruses too but it happens out in the open. IMO, this is not what sneaks up on most infected users. It's the AutoRun viruses that get them.

    And IMO, the final infection method (EDDC) is a form of AutoRun (the author even says so when he refers to "Autorun worms".)

    FWIW... This is also the method used by Panda and their USB Vaccine app (when you vaccinate the computer.)
     
    Last edited: Dec 28, 2010