USB Virus/Autorun Virus Identification

Posted on October 13, 2008. Filed under: Viruses | Tags: , , , , , , , , |

The most common form of virus today in college campuses, companies, file-sharing cirlces, and other institutions is the sticky USB pen drive virus.

Virus targets —> USB:\autorun.inf

Virus slows —> The startup of Windows.

Virus stays —> In ‘%windir%\system32\’ (%windir% stands for windows directory eg: ‘c:\WINDOWS’). This is the most common and safest place for the viruses.

Virus hides —> My Computer > Menu Bar > Tools > Folder options (so that the user will not be able to un-hide hidden and system files, so that the viruses won’t get exposed to the user)

Virus denies —> Access to Task Manager, regedit.exe, msconfig(start up configurations), and other admin utilities saying “you don’t have admin privileges” or something like that, even if you are the admin. Also denies the right click & open(and then, you double click, which activates the autorun virus) of the USB drive via explorer, and won’t allow formatting of the drive.

Virus names —> Itself as a camouflaged program that resemble a legitimate Windows process. For example ‘System’ (which is a real windows core process). The virus is named ‘system.exe’ and stores itself in ‘%windir%\system32\’. The fact is, for a common Windows XP user, there is no such program named ‘system.exe’ in ‘%windir%\system32\’ or ‘%windir%’ itself. This virus can be seen running in task manager(ctrl-alt-del) as ‘system.exe‘, alongside the real Windows process named ‘System‘ that has a constant PID 4 with the User Name SYSTEM instead of the real user account name, say jais. Another disguised program that i recently ‘End Process’ed calls itself ‘explorcr.exe’ to resemble the actual XP desktop process named ‘explorer.exe’. There are also stupid and random-letter virus names like bad1.exe, bad2.exe, bad3.exe, dfjhw.exe, uwnwef.exe . So keep a watch on the task manager’s process list.

Advertisements

Make a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

4 Responses to “USB Virus/Autorun Virus Identification”

RSS Feed for Jais’  Weblog Comments RSS Feed

I have this in my USB pendrive. My antivirus (F-Prot) has detected it and prevent it for running (also I have autorun disabled since the last XP format). But I want to clean up my pendrive, what should I do?

Nevermind, already make format (fat32) to the pendrive and make an empty autorun.inf in it with “Just read” property just to prevent further overrides from worms 🙂

you can remove the virus by using captain nemo to see all hidden objects and use unlocker to unlock the folder or file that is not ablw to delete

Unlocker is a great tool that i use in many situations. For those who have not heard about it, it is a software that enables us to remove all open handles to a file, so that we can rename, move, edit or delete it. But i don’t know about captain nemo and it’s funcationality.


Where's The Comment Form?

Liked it here?
Why not try sites on the blogroll...

%d bloggers like this: