We see an increase in USB-Based Malware Attacks lately.
Unfortunately,
in the last few weeks, I have seen many cases where the enabled autorun
feature caused A LOT of problems afterwards. This means that many are
not aware of the dangers yet.
For example.. Some scenarios I have seen in the last couple of weeks are:
*
Computer gets infected with Win32/Sality.NAR (NOD32 detection). This is
a polymorphic file infector which searches local and network drives for
files with the .exe extension and infects them by adding a new section
that contains the viruscode.
It also copies itself into the root
folders of removable drives using a random filename and creates an
autorun.inf file to make sure it runs whenever it is inserted into
another computer. It also disables most AV scanners by terminating their
services/processes, disables Taskmanager, disables Regedit and much
more to prevent it being detected or disinfected.
In this case, the
user had an USB flashdrive and used it to transfer removal tools etc in
order to remove this infection, since no scanners would work. What
happened was, since this virus also spreads via removable media, his USB
flashdrive became infected > result > His other computer was
infected as well!
We can stop the spread of Sality, but it would
take ages to repair the damaged files. So in sense, there is no way to
fix this virus.
* Computer gets infected with W32/AutoRun-OY -
This one also spreads via removable drives. This computer is used at
home and every user has its own account. Mom, dad, son and daughter. Son
loves to play games, but also loves to download games + cracks via
illegal resources.
And that's how the computer at home gets infected
with W32/AutoRun-OY. No detection since the Antivirus application that
was installed was only a trial and was already expired for more than a
year. Dad works for a big company and he tranfers his database+files
from the computer at work to an USB flashdrive so he can proceed with
his work at home.
The usb flashdrive gets infected when he inserts it
into the infected computer at home. Since no scanner (because it's
outdated) gives an alert and blocks the malware, there's no sign that
the computer + Flashdrive is infected.
Dad goes back to work, inserts
the flashdrive into his computer at work and... it gets infected as
well. No alert, nothing! It appears that the computer at work didn't
even have an Antivirus installed !! And, worst part of all was... Virut
was also present! See here for more info. This is imho a lost case, and
especially for business owned computers, it is irresponsible to clean
this up manually. Format and reinstall is the fastest and especially the
safest solution here.
So, who is to blame here? Imho, everyone is.
The son who is responsible for visiting illegal sites in order to
download his games + cracks, plus the fact that the Antivirus was
outdated, plus the fact that dad uses an USB flashdrive containing
corporate information and inserts it into the personal computer (see
here how to protect your data), plus the fact that the computers at work
didn't even have any protection/AV installed.
Anyway, this is so irresponsible, especially when company owned computers are involved.
*
And today, I have another case where someone gets infected with
W32/AutoRun-OY, where mom uses an usb flashdrive to transfer files to
use at work and is already complaining about the fact that there are
"problems". This thread is still in progress and I really hope this
isn't a lost case.
Please download
Flash_Disinfector from
HERE
- First, download it to your desktop.
- Now double click it to run it and will tell it you what to do when you open it.
- It will temporarily kill explorer.exe and your desktop will go blank.
- Let Flash_Disinfector do it's job and it will restart explorer.exe for you.
- It will make a dummy autorun.inf in the root of every drive.
- You can now delete Flash_Disinfector.exe.
http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/ (applies for XP Pro since XP Home has no gpedit.msc present)
http://www.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/ (aplies for XP Home. Same can be used for XP Pro)
http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/ (applies for Vista)