Saturday, October 20, 2007

A New Virus Infection Method

A new USB virus technique that could compromise your computer. This virus exploits the AUTORUN.INF attack vector.


USB Viruses Get Sneaky


A new virus infection method may well be the most ingenious way yet to fool people into running the virus. It rigs the default context menu (the right-click menu) so that every entry points to the virus, so the infection runs no matter which menu choice you select.

Before this technique appeared, a safe way to bypass a USB infector's execution was to right-click the USB drive and select either Open or Explore, making sure both commands are spelled correctly. A misspelled command, like Explorer or 0pen with a zero in place of the O, is usually a sign of a virus infection.

However, the new virus infection method modifies the registry so that the honest-looking Open and Explore entries themselves point to the virus executable. This renders the safe method above useless, as selecting any of the context-menu choices will trigger the virus.
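As an added example (not from the original post), here is a small Python checker that parses the autorun.inf found in a drive's root and reports the entries this technique relies on: an open= or shellexecute= line that runs on AutoPlay, the default Open and Explore verbs rewired to an executable, and the extra misspelled verbs mentioned above. The sample file contents are constructed; mveo.exe and jay.exe are the names the post reports.

```python
import configparser
import re

# Constructed autorun.inf body modelled on the post's description: AutoPlay runs the
# infector, and the legitimate-looking Open/Explore verbs are rewired to it as well.
SAMPLE_AUTORUN_INF = """[autorun]
open=mveo.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open=&Open
shell\\open\\command=mveo.exe
shell\\explore=E&xplore
shell\\explore\\command=mveo.exe
shell\\explorer\\command=jay.exe
"""

# Constructed benign example: only an icon and a volume label, nothing executes.
CLEAN_AUTORUN_INF = """[autorun]
icon=setup.ico
label=Company Driver CD
"""

EXEC_KEYS = ("open", "shellexecute")          # keys that launch a program on AutoPlay
VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
LEGIT_VERBS = {"open", "explore"}             # verbs Explorer shows by default

def analyze_autorun(text):
    """Return a list of findings describing what this autorun.inf would run."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str          # keep key case as written in the file
    parser.read_string(text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    findings = []
    if section is None:
        return findings
    for key, value in parser.items(section):
        if key.lower() in EXEC_KEYS:
            findings.append(f"{key}= launches '{value}' on AutoPlay")
        match = VERB_RE.match(key)
        if match:
            verb = match.group(1).lower()
            if verb in LEGIT_VERBS:
                findings.append(f"default verb '{verb}' is redirected to '{value}'")
            else:
                findings.append(f"non-standard verb '{verb}' added, runs '{value}'")
    return findings

def is_suspicious(text):
    """True when autorun.inf launches anything or alters the context menu."""
    return bool(analyze_autorun(text))
```

Run analyze_autorun on the contents of autorun.inf from the drive root (read it with a text editor or from a command prompt, not by double-clicking the drive) to see which verbs have been rewired before opening the drive.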


Safely Open an Infected USB

To bypass this technique, we shall employ what DOS users know as the fastest way to access a drive: typing the drive letter followed by a colon and pressing Enter at the DOS prompt. Luckily, Windows still follows this tradition. To open a suspected USB drive:

  1. Of course, insert the USB drive. If an AutoPlay window pops up, this is usually a sign of a clean USB drive, but not always. On the AutoPlay window, select the option Open folder to view files using Windows Explorer. In this case, Windows opens the USB drive without triggering the infection.

  2. Otherwise, open My Computer without clicking anything else. Look for the drive letter of your USB drive. It should look like Removable Disk (D:). The D: is the drive letter. Type that in the Address bar, then press Enter.

  3. Your USB drive contents will appear on your screen.

If the Address bar is not visible in My Computer, select Status Bar under the View menu.

With this technique, you will dodge the virus's method of infecting your system. Windows opens the USB drive without executing any other background commands. This is most useful if the USB drive is not yours, since you will dodge the virus until you return the drive to the owner. Of course, it's your responsibility to alert the owner that the USB drive is infected. But if it is yours, you need to remove the virus from the drive itself, or the problem will persist and the infection will spread. For more information on how to remove the virus, check out SonicsoftTODD.blogspot.com


The viruses I encountered that used the new technique are called mveo.exe and jay.exe. This virus only changes the title of your Internet Explorer, as far as I know, and it infects the root directory of all your drives. This is a new kind of virus that Norton Antivirus did not yet detect at the time of writing. See http://sonicsofttodd.blogspot.com/ on how to remove the USB virus.


So my recommendation: don't insert your USB drive into any computer without examining that computer first. And should you need to use your USB drive on another computer, be sure to scan the drive for viruses when you insert it into your own computer. You should also have good antivirus protection, and make sure you update the virus definitions as often as possible.



Story:
Copyright 2007 Sonicsoft Corporation
All Rights Reserved