USB Virus Description

Infections that spread through removable drives are still around, and will be for a long time, wherever a computer may be used by several people: cybercafes, media libraries, schools, associations, offices...
How the infection spreads:


  1. A clean key is connected to an infected PC (active infection)
  2. The malware automatically copies its malicious code onto the key

To avoid being spotted, the infection files carry the "hidden" attribute (H), so users cannot see them.


The files differ from one variant to another, but very often there is an "autorun.inf" file that makes the infection launch automatically when the key is connected.
The computer is now infected and will contaminate every peripheral connected to it.

If you're lucky, the infection is detected quickly and you can stop it spreading; but sometimes the symptoms are not immediately noticeable.

Autorun.inf file

It's a Windows feature, Automatic Execution (AutoRun), associated with the double-click that opens a media, file or folder, or with the connection of a removable media.

When we double-click a media or drive to open it, Windows looks for the Autorun.inf file.
If it is not found, the media simply opens; but if it is found, the instructions it contains are executed automatically.
This feature is mostly used for CD-ROM drives, to launch a program on the CD or DVD automatically, but it can be used for any type of media, including with malicious intent.


Infected autorun.inf

When we double-click the volume's drive letter to open it, Windows finds the Autorun.inf file and runs AdobeR.exe, which infects the whole system.
If instead of double-clicking we right-click and choose "open" or "explore", the instructions in the autorun.inf are bypassed; it's a very convenient and easy way of avoiding infection.
To read the contents of an autorun.inf, open it with Windows Notepad.


NB: Any removable media can be infected: USB keys (or pendrives), external drives, MP3 players, digital cameras, flash cards, etc.
Depending on the variant, in addition to the AutoRun.inf and .exe files, there may be other files with various attributes.

The infection may also come with related files, such as executables bearing a folder icon that entice users to open them to see what's inside (maybe George Clooney or Matt Damon with a cup of Nespresso, what else?) and so launch the infection. This is another method hackers use to bypass the deactivation of AutoRun.


Visible effects of this malware (depending on the variant, of course)


  • The browser's start page may be modified
  • The title of a web page may be modified (Hacked by Godzilla...)
  • Access to the registry or to the Task Manager may be denied
  • UAC may be deactivated
  • When opening an infected key, the files and folders appear only as shortcuts.


But if we display hidden files and folders, the picture is quite different:
the shortcuts are still there, but the real files and folders are now visible, and the malware can be seen here as itunesHelper.vbe; if we also display the details, we see it is 68 MB (quite big).
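As an added example (not code from the original article), a small Python triage script for the two patterns described above, the infected autorun.inf and the "shortcut" variant: it lists every program an autorun.inf would launch, including the shell\<verb>\command entries that rewire the right-click verbs, and flags hidden executables and .lnk files that shadow a hidden folder of the same name. The autorun.inf text and the directory listing are constructed samples; AdobeR.exe and itunesHelper.vbe are the names the article mentions.

```python
"""Triage an autorun.inf and a drive listing for the two patterns described
above (a launch directive pointing at a dropped executable; the 'shortcut'
variant). Added example, not the article's code; samples are constructed."""
import re

# Constructed sample: junk lines are typical padding in a malicious autorun.inf
SAMPLE_AUTORUN = """[autorun]
;oXrK7f padding
open=AdobeR.exe
shell\\open\\command=AdobeR.exe
"""

# Constructed listing of a key's root: (name, hidden attribute set, is a directory)
SAMPLE_LISTING = [
    ("autorun.inf", True, False),
    ("itunesHelper.vbe", True, False),
    ("Photos", True, True),
    ("Photos.lnk", False, False),
]

def parse_autorun(text):
    """Tolerant parser: keep only key=value lines inside [autorun], keys lowered."""
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def launched_programs(directives):
    """open=, shellexecute= and shell\\<verb>\\command= entries: everything the
    file can start, the last form also rewiring the right-click verbs."""
    return [(k, v) for k, v in directives.items()
            if k in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", k)]

def shortcut_virus_indicators(listing):
    """Hidden executables/scripts, and .lnk files shadowing a hidden folder."""
    hidden_dirs = {n.lower() for n, hidden, is_dir in listing if hidden and is_dir}
    findings = []
    for name, hidden, is_dir in listing:
        stem, _, ext = name.lower().rpartition(".")
        if hidden and not is_dir and ext in ("exe", "com", "scr", "bat", "vbs", "vbe"):
            findings.append(f"hidden executable: {name}")
        if ext == "lnk" and stem in hidden_dirs:
            findings.append(f"shortcut shadows hidden folder: {name}")
    return findings
```

On a real key, feed parse_autorun the file's text and shortcut_virus_indicators a listing built from the drive root with the hidden attribute read per entry.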


Invisible effects:

ItunesHelper.vbe is a keylogger: it records what users type and sends it to the hacker, who can then use the logins and passwords to log in to social networks, e-mail accounts and, best of all, bank accounts...


What happens to these credentials?


Mostly, hackers do not use these logins themselves but resell them, for example for spam campaigns, in which many firms are interested.
So don't be surprised to be phoned by a company you've never heard of, generally at dinner time.


How to avoid this type of infection?


  • 1: Deactivate AutoRun

As we have seen, AutoRun executes the instructions contained in the autorun.inf file. If it is deactivated, the malware cannot be launched.

AutoRun can be deactivated through the Control Panel, or directly in the registry (but that method requires skills generally far beyond those of an average user).

Example of deactivation through the Control Panel under Windows 8:


NB: You must do this for every account on the computer.

  • 2: Do not use double-click

As we have also seen, if you open your media with a right-click and choose "open" or "explore", the Autorun.inf file is bypassed and the malware cannot be launched (unless you're too nosy and want to see whether George Clooney is inside the folder on your pendrive).
Stage 3 above is replaced by a new stage 3, and the PC is not infected.


To prevent your key from contaminating other PCs, you must vaccinate it


Vaccination does not prevent your key from being infected, but it stops it from contaminating other devices.

It consists in creating a fake, harmless autorun.inf file which cannot be launched, deleted or rewritten, so the infection cannot be launched.
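One way to build such a decoy, as an added example that is neither the article's nor Bitdefender's code: the approach assumed here (a widely used one, not a description of USB Immunizer's internals) makes autorun.inf a folder holding a child with the reserved device name con, created through the \\?\ path prefix so Windows accepts the name, then sets the read-only, hidden and system attributes. The function names are mine; on a non-Windows host the code only creates the folders, so it can be exercised there.

```python
r"""Decoy autorun.inf for a removable drive. Added example, not the article's or
Bitdefender's code; the mechanism is one widely used approach, assumed here and
not taken from USB Immunizer: autorun.inf becomes a folder holding a child with
the reserved device name 'con', created through the \\?\ path prefix so Windows
accepts the name. Ordinary file tools then cannot open, rename or delete it, and
the malware's own autorun.inf file cannot be written in its place."""
import os

# FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
READONLY_HIDDEN_SYSTEM = 0x01 | 0x02 | 0x04


def _raw_path(path):
    r"""Prefix \\?\ on Windows: it turns off Win32 name normalization, which is
    what lets a reserved name such as 'con' be created at all. Left untouched on
    other systems so the functions can be exercised there as plain mkdir calls."""
    if os.name == "nt" and os.path.isabs(path) and not path.startswith("\\\\?\\"):
        return "\\\\?\\" + path
    return path


def vaccinate(drive_root):
    """Create <drive_root>\\autorun.inf\\con and return the decoy's path.
    drive_root must be absolute (e.g. 'E:\\'). An existing autorun.inf is not
    touched: it may be a live infection to inspect, not to bury."""
    decoy = os.path.join(drive_root, "autorun.inf")
    if os.path.lexists(decoy):
        raise FileExistsError(f"{decoy} already exists; inspect it first")
    os.mkdir(decoy)                                   # ordinary name, plain mkdir
    os.mkdir(_raw_path(os.path.join(decoy, "con")))   # reserved name needs the prefix
    if os.name == "nt":
        import ctypes  # R/H/S attributes, as the GUI vaccines set them
        ctypes.windll.kernel32.SetFileAttributesW(_raw_path(decoy), READONLY_HIDDEN_SYSTEM)
    return decoy


def is_vaccinated(drive_root):
    """True when autorun.inf exists as a directory, i.e. the decoy is in place."""
    return os.path.isdir(os.path.join(drive_root, "autorun.inf"))
```

Call vaccinate("E:\\") on a clean key; is_vaccinated gives the same green/red status the GUI tools display.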

Vaccinate with UsbFix: View Tutorial


Vaccinate with Bitdefender USB Immunizer


Download Bitdefender USB Immunizer from this link and run it.


The tool immediately recognizes the removable media to vaccinate (shown in green if already vaccinated, red if not).
Click on the red devices and they will be vaccinated.


To activate automatic vaccination:

Click on "parameters" (the cogwheel at the top right)


On the page that appears, set the switch to "on", and that's all.


If "hidden" files are displayed, you can see the vaccine.

If you try to open or modify this autorun.inf file, you get an error message.
