
I found this simple technique, albeit not a total solution to common USB infections: create a folder called "autorun.inf" on all your root drives and make it read-only. That way you can defeat most of the autorun viruses, since the file structure of Windows will not allow a file and a folder of the same name to co-exist. The Safcom modem can also be used as a flash drive because it has a slot for a micro SD card.

Regards,
Charles

On Thu, Apr 15, 2010 at 2:55 PM, aki <aki275@googlemail.com> wrote:
Early Monday I got a call from a close friend who was quite freaked out about his laptop acting up. Normally I avoid such things due to time constraints and told him to get in touch with his supplier/repair person, as it seemed like a virus/worm issue. He had too much stuff on his machine, which was backed up, but the backup drive no longer showed the default icon when plugged in and was intermittently displaying its stored data, and he was willing to wait.
Anyway, I got the laptop and checked it out. It was a WinXP SP3, all updated and well looked after. The anti-virus was also updated. The usual online scans showed nothing, while the bot/malware scans came up with trojan results. I looked at the results and started out on the file checks. Under the Windows folder there were 6 DOS files that looked unusual. They all had the same name except that their last word was similar to the drives found on the machine. This gave me a clue that most likely a USB disk was the cause of the trojan. I also checked the system processes, and a constant process kept on pushing the CPU to 30-40%. I could not trace the source of this to a known installed file/app. This process was being called from the registry and prefetch. Followed the usual steps, cleared out in safe mode etc. Done! I also cleaned the autorun file on the external drive and gave the laptop back as it was fine. (I should have known better....)
What started out as a cleaning exercise turned out to be something else. The laptop was back in a day! What? Further checks showed local accounts on the machine were affected and each one was running a different instance of the trojan process. There was no info online about the trojan exe files and processes because it changed name each time. More online or local scans would not pick up anything, but the CPU process was acting up again. This time I cleaned the registry, system32 and startup processes manually and stabilized the CPU resources. I found a few files that the trojan was attaching and removed them from each account.
While working on the above, I called my friend and asked him to explain what happened, i.e. did he plug in any USB device etc. He had loaned out his Safcom modem to another friend. When he got it back, he used it to check his emails while backing up some files on the external HDD. The machine started acting up immediately. When I returned the laptop to him, he had used it again while also using a card reader to download some files off a card. So all this was starting to make some sense. Safcom modem, ext card and ext drive are all seen as USB disks by the system. So everything pointed to USB disks. I told him to bring all the disks he had and found each one to be infected. I could not find anything on the Safcom modem. I cleaned out all the other devices and the machine was stable.
A lingering question remains: since the Safcom modem was the only device that had been loaned to another machine, could it have been the carrier of the trojan? A word of advice to those who move USB devices between machines: ensure your computer and the other computer are updated and clean before sharing data.
Post new bytes next week.
Rgds.
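As an added example that is not part of the thread, here is a small Python helper built around the two ideas above: Charles's "read-only autorun.inf folder" trick, and aki's need to see what an autorun file on a removable drive was actually pointing at. The hardening function creates the directory at a given root and sets it read-only with `os.chmod` (on Windows that toggles the read-only attribute; on POSIX it strips write permission). The inspection function only parses an existing autorun.inf (INI-style, `[autorun]` section) and reports the launch-related keys; it never runs anything. The sample autorun.inf content in the block is constructed for the demo, and the function names are this example's own.

```python
"""Defensive helpers for the autorun.inf discussion (added example, not thread code)."""
import configparser
import os
import stat
import tempfile
from pathlib import Path

AUTORUN_NAME = "autorun.inf"
# [autorun] keys that name something Windows would execute or shell-open.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample of the kind of autorun.inf a USB worm drops (not a real artifact).
SAMPLE_AUTORUN = "[AutoRun]\nopen=RECYCLER\\setup.exe\nicon=drive.ico\nlabel=Backup\n"


def harden_root(root) -> str:
    """Create a read-only *directory* named autorun.inf at `root`.

    Returns "created", "already-hardened", or "file-present". A *file* named
    autorun.inf is left untouched and reported: on an infected drive that file
    is the artifact you want to look at before cleaning.
    """
    target = Path(root) / AUTORUN_NAME
    if target.is_file():
        return "file-present"
    if target.is_dir():
        return "already-hardened"
    target.mkdir()
    # No write bits: read-only attribute on Windows, mode 0555 on POSIX.
    os.chmod(target, stat.S_IRUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IXGRP
             | stat.S_IROTH | stat.S_IXOTH)
    return "created"


def inspect_autorun(path) -> dict:
    """Parse an autorun.inf and return its launch-related entries (lower-cased keys).

    Returns {} when there is no [autorun] section or no launch entries, and
    {"parse-error": True} when the file is not parseable as INI text.
    """
    text = Path(path).read_bytes().decode("utf-8-sig", errors="replace")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text, source=str(path))
    except configparser.Error:
        return {"parse-error": True}
    # Section names are case-sensitive in configparser; Windows does not care.
    section_name = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section_name is None:
        return {}
    section = parser[section_name]
    return {k: section[k] for k in LAUNCH_KEYS if k in section}


def check_root(root) -> dict:
    """Report the autorun state of a drive root: hardened, infected-looking, or clean."""
    target = Path(root) / AUTORUN_NAME
    if target.is_dir():
        return {"state": "hardened"}
    if target.is_file():
        return {"state": "autorun-file", "launches": inspect_autorun(target)}
    return {"state": "no-autorun"}


def demo() -> dict:
    """Run both helpers against throwaway directories standing in for drive roots."""
    clean_root = tempfile.mkdtemp()
    suspect_root = tempfile.mkdtemp()
    (Path(suspect_root) / AUTORUN_NAME).write_text(SAMPLE_AUTORUN)
    return {
        "harden_clean": harden_root(clean_root),
        "harden_again": harden_root(clean_root),
        "harden_suspect": harden_root(suspect_root),
        "suspect_report": check_root(suspect_root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it hardens one temporary "root", refuses to touch the other because an autorun.inf file is already there, and reports that the file would launch `RECYCLER\setup.exe`, which is exactly the detail worth recording before deleting the file from a drive.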