General Chat Thread, Virus Help in General; looks like i have a little bug on the system wooo
21st May 2010, 03:46 PM #1
looks like i have a little bug on the system wooo
It's the hot/cold USB virus. I have it on several stations (must have), including mine.
Doesn't do too much (as far as I can tell) other than make a USB drive appear as a folder.
Any ideas??? BTW, I have done a rebuild of all stations in school due to another, unrelated problem.
21st May 2010, 04:27 PM #2
Disable USB autorun on all machines, upload a sample to VirusTotal to confirm the name/variant of the virus, then a quick Google for removal instructions. Can't do much if it's coming from an external source, e.g. an infected staff home PC, as they'll keep bringing their stick back in infected again - just need to make sure your AV is up to date and catching it properly to remove it.
Only other handy trick I picked up which trips up a lot of USB viruses is creating a folder called Autorun.inf in the root of uninfected drives to 'inoculate' them - not a magic bullet, but a lot of the code only checks for a file called autorun.inf to replace and implodes when it tries to remove a folder of the same name. Doing this to one of your own sticks means you can at least plug it into several machines to run a removal tool without having to remember to disinfect between each machine.
21st May 2010, 05:50 PM #3
That explains why my trick didn't work - I was told to create my own file called autorun.inf!
We have had a few cases of the W32/SillyFDC-AJ worm in school this week which I think was originally brought into school by a PGCE student ("my laptop at home is broken" turned into "my laptop at home is infested with viruses" after a few questions!). That creates an autorun.inf so we always have to use attrib after the main disinfection to remove that file.
22nd May 2010, 12:55 PM #4
Also check for exe files: usually in the root of the USB drive (hidden), called setup.exe or explorer.exe, and again in the root of the C:\ drive. If these exist, there are usually going to be a couple of exe files in c:\windows\system32 - the first called cffmon.exe and the other has a random name. They will usually be 424 KB in size, though. You can either delete these with a live Linux CD or a BartPE bootable Windows environment, or if anyone's interested I've a little batch file which effectively does it all for you, as well as turning off USB autorunning in the registry and creating dummy folders in place (as above, autorun.inf and also the .exe files in the relevant places as a double whammy).
If anyone wants it (just a .zip with a .reg snippet, the batch file and a couple of exes from the Win2k3 dev thingy), drop me a PM. Made life so much easier for me when someone infected the part of our LEA where staff share their resources and favoured virus.
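The two defensive steps described in posts #2 and #4 (turn off autorun in the registry, then inoculate a clean stick with an Autorun.inf folder and look for a hidden autorun.inf file or hidden .exe files in the drive root) as a PowerShell script. This is an added example written for this thread, not the poster's batch file or .reg snippet; the parameter name DriveRoot and the use of a read-only/hidden/system folder are my choices, and the NoDriveTypeAutoRun value 0xFF disables autorun for every drive type. Run it from an elevated prompt, since it writes to HKLM.

```powershell
# Added example: disable autorun, audit a removable drive, then inoculate it.
# Usage (example):  .\Inoculate-Usb.ps1 -DriveRoot 'E:\'
param(
    [Parameter(Mandatory = $true)]
    [string]$DriveRoot   # root of the USB drive to check, e.g. 'E:\' (assumed parameter name)
)

# 1. Disable autorun machine-wide. 0xFF covers all drive types (removable, CD, network...).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
Write-Output 'NoDriveTypeAutoRun set to 0xFF (autorun disabled for all drive types)'

# 2. Audit the drive root for the indicators from the thread:
#    a hidden autorun.inf FILE, or hidden .exe files (the posts mention setup.exe / explorer.exe).
#    -Force makes Get-ChildItem return hidden and system entries.
$suspects = Get-ChildItem -LiteralPath $DriveRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object {
        ($_.Name -ieq 'autorun.inf') -or
        ($_.Extension -ieq '.exe' -and ($_.Attributes -band [IO.FileAttributes]::Hidden))
    }

foreach ($f in $suspects) {
    # Size is printed so it can be compared with the ~424 KB figure mentioned in post #4.
    Write-Warning ('Suspicious file: {0}  size={1} bytes  attributes={2}' -f $f.FullName, $f.Length, $f.Attributes)
    Write-Warning '  Clear attributes first, then delete:  attrib -r -s -h <file>  &&  del <file>'
}

# 3. Inoculate: create an Autorun.inf FOLDER so a dropper cannot write its autorun.inf file.
$inf = Join-Path $DriveRoot 'Autorun.inf'
if (-not (Test-Path -LiteralPath $inf)) {
    $dir = New-Item -ItemType Directory -Path $inf
    # Read-only + hidden + system makes the folder harder to remove casually.
    $dir.Attributes = [IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Write-Output "Created inoculation folder $inf"
}
elseif (Test-Path -LiteralPath $inf -PathType Container) {
    Write-Output "$inf already exists as a folder - drive is already inoculated"
}
else {
    # A file called autorun.inf in the root is exactly what the worms in this thread drop.
    Write-Warning "$inf is a FILE, not a folder - treat the drive as infected and disinfect before inoculating"
}
```

The script only reports suspicious files rather than deleting them, so you can confirm the names and sizes against what your AV (or VirusTotal, as post #2 suggests) says before using attrib and del as post #3 describes.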