  1. #1
    meastaugh1's Avatar
    Join Date
    Jul 2006
    Location
    London/Hertfordshire
    Posts
    893
    Thank Post
    70
    Thanked 85 Times in 70 Posts
    Rep Power
    33

    USB Flash Disk - autorun.inf - nightmare

    Since staff and students have returned we've had problems where USB flash disks keep creating an autorun.inf which points to recycler, which I guess means that a recycle bin is being created on the removable media. The autorun.inf, or what it's trying to execute, is blocked by the software restriction policy. This makes it pretty awkward for users to access their disks.

    Has anyone seen this, got any suggestions? thanks

  2. #2
    ChrisP's Avatar
    Join Date
    Apr 2007
    Location
    norfolk
    Posts
    150
    Thank Post
    4
    Thanked 8 Times in 8 Posts
    Rep Power
    17

    Re: USB Flash Disk - autorun.inf - nightmare

    it's a trojan, if you get rid of it effectively let me know how.

    http://www.edugeek.net/index.php?nam...wtopic&t=10847
    http://www.edugeek.net/index.php?nam...wtopic&t=10834

    anyone got any good ideas for preventing infection in the first place?

    I have disabled autorun in the registry for all drives, that helps
    on writable server shares I have created a fake recycled folder and an empty autorun.inf and locked them so they can't be overwritten to stop it spreading.
    If you're using Sophos then you will have to add .INF as an extension to be scanned

    PS. this one is a pain in the ARSE

  3. #3
    meastaugh1's Avatar
    Join Date
    Jul 2006
    Location
    London/Hertfordshire
    Posts
    893
    Thank Post
    70
    Thanked 85 Times in 70 Posts
    Rep Power
    33

    Re: USB Flash Disk - autorun.inf - nightmare

    Thanks for the response, I'm not sure if this is the same issue. This is the contents of the autorun.inf that we have appearing:

    [AutoRun]
    Open= .\RECYCLER\INFO
    shell\Open\command= .\RECYCLER\INFO
    shell\open\Default=1
    shell\explore\Command= .\RECYCLER\INFO

    Does this look like a different issue? ta

  4. #4
    ChrisP's Avatar
    Join Date
    Apr 2007
    Location
    norfolk
    Posts
    150
    Thank Post
    4
    Thanked 8 Times in 8 Posts
    Rep Power
    17

    Re: USB Flash Disk - autorun.inf - nightmare

    different virus same attack vector though

    what antivirus are you using?

    make sure autorun is disabled for all drives to stop it spreading, because when it gets on a network share, BLAM, all clients reading that share with autorun enabled will get infected

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:000000ff

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:000000ff


    if it gets on a network share then check who the owner of autorun.inf is and that will lead you to any infected machines

  5. #5
    meastaugh1's Avatar
    Join Date
    Jul 2006
    Location
    London/Hertfordshire
    Posts
    893
    Thank Post
    70
    Thanked 85 Times in 70 Posts
    Rep Power
    33

    Re: USB Flash Disk - autorun.inf - nightmare

    I guess I just assumed it wasn't a virus because there was no mention of a file with a .exe extension, but since it's called by open\command it doesn't need one.

    It sounds most like this one, I'll look into it further next week.

    We're using Symantec AVCE ops: but I'll try the Trend Micro online scanner on some suspect machines. cheers.

  6. #6
    meastaugh1's Avatar
    Join Date
    Jul 2006
    Location
    London/Hertfordshire
    Posts
    893
    Thank Post
    70
    Thanked 85 Times in 70 Posts
    Rep Power
    33

    Re: USB Flash Disk - autorun.inf - nightmare

    It looks like our AV is now cleaning this properly (W32.SillyDC as Symantec classify it). The executable on the computer seems to be c:\windows\system32\RUNDLL64.exe in this instance.

  7. #7

    john's Avatar
    Join Date
    Sep 2005
    Location
    London
    Posts
    10,447
    Thank Post
    1,537
    Thanked 1,069 Times in 934 Posts
    Rep Power
    305

    Re: USB Flash Disk - autorun.inf - nightmare

    I'm having plenty of this with Sophos at present! It's now decided to finally think that Sunflower Multimedia Science is virus riddled, but when I put it back and manually scan it it's clean, but 48hrs later (aka 2 daily scan jobs later) it then decides it's virus riddled again! The virus it's spotting is about 4 months old as well, and it's only just found the blooming thing. I must admit I am getting very fed up with Sophos at present.

  8. #8

    Join Date
    Jun 2006
    Location
    Belfast, N'Ireland
    Posts
    190
    Thank Post
    10
    Thanked 9 Times in 7 Posts
    Rep Power
    19
    I've gotten one of these now

    Got it on my admin machine when I found a lost memory stick in a computer room yesterday and was going to check for an owner. Neither AVG nor Kaspersky seem to be able to find it. I'm re-imaging that machine but that doesn't help the memory stick.

    It seems to put an autorun.exe in the recycler and run it from there but when I look in the folder there is nothing there...

    Anyone know of a removal tool for this one?

    Code:
    [autorun]
    open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
    shell\open\default=1

  9. #9

    Join Date
    Jun 2006
    Location
    Belfast, N'Ireland
    Posts
    190
    Thank Post
    10
    Thanked 9 Times in 7 Posts
    Rep Power
    19
    Update.

    I eventually tracked this down to a fake version of jusched.exe the java VM but in C:\WINDOWS\ instead of Program Files\Java.

    Having terminated that process I'm no longer getting the file replication.

    For security tho since the autorun.exe on memory stick was never visible to the file system I think I'm going to rebuild my admin machine anyway.
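
An added example, not part of any post in the thread: a small Python check that parses the two autorun.inf files posted in #3 and #8 and flags command entries that point into a hidden RECYCLER folder or at a file with no extension. The function names and the two heuristics are assumptions made for this illustration, not a vendor signature.

```python
import ntpath
import re

# Keys whose value Explorer treats as a command line (AutoPlay, double-click, context menu).
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Folders Explorer hides by default; flagging them is an illustrative heuristic (assumption).
HIDDEN_DIR = re.compile(r"(^|[\\/])(recycler|recycled|\$recycle\.bin)([\\/]|$)", re.I)

# autorun.inf contents as posted in #3 and #8 of the thread.
POST_3 = r"""[AutoRun]
Open= .\RECYCLER\INFO
shell\Open\command= .\RECYCLER\INFO
shell\open\Default=1
shell\explore\Command= .\RECYCLER\INFO
"""
POST_8 = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
shell\open\default=1
"""

def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section (names are case-insensitive)."""
    entries, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def findings(text):
    """Return [(key, target, reasons)] for command entries that deserve a second look."""
    out = []
    for key, value in parse_autorun(text).items():
        if not COMMAND_KEY.match(key):
            continue
        target, reasons = value.strip('"'), []
        if HIDDEN_DIR.search(target):
            reasons.append("target is inside a hidden recycle-bin folder")
        if not ntpath.splitext(target)[1]:
            reasons.append("target has no file extension")
        if reasons:
            out.append((key, target, reasons))
    return out
```

Calling `findings()` on the text of an autorun.inf read from a removable drive or share root returns an empty list when no command entry matches either heuristic.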


