Virus Issues

USB Virus 

Prevention

  • We expect Symantec will soon provide anti-virus definitions for client machines.
  • An Active Directory GPO is being created to prevent the virus from activating.

Computer Infection Identification

A computer infected with this virus will exhibit the following symptoms:

Windows 7

  • The following registry key/value will be present:

Key:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Value:  REG_SZ: "Adobe Reader Speed Launcher" = "C:\Users\<username>\AppData\<random_filename>.exe"

  • A process running in the context of the logged-on user will be present. It will have whatever name appears in the above registry value. Use Task Manager to determine its PID; you may have to add the PID column in Task Manager via the View -> Select Columns menu.
  • A network connection from the above PID will show outbound traffic to an IP address on port 6739. This can be determined by running the following from a command shell:

netstat -no

Example output:

Proto Local Address Foreign Address State PID

TCP 172.16.61.128:49546 91.211.117.55:6739 ESTABLISHED 1184

  • The virus will be present on the file system in the location from the registry value. For example: C:\Users\<username>\AppData\<random_filename>.exe

Windows XP

  • On Windows XP the virus injects itself into explorer.exe and hides the registry entry, the process in Task Manager, and the file on the file system. You can see these artifacts from safe mode, but not from normal mode.

USB Drive Identification

A USB drive infected with this virus will exhibit the following symptoms:

  • An autorun.inf file will be present in the root of the drive. Sample contents of this file (the lines beginning with ';' are comments padded with junk to obscure the real directives):

;??Ėy?z??????fz?ҝՇ?ko?
;r?~?f?khyj???ǜ?z?n?c????˱z?˴??n??????q????o?d??????͓???e?i???k??~?l????d????b??tѱyw?}??Ƌ|lk|ӄҎ????}ne?ӊ?˻?Ϸ?b|????˕léru?Ӌgsp{ш?ѿ?ъp??f{??Ϟ????~??n?????˾s?????|כ???????װ???f??e??v?m??f?~~????????ؑӵ??~?˃???ry?t?????Τ??????Ğ??n?v??????՚֑}??Ȕ?ӝe?~????????????uc?t?~?
;??g???j?a???p?Ғ????q???ԛn?{?f??ϊӮ??j|?؅bqœ?j?m?ńe?t~?ث??t??????v?Ǚ???
;??̜?ҿ??h~?Ű?ѓ????r?Ƴ?|Ӄ??h?҅?p?ep?????????k?~????p????͕p??՞??oľ?}î?ku???u???n?֪?e???p??z??ķaj??ŕ????k???y??????bf??Ҍ????m?p?}??ũ??Lj?́????z???bg׶??????w?????ɵ??f???|??shp??̇?|qb???~o?z?q?????̩|??r{uu??g?mx?????q??h???
;??n???dxʔ?m?Ƞ??Οr?Ҙþ????У?e׽{??n?j?oĊa??|??????w?y?k????du???o??֘?c֣?Ǣz???ӛÈ?m?k?yɔ???s

Filtering out the comment lines reveals the actual directives:

[autorun]
action=Open folder to view files
icon=shell32.dll,4
open=AdobeReader\DSCI5271.jpg
shell\Explore=Explore
shell\Explore\command=AdobeReader\DSCI5271.jpg
shell=Explore
UseAutoPlay=1

  • The following folder and file will be present. The file, despite its .jpg name, is the virus that autorun.inf launches:

AdobeReader\DSCI5271.jpg

Note: the filename may be different.

  • All top-level folders on the drive will have the hidden and system attributes set. This can be revealed if Explorer is set to view hidden and system files.
  • Shortcut (.lnk) files bearing the top-level folder names will appear in place of the now-hidden folders. Opening one of these shortcuts executes the virus while the user thinks they are opening their folder.
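The Windows 7 host checks and the USB drive checks above, gathered into an added PowerShell triage script (this is an added example, not code from the original page or from the USB Clean tool mentioned below). It assumes PowerShell 2.0 or later run as the logged-on user, takes the value name, port and paths from this page, and only reports findings; it deletes nothing.

```powershell
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Adobe Reader Speed Launcher'   # value name listed on this page
$C2Port    = 6739                             # port seen in the page's netstat output
function Test-HostIndicators {
    # 1. Persistence: the Run value pointing at an .exe under the user's AppData.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    $exe = $null
    if ($run -and $run.PSObject.Properties[$ValueName]) {
        $exe = ($run.$ValueName).Trim('"')
        Write-Output "FOUND Run value '$ValueName' = $exe"
    }
    # 2. Process: a running image whose path matches that value.
    if ($exe) {
        Get-Process | Where-Object { $_.Path -and $_.Path -ieq $exe } |
            ForEach-Object { Write-Output "FOUND process PID $($_.Id) running $($_.Path)" }
    }
    # 3. Network: established TCP connections to the remote port, parsed from netstat -no.
    $re = '^\s*TCP\s+\S+\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)\s*$'
    foreach ($line in (netstat -no)) {
        if ($line -match $re -and [int]$Matches[2] -eq $C2Port) {
            Write-Output "FOUND PID $($Matches[3]) connected to $($Matches[1]):$($Matches[2])"
        }
    }
    # 4. File system: the named .exe plus any sibling .exe of identical size (renamed copies).
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $size = (Get-Item -LiteralPath $exe -Force).Length
        Get-ChildItem -Path (Split-Path $exe -Parent) -Filter *.exe -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq $size } |
            ForEach-Object { Write-Output "FOUND file $($_.FullName) ($size bytes)" }
    }
}
function Test-UsbDrive([string]$Root) {
    # autorun.inf: print only the real directives, dropping the ';' junk comment lines.
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Output "FOUND $inf, directives:"
        Get-Content -LiteralPath $inf | Where-Object { $_ -notmatch '^\s*;' -and $_.Trim() }
    }
    # Hidden+system top-level folders shadowed by a same-named .lnk shortcut.
    $items = Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue
    foreach ($d in ($items | Where-Object { $_.PSIsContainer })) {
        $attr = $d.Attributes.ToString()
        $lnk  = $items | Where-Object { -not $_.PSIsContainer -and $_.Name -ieq ($d.Name + '.lnk') }
        if ($attr -match 'Hidden' -and $attr -match 'System' -and $lnk) {
            Write-Output "FOUND hidden/system folder '$($d.Name)' shadowed by $($lnk.Name)"
        }
    }
}
Test-HostIndicators
# Test-UsbDrive 'E:\'   # run against the suspected drive letter ('E:\' is an assumed example)
```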

Removal From Computer

Windows 7

  • Open regedit and remove the following key/value:

Key:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Value:  REG_SZ: "Adobe Reader Speed Launcher" = "C:\Users\<username>\AppData\<random_filename>.exe"

  • Remove the file named in the value from the file system. There may be additional copies of the virus in %APPDATA%: .exe files with different names but the same size. Delete those too.

Windows XP

Perform the same procedure as for Windows 7, but from safe mode.

Removal From a USB Device

  • Delete autorun.inf.
  • Delete the AdobeReader directory.
  • Delete all .lnk files.
  • Remove the hidden and system attributes from the top-level folders. This can be done in Explorer (after setting it to show hidden and system files from the View menu).


NOTE: Cornell IT Security has developed a batch file to help clean USB drives affected by this particular issue and has allowed us to use the program as well: USB Clean