Pendrive autorun viruses

Follow these tips to avoid infections from pendrives, and see how to remove autorun-based viruses.

  • Always scan the media before accessing its contents, and keep your antivirus up to date. If the drive's icon has changed from the default drive icon to a folder icon or something else, you are carrying an infection on the drive.

  • Instead of auto-running the device, right-click it and choose Explore. This keeps malicious code from being executed by mistake if it has escaped the antivirus database. When you right-click your media, if “Autorun” appears at the top of the menu instead of “Open”, or if the menu shows entries in some unknown language, be certain you have a virus waiting to execute on double-click.
  • Beware of suspicious-looking files. Always uncheck the “Hide extensions for known file types” option in Folder Options. This lets you keep an eye on suspicious items such as a folder with a “.exe” extension or a media file with a “.avi.exe” extension. The same applies to new folders that pop up out of nowhere. Virus files usually set the super hidden attributes on themselves to avoid being seen.

Note: Super hidden files are system files, i.e. those files that become visible only when you go to Tools > Folder Options > View, tick “Show hidden files and folders” and untick “Hide protected operating system files”. In DOS terms this is the SH attribute, SYSTEM + HIDDEN, nicknamed super hidden.

After enabling “Show hidden files and folders”, unchecking “Hide protected operating system files” and unchecking “Hide extensions for known file types”, delete all folders carrying a .exe extension. Also delete any COM and BAT files and the RECYCLER folder on the pendrive.

Note: A RECYCLER folder is present on NTFS volumes; it is the space allotted to the Recycle Bin for that drive. The RECYCLER folder on your partitions is a system folder that stores the files in your Recycle Bin. But when we delete files from a pendrive they are permanently deleted and do not go to the Recycle Bin, so there is no system RECYCLER folder on a pendrive. Also, pendrives are usually formatted with the FAT file system, and on FAT there is no RECYCLER folder; it is called RECYCLED there. Thus any RECYCLER folder on a pendrive has a trojan inside it, which is usually run by an autorun.inf file.

  • Keep track of the files you have on your pen drive/hard disk. Do not open a new file with a suspicious extension just to innocently check what it is.
  • There may be an occasion when opening folders on your pendrive takes a very long time. Point at any folder and check its size. If a folder containing a movie shows a size of 300 KB to 1 MB, your pendrive and your PC are infected. When these viruses enter a pendrive they hide all the folders on it and set up their offspring: .exe files that carry a folder icon and the names of your folders. Whenever you double-click one of these files, tricked into thinking it is your folder, the code executes and the virus then takes you to the real folder, which is hidden, to avoid suspicion.

Or there may be the lucky occasion that, on scanning your pendrive before access, your antivirus detects a lot of infections and deletes them, but on opening the pendrive you find all your folders missing. They are actually super hidden now.

If you find that your system isn't showing you hidden files or super hidden files, your system is in the grip of an infection, or an infection has made a malicious entry in the system registry.

First download Malwarebytes, install it and run a full scan. Then download the registry defaults tool and run it to restore the registry defaults; this re-enables the disabled features. Restart to fix the issue.

If you want to change the attributes of the SH folders and files back to normal, this usually can't be done from the file/folder Properties dialog. Use the command prompt and the attrib command instead. Open a new cmd window and run this command:

attrib -s -h -r X:\*.* /s /d

where X: is the drive letter of your removable media.

  • In case you end up executing suspicious code, check in Task Manager whether a new process is running. It can be stopped temporarily from there, but the damage to the registry can't be easily undone. Use a process manager application if you find your Task Manager has been disabled. Use Killbox to delete the malicious file. If you aren't comfortable removing it manually, scan the PC with Malwarebytes.
  • Try to recognise the processes in Task Manager from time to time, especially when you install new applications. This helps you identify foreign processes running in case of a virus infection. Enthusiasts can use the application InstallRite to keep an eye on all files and registry entries copied by an application's installer. Half the job is done once you identify the virus among the processes.
  • Create a folder named AUTORUN.INF in the root of all your drives and hide it for convenience (e.g. create the folder directly inside C:, another in D:, etc.). This makes sure malicious code can't autorun itself when you double-click the drives. The same applies to your pendrives: create a folder of that name and avoid malicious code execution.

Note: Many viruses that spread from flash drives use the autorun mechanism to spread. They copy themselves to the target drive and create an autorun.inf file containing code that makes the virus execute whenever the drive is double-clicked (note carefully: it's a file, not a folder). If we already have a folder named AUTORUN.INF on our drives, the autorun.inf file the virus wants to create can't be created, since a folder and a file can never have the same name at the same location. A file can replace a file and a folder can replace a folder, but a file can't replace a folder. Hence, even though the virus copies itself to your pendrive/system drives, it isn't executed even when you double-click the drive.

If your drives aren't opening on double-click, or open in a new window, there must be a super hidden autorun.inf file in the drive root. Search for it, delete it and restart. This fixes the problem. You can also use Killbox to delete the autorun.inf files.
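The checks above (an autorun.inf file in the drive root, an .exe carrying a folder's name, a RECYCLER folder or stray .COM/.BAT files on a pendrive) and the AUTORUN.INF guard folder, as an added example that is not code from the original post. It builds a constructed sample drive in a temp directory; `scan_drive_root` and `create_autorun_guard` can be pointed at a real drive root such as `E:\` instead.

```python
"""Check a drive root for the pendrive infection indicators described above and
create the protective AUTORUN.INF folder.  Added example, not from the post.
Pass a real drive root such as r"E:\\" or a constructed directory."""
import os
import subprocess
import tempfile
from pathlib import Path

# Boot files that legitimately sit in a system drive root (listed later on
# this page); they are never reported as suspicious.
SYSTEM_ROOT_FILES = {"autoexec.bat", "config.sys", "hiberfil.sys", "pagefile.sys",
                     "io.sys", "msdos.sys", "boot.ini", "ntdetect.com", "ntldr"}
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".scr", ".pif"}


def scan_drive_root(root):
    """Return a list of (indicator, path) pairs found in the drive root."""
    entries = sorted(Path(root).iterdir())
    dir_names = {p.name.lower() for p in entries if p.is_dir()}
    findings = []
    for p in entries:
        name, suffix = p.name.lower(), p.suffix.lower()
        if p.is_dir():
            if name == "recycler":          # no Recycle Bin on a pendrive
                findings.append(("RECYCLER folder on removable drive", str(p)))
            continue
        if name == "autorun.inf":           # a FILE of this name is the trigger
            findings.append(("autorun.inf file", str(p)))
        elif name in SYSTEM_ROOT_FILES:
            continue
        elif suffix == ".exe" and p.stem.lower() in dir_names:
            # An .exe carrying the same name as a folder next to it is the
            # "folder icon" trick: the real folder is hidden, the .exe shown.
            findings.append(("exe named after a folder", str(p)))
        elif suffix in EXECUTABLE_SUFFIXES:
            findings.append(("executable in drive root", str(p)))
    return findings


def create_autorun_guard(root):
    """Create the AUTORUN.INF *folder* that blocks a malicious autorun.inf file.

    Returns False without changing anything if a FILE of that name exists
    (remove the infection first), True once the folder is in place.
    """
    root = Path(root)
    if any(p.is_file() and p.name.lower() == "autorun.inf" for p in root.iterdir()):
        return False
    guard = root / "AUTORUN.INF"
    guard.mkdir(exist_ok=True)
    if os.name == "nt":
        # Hide it and mark it system, as the post suggests (Windows only).
        subprocess.run(["attrib", "+s", "+h", str(guard)], check=False)
    return guard.is_dir()


def build_sample_drive(base):
    """Constructed stand-in for an infected pendrive (placeholder bytes, no malware)."""
    base = Path(base)
    (base / "Photos").mkdir()                       # the user's real folder
    (base / "Photos.exe").write_bytes(b"MZ placeholder")
    (base / "Movies").mkdir()
    (base / "notes.txt").write_text("harmless")
    (base / "RECYCLER").mkdir()
    (base / "U.COM").write_bytes(b"placeholder")    # name taken from this page
    (base / "autorun.inf").write_text("[autorun]\nopen=U.COM\n")


def demo():
    """Scan the constructed sample, then clean it and add the guard folder."""
    base = Path(tempfile.mkdtemp(prefix="pendrive_"))
    build_sample_drive(base)
    findings = scan_drive_root(base)
    guard_refused = create_autorun_guard(base)      # False: autorun.inf file present
    (base / "autorun.inf").unlink()                 # the removal step from the post
    guard_created = create_autorun_guard(base)      # True: folder now blocks it
    return {"indicators": [i for i, _ in findings],
            "guard_refused": guard_refused, "guard_created": guard_created,
            "after_guard": [i for i, _ in scan_drive_root(base)]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```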

  • Ever been annoyed by a file that won't delete or rename, or a pendrive that won't safely remove because of a “file in use” error? The solution is Unlocker. This little tool installs an Explorer extension that appears when you right-click a file or drive. Unlocker displays all the processes using (or locking) the file, folder or drive. Such a locking handle can prevent the file from being deleted or renamed, or prevent the pendrive from being safely removed, giving the drive/file in use error. In that case, just right-click the object and click Unlock. A list of applications using the object is displayed. Click Unlock All and proceed.
  • Keep an eye on applications registered at startup using the tool Autoruns; find them in the Logon tab. If you ever feel you executed a malicious file, check the startup entries and delete the malicious file's autorun entry (remember to look at the key too, since it points to the location of the malicious file, which also has to be deleted).

ERADICATE MALWARE


If someone says he has never encountered a malware infection on his PC, he is probably lying. Whatever antivirus you use, at some point you will face the occasion when your PC gets infected and your antivirus never detected it. Modern heuristics-enabled antivirus has reduced the chances, but most of the time it isn't so. The strangest thing about malware is that you feel its presence without any diagnostics! Maybe that's because of the resonance we develop with our PCs over time…!

Let’s first learn what malware are…

Types of malware:

  1. Virus: A virus is a malicious program that can replicate itself and affect the normal operation of a system without the knowledge or permission of the user. It attaches itself to executable code and runs every time that code is run, making multiple copies of itself. It corrupts files and denies access to data, rendering the data useless.
  2. Worm: Unlike a virus, a worm is independent and doesn't attach itself to any file or code. It is capable of spreading without any host file, replicating by copying itself across the network. Worms mainly attack networks, sending copies of themselves to everyone in your address book, causing DoS (denial of service) attacks and affecting your internet connectivity.
  3. Trojans: As the name suggests, a trojan hides inside a seemingly legitimate program and runs malicious code from there. Once run, the host computer is infected and the trojan starts replicating. It performs activities such as sending your data to its creator, or logging what you type (your passwords, bank account details) and sending that to its creator without your consent. It can even damage your data by simply deleting it. Trojans have the capability to change their code to trick antivirus programs into not detecting them. Some are even scheduled to strike on preset dates.
  4. Spyware: Very similar to trojans, these applications are designed solely to steal your data. But unlike trojans, they don't have the capability to replicate themselves.
  5. Cloaked malware: These are the new-generation malware that are becoming a nightmare in the computing sector. Cloaked malware are rootkits that are invisible to Windows Explorer and hence to antivirus. They run hidden from Task Manager, making it difficult to detect their presence. Their files are hidden on the system, so antivirus doesn't detect them.

So, these are malware. Once executed by us, they go active in system memory, multiplying, restricting our privileges and adding entries to the registry to make sure they run at least once each time the system starts. They add malicious registry entries to mask themselves by disabling Task Manager, Registry Editor and Folder Options. They create files that get them executed when drives are opened, and they continuously monitor our system for a chance to spread. But how do we identify their presence in our systems? These are the symptoms….

Identification:

i. Unrecognised processes and files: Unrecognised processes running in Task Manager, or unrecognised files on the drives, mark the presence of malware.

The key to identifying an infection is to keep vigil on the processes that run in the background. This begins from the day you install a piece of software: see what process it runs. Also remember which files you have on your hard drive. Any new file or folder with a .exe extension, or anything with a provocative name or a cute icon, can potentially be the result of an infection. In the event of Task Manager being disabled, Process Explorer from Sysinternals can be used to analyse the running processes.


ii. File and system behaviour: If you notice drives opening in new windows, the system taking longer to start up, the CPU showing excessive activity even under no load, or files or folders reappearing after you delete them or not getting deleted at all, there is a high probability that your system is infected.

Files on a pendrive disappearing and being replaced by smaller “folders” (with a .exe extension, if you look) very clearly indicate the presence of malicious code.

File activity can be watched using the application Filemon. An expert view of file activity can easily uncover malicious activity.

iii. Network activity: If you get complaints that some of your friends are receiving strange e-mails from you, with links to unknown sites or strange attachments, this could be a worm at work.

Increased network activity noticed in Portmon etc. also implies the presence of network worms.

iv. Reduced privileges: Getting error messages like “…disabled by administrator…” when opening Run, Task Manager or Registry Editor plainly implies that your system is infected and malicious entries have been made in the registry.

v. Malicious entries in registry: The same applies when you get errors at startup such as “file not found”. This is caused by malicious programs making registry entries so that they auto-start at system startup. This can also be analysed using the application Autoruns from the Sysinternals suite, or simply run MSCONFIG from the Run menu and check the startup applications.

These symptoms confirm the presence of malware on your PC. Now that you know you aren't alone, how do you zero in on the culprit, keeping in mind that your loyal antivirus let it in? Here is a step-by-step procedure to catch the culprit and kick it out. Stop all other applications and disconnect from the internet. Keep your weapons handy…….. War has begun!

Eradication of malware:

i. Identification of the process in memory: Once executed, conventional malware tends to stay active in system memory, running a process that carries out the task the malware was designed for. Nowadays it is common for malware to alter the registry to disable Task Manager, Run and Registry Editor, so use Process Explorer to view the active processes in memory. Tips for identification include:

a. A few malware are easily identified by very high CPU usage even when you aren't running any CPU-consuming application.

b. Many carry names that look suspicious even to laymen. Some include Khatarnak.exe, khatra.exe, music.exe, new folder.exe, soundmix.exe, etc. Most of them run under the explorer.exe branch in Process Explorer.

c. Smart viruses today carry names that spoof Windows processes. For example, Regsvr32.exe is a Windows application, but the virus carries the name Regsvr.exe. Similarly, a malware spoofs the name of the Windows service host svchost.exe and runs a process named svcshost.exe. In such cases identification becomes tough and depends more on your experience and a logical approach. Obviously a process named Regsvr.exe isn't expected to be running on your system all the time, and a service host with an odd spelling that runs under explorer.exe is suspicious. Assistance can always be sought online regarding any suspicious process.

d. Repeated processes of the same name in memory, when just one or no such application is running, also point to malicious code. But svchost.exe is an exception, with 5 such processes running at a time.

e. Reverse analysis can be done by identifying all legitimate processes and the applications that trigger them, so that the left-over processes can be treated as suspicious.

f. Cloaked malware isn't easily identified since it runs hidden from Explorer. Its files and memory residency aren't visible, hence its presence is hard to verify. The Sysinternals tool RootkitRevealer does a good job of detecting rootkits. It scans the registry and file system for discrepancies and reports possible rootkits that are actually present but not reported by the Windows API. Extreme caution should be taken before acting on its results, since it only gives a probable result, not a certain one. Rootkits are the set of malware which I suggest are better removed using antivirus.

Having identified the malicious process in memory, the next task is to find out where it is executing from. This is easily verified in Process Explorer.
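Tips b to e above turned into a small triage script over a process listing, as an added example that is not code from the original post. The listing of (name, parent) pairs is constructed; the lookalike check uses edit distance against a list of core Windows process names and their expected parents, which are assumptions about an XP-era system, and `lookalike_of` generalises the Regsvr.exe / svcshost.exe cases to any one- or two-character misspelling.

```python
"""Flag suspicious process names in a process listing, following tips b to e
above.  Added example, not from the post.  The listing is a constructed sample
of (name, parent name) pairs like those shown in Process Explorer."""
from collections import Counter

# Core Windows processes of the XP era and the parent each should have
# (assumed values).  A parent such as explorer.exe means the name is borrowed.
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe", "spoolsv.exe": "services.exe",
}
OTHER_SYSTEM = {"explorer.exe", "regsvr32.exe", "userinit.exe"}
KNOWN_SYSTEM = set(EXPECTED_PARENT) | OTHER_SYSTEM
MULTI_INSTANCE_OK = {"svchost.exe"}        # the exception named in tip d
KNOWN_BAD = {"khatarnak.exe", "khatra.exe", "music.exe", "new folder.exe",
             "soundmix.exe"}               # names listed in tip b


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character spoofs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the system process name that `name` imitates, or None."""
    name = name.lower()
    if name in KNOWN_SYSTEM:
        return None
    legit, dist = min(((s, edit_distance(name, s)) for s in KNOWN_SYSTEM),
                      key=lambda t: t[1])
    return legit if dist <= 2 else None


def analyse(processes):
    """processes: list of (name, parent_name). Returns list of (name, reason)."""
    counts = Counter(name.lower() for name, _ in processes)
    flagged, dup_reported = [], set()
    for name, parent in processes:
        low, par = name.lower(), parent.lower()
        if low in KNOWN_BAD:
            flagged.append((name, "name listed as known malware"))
        elif lookalike_of(low):
            flagged.append((name, f"looks like {lookalike_of(low)}"))
        elif low in EXPECTED_PARENT and par != EXPECTED_PARENT[low]:
            flagged.append((name, f"system name but started by {parent}"))
        elif counts[low] > 1 and low not in MULTI_INSTANCE_OK and low not in dup_reported:
            dup_reported.add(low)
            flagged.append((name, f"{counts[low]} copies running"))
    return flagged


SAMPLE_PROCESSES = [          # constructed listing; comments mark the plants
    ("System", ""), ("smss.exe", "System"), ("csrss.exe", "smss.exe"),
    ("winlogon.exe", "smss.exe"), ("services.exe", "winlogon.exe"),
    ("lsass.exe", "winlogon.exe"),
    ("svchost.exe", "services.exe"), ("svchost.exe", "services.exe"),
    ("svchost.exe", "services.exe"), ("svchost.exe", "services.exe"),
    ("svchost.exe", "services.exe"),
    ("explorer.exe", "userinit.exe"), ("notepad.exe", "explorer.exe"),
    ("svcshost.exe", "explorer.exe"),     # tip c: misspelt service host
    ("Regsvr.exe", "explorer.exe"),       # tip c: Regsvr32.exe without the 32
    ("svchost.exe", "explorer.exe"),      # right name, wrong parent
    ("New Folder.exe", "explorer.exe"),   # tip b: a name from the post
    ("helper.exe", "explorer.exe"), ("helper.exe", "explorer.exe"),  # tip d
]

if __name__ == "__main__":
    for name, reason in analyse(SAMPLE_PROCESSES):
        print(f"{name:16} {reason}")
```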

ii. Stopping the malicious code execution: The next step is to stop the execution of the malicious code. As long as it is active in memory, the malicious code can keep multiplying, monitors the system to maintain its malicious action, and keeps vigil on the registry so that it can't be rectified. This can simply be done with Task Manager / Process Explorer, or may even need a boot from a secondary device.

Note: From now on, don't open any drives by double-clicking them, since this can trigger the drive autorun, which is usually linked to malicious code via an autorun.inf file. Open drives from the address bar or with Explore instead. Do not open any new folders either, since they may well be masked trojans with a folder icon!


a. The basic step is to end the identified malware process to stop its execution. This can be done directly in Process Explorer. If a new malicious process pops up on termination of the first, it is probably running from another location; end that process too. Preferably end the whole process tree, but be sure you have noted down where it is executing from.

b. If the process keeps starting again and again, it probably has another file backing it up. In that case, use Killbox to end the process and delete the file. To use Killbox you need to know the location of the file, which you obtain from Process Explorer.

Note: Even if the process was ended in step a, the file has to be deleted using Killbox. The reason Killbox's “end Explorer shell” option isn't preferred is that, while deleting the file with the Explorer shell ended, it restarts Windows Explorer, which is often accompanied by the malicious code executing again. The best way is to end the process using Process Explorer and delete the file using Killbox. If the file is in use, unlock it with the tool Unlocker and then delete it.

c. Some smart malware can't be deleted even with Killbox, citing privilege issues. Then it is necessary to boot from a secondary device, preferably a Bart's PE live CD, and delete the malicious files.

d. Rootkits, once identified, can be deleted the same way as above, using Killbox or by booting from a secondary device. Since the process they run is hidden, it is tough to verify whether the malware's execution has stopped. Rely on your instincts to see whether everything is OK, or assume at this stage that the malware is no longer active in memory.

iii. Regaining authority: Malware usually limits our privileges to make sure it stays hidden or can't be detected. This includes disabling Task Manager, Run, Registry Editor or registry import, etc. The next step is to regain control of our system.

a. In Run, type

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

and run the command. This resets the registry value (DisableRegistryTools) that had disabled registry editing back to 0. Registry editing is now allowed, though the Windows Registry Editor may still be disabled.

Note: Type the above command into Notepad and save it. Change the extension to .bat and you have your own registry-editing enabler tool!

b. Download the RatsCheddar tool and run it. This enables Registry Editor, Task Manager and Folder Options.

If at this stage you find that the restored defaults get altered once again to impose restrictions, the malware is still active in memory. Repeat the identification and stop its execution.

iv. Removing supporting restart mechanisms: Now that the malicious code isn't active in memory, the next step is to remove its supporting mechanisms. Every malware, once executed, makes sure it is executed at least once at every system startup. This is achieved by entries in the registry, or by modifying autoexec.bat or config.sys, etc. Registry entries are the option malware prefers most, and we will go by it.

a. Many malware leave behind trigger files on the drives that restart the malware in full force once the drives are double-clicked. They work by creating an autorun.inf file linked to the malware's trigger file, so that every time the drive is auto-run, the malware is triggered again. Our first priority is to remove this kind of start mechanism.

Open My Computer, go to Folder Options and enable “Show hidden files and folders”, then untick “Hide extensions for known file types” and “Hide protected operating system files”. Upon unticking “Hide protected operating system files” a confirmation is asked; confirm. Once finished, apply the settings. Now enter the C: drive via the address bar, or by right-clicking and choosing Explore. You will now see many files that were hidden earlier.

Check for the presence of an autorun.inf file. Open it by double-clicking it (it won't hurt!!) and, if readable, check which file it was meant to auto-run.

Caution: Many of the system files now visible are responsible for booting your system. Do not go on a random deletion spree, lest your system doesn't boot again!! Some of the system files and folders are:

Autoexec.bat, config.sys, hiberfil.sys, pagefile.sys, IO.sys, MSDOS.SYS, boot.ini, NTDETECT.COM, ntldr, the config.sys folder, the System Volume Information folder, the RECYCLER folder, etc.

Delete the file mentioned in the autorun.inf file and the autorun.inf file itself. Also delete anything like a folder of any name with an .exe extension, and any other .BAT or .COM file other than those mentioned above. Repeat the process for all drives, opening each of them without double-clicking. In the event of confusion, take help online, preferably on another system.
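Reading the autorun.inf to see what it was meant to launch, as an added example that is not code from the original post. The parser honours only the [autorun] section (and the [autorun.<arch>] variants Windows also reads), treats key names case-insensitively and skips junk lines, so a padded or partly garbled file still yields its targets; it covers the open=, shellexecute= and shell\<verb>\command= forms, which goes beyond the single open= line mentioned on this page. The sample content is constructed, using the U.COM name from the case described later on this page.

```python
"""Read an autorun.inf and report what it would launch (the check in the step
above).  Added example, not from the post.  The sample content is constructed
in the style of the U.COM infection described later on this page."""
import re

LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(data):
    """Parse autorun.inf text or bytes into a dict of what matters for triage."""
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    info = {"launch": [], "icon": None, "label": None, "default_verb": None}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue                                  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            in_autorun = section == "autorun" or section.startswith("autorun.")
            continue
        if not in_autorun or "=" not in line:
            continue                                  # junk, or another section
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            info["launch"].append((key, value))       # open=, shellexecute=, shell\verb\command=
        elif key == "shell":
            info["default_verb"] = value              # verb run on double-click
        elif key == "icon":
            info["icon"] = value                      # why the drive shows a folder icon
        elif key == "label":
            info["label"] = value
    return info


def launch_targets(info):
    """Bare program names from the launch entries (first token, quotes stripped)."""
    targets = set()
    for _, value in info["launch"]:
        m = re.match(r'"([^"]+)"|(\S+)', value)
        if m:
            targets.add(m.group(1) or m.group(2))
    return targets


# Constructed sample: the trigger file as the post describes it, with the
# mixed case, extra verbs and a junk line such files commonly carry.
SAMPLE_AUTORUN = rb"""[autorun]
;constructed sample, modelled on the trigger file described on this page
OPEN=U.COM
shell\open\Command=U.COM
shell\explore\command=U.COM /s
shellexecute="U.COM" /s
icon=%SystemRoot%\system32\shell32.dll,4
shell=open
ZZqwerty garbage line
"""

if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN)
    for key, value in parsed["launch"]:
        print(f"{key} -> {value}")
    print("files to look for:", sorted(launch_targets(parsed)))
```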

Registry entries are made to make sure the malware executes at every system startup and stays in memory. Use the tool Autoruns from Sysinternals to check the startup keys in the registry. It lists all processes and files scheduled to auto-run at startup in the Logon tab. Search for and delete any suspicious entries.

Another useful tool is HijackThis from Trend Micro. This tool lists all non-Windows processes starting at startup, making it possible to get a clear picture of the scenario. It has a tool called ADS scanner that can be used to detect rootkits as well. All such malicious entries are simply to be deleted.

v. Finishing by cleaning up all the scraps: By this time you will know what struck you. Search the net for more details on the infection and delete its sister files as well. If there were any entries you left ignored, delete them too, verifying them on the net.

Clean all temporary files: type temp, %temp% and prefetch in the Run command (one at a time!) to open the locations, and delete all files stored in them. Use Unlocker to unlock any locked files. Delete all cookies and other files in download folders. Go for a manual hunt in the Documents and Settings folder and delete any last traces of the infection.

Delete all previous System Restore points, since they may be hiding the infection. Keep an antivirus handy. Restart your system now. Check the startup time, verify that Task Manager is working and check the processes running in it. If everything works fine, congrats!! You just won the battle!!

Any cryptic error message like “file not found” means startup entries for the malicious code are still present even though the code is not. Simply run Autoruns and, in the Logon tab, search for an entry with a “file missing” error beside it and delete it. Install a good antivirus and update it. Preferably reinstall the web browser too.

Now that your system is malware-free, make a commitment to her that from now on you play clean and play safe. Keep updating your antivirus and be cautious online: avoid dirty sites, install an antivirus with a site advisor, and be extra cautious with removable media.

Hope you live happily hereafter!!

Note: A case study: removing the “System Security” fake antivirus.

Due to popular demand, I have posted the specific procedure to remove the System Security malware manually.

Kill processes:
Open Process Explorer and kill the process named 1632575944.exe. It may also carry some other number as its name. Kill it after you note the location it is executing from.

Delete registry values:

Open Registry Editor and delete the value below. You may need to restore the defaults using my restore-defaults tool to enable registry editing and the other defaults (go to the home page and download it from the Downloads section).
%UserProfile%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “1632575944”

Alternatively, use the Autoruns tool and delete this entry from the Logon tab.

Delete files:

Search for and delete the following files. You can use Windows Search too.
1632575944.exe, config.udb, init.udb, English.lng, German.lng, Spanish.lng, System Security.lnk

Delete directories:
c:\Documents and Settings\All Users\Application Data\538654387
c:\Documents and Settings\All Users\Application Data\538654387\Languages
C:\Documents and settings\All Users\Start Menu\Programs\System Security

Reboot and check whether everything is OK.


New generation malware

Though I don't like telling stories, this one is really adventurous and I suggest you read it, since it's about an encounter with a deadly malware and I am the hero!

As I described in my previous posts, the conventional way of zeroing in on a virus seemed to me to work for all kinds. That held until I saw new viruses in my college digital library (I would rather call it a virus vault!). They were a breed apart: unlike normal viruses, they didn't have any visible process running in Task Manager. This made it really tough to detect their presence on the PCs. For a while I was tricked into believing they didn't exist on the PC and that it had slowed down because of other issues. When I brought my pendrive back home, I noticed a new file U.COM on it, which didn't execute thanks to my AUTORUN.INF folder, which is always present on my pendrive. Now I was sure the virus was present on the college PCs, but I didn't have enough patience and time to go back there to try busting it, the place being public in nature.

A few days ago I was at my friend's place, whose system had a whole lot of problems ranging from slow startup and the net getting disconnected to the browser hanging with errors. He was pleading to format his system and repartition it to remove any malware hiding on the other drives. FORMAT!!! The word I hate the most! I sat there determined that it was either the malware or me that was going to get screwed, and was ultimately able to fix it. Here is how I did it…..

  1. Opening Task Manager didn't help much since it showed no suspicious process.
  2. On opening a drive, it opened in a new window. This made me certain that some code was being executed before the drive opened, marking the presence of an autorun.inf file, which would be super hidden.
  3. Initially I tried restoring the registry defaults, but it didn't work, indicating that the malware was active, monitoring registry changes and re-writing its malicious keys whenever the original entries were restored.
  4. Since the only thing I was certain of was the presence of an autorun.inf file, I went for the kill. Using Killbox, I entered the file path C:\autorun.inf and was able to find the file and delete it. Since Killbox keeps a backup of deleted files in a folder on the C: drive, I accessed the file and opened it by double-clicking it (don't be afraid, these files won't eat up your system when opened!). I found code to execute a U.COM file on drive autorun. This made me happy, since I got another chance to take my old revenge on this guy!
  5. Using Killbox, I gave the instruction to delete the file C:\U.COM. I was able to find the file and delete it. I repeated steps 4 and 5 for all drives.
  6. To be certain of deleting all its files, I searched the internet for details on the malware named U.COM and found which files it creates. I deleted

c:\windows\system32\drivers\klif.sys

c:\windows\system32\olhrwef.exe

c:\windows\system32\nmdfgds0.dll

and deleted the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cdoosoft C:\WINDOWS\system32\olhrwef.exe

  7. Having cleaned up the mess, I restored the Windows registry defaults, entered each drive, created a dummy AUTORUN.INF folder and deleted suspicious files as well. Also delete all the files Killbox backed up after deleting them. I deleted all files from all the temp locations and, using CCleaner, deleted the startup entries of U.COM. Search the registry editor for U.COM entries and delete them all; usually there are other related entries in the same subkey, so delete them too. Restart your system and check whether everything is OK.

The malware U.COM falls in the category of CLOAKED MALWARE, the new-generation viruses. They run hidden from Task Manager, inside a background service like svchost, along with other system processes. They write to other programs' virtual memory, which is also called process hijacking. They are packed and/or encrypted to be invisible to our eyes. It is added as a registry auto-start entry to load the program at boot. It creates various files inside the system32 folder and on all drives, and alters the registry to hide its files from the user.

PC slow and you don't see any reason why? Beware, you could be a victim!!