04 May 2007
A new family of worms is spreading by copying itself on to removable drives such as USB memory sticks, according to vendor Sophos.
The worms then automatically install themselves when a USB stick is next connected to a computer.
'With USB keys becoming so cheap they are increasingly being given away at tradeshows and in direct mailshots,' said Graham Cluley, senior technology consultant for Sophos.
'With a significant rise in financially motivated malware a USB stick could be an obvious backdoor into a company for criminals bent on targeting a specific business with their malicious code.'
The SillyFD-AA worm hunts for removable drives such as floppy disks and USB memory sticks, and then creates a hidden file called autorun.inf to ensure a copy of the worm is run the next time it is plugged into a Windows PC.
As more and more businesses now have strong defences in place to protect against email-aware viruses and malware, hackers are increasingly looking for other less well defended routes, including USB keys, to infect innocent users.
Cluley advises users to disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC.
Or you could use a condom for your USB :) :)... Well don't take this as a stupid comment. The same principle seems to have been used to create a peripheral device that will fit in between your USB and computer that can prevent any virus infection from the USB...
http://www.skipser.toolsbysk.com/p/96/p/general/usb-condoms-to-protect-pcs-from-virus-infections.html
Posted by: Mark 14 Mar 2011
Guys, I do a kind of informal IT support where I work. You do not imagine the amount of these USB worms I have been fighting with. Their modus operandi is somehow simple after you get to know it.
First, for those trying to eliminate it without success, it is because the worm is loaded in memory. If you do not have the nastiest of them (W32/Sohana.W => SSVCIHOSST.EXE), which disables Task Manager, tap Ctrl+Alt+Del, go to the TM and look for the likes of antihost.exe, ahr.exe, antimgmt.exe. Stop those processes. Then go to C:\Windows\System32, look for them and delete those same files.
Beware, they have a hidden attribute. Have Windows Explorer show hidden/system files and extensions.
Some of them disable setting the folder options though. Google for:
Ravmon, Brontok, Sohana and you will get info in how to deal with them.
Very Important! Disable your System Restore, or they will keep on replicating.
Go in C:\ and search for a hidden autorun.inf. Rename it autorun.txt, and open it in Notepad. Check which process the autoplay is activating; sometimes it is \recycled\deskinf.pif, sometimes it is \antihost.exe, so remember to clean also your recycle Bin.
There is a Ravmon Removal Tool available in various sites. It is free and effective.
Now, back to W32/Sohana.W, the worst of them by far.
Sohana will disable Task Manager and editing of the Registry. It will also disable Folder Options, and on top of that it will create a "New Folder.exe" replication of its ssvcihosst.exe for every folder you have on your USB Flash Disk or External HD. The problem is, those files get a folder-like yellow icon, so if you have left checked the incredibly stupid Microsoft default option "Hide extensions for known files" you will be led to think those infected files are folders instead.
AVG has been doing a nice job on catching those viruses on the fly, but so far it cannot detect SSVCIHOSST.EXE, neither can it - of course - fix the damages done in the Registry.
Also, once Sohana is there, it will f... your kernel so that AVG will not even install.
You need the free Regseeker to go inside the Registry and delete the disabling instructions, and you will need the free Killbox to kill the processes if you can't reach the Task Manager.
Posted by: Bug Killer 01 Oct 2007
In my previous post I quoted it as SSVCIHOSST.EXE, but a number of its variants may be found; one of them is SSCVIHOST.EXE.
Look for those files and delete them:
C:\Windows\SSCVIHOST.exe
C:\Windows\System32\SSCVIHOST.exe
C:\Windows\System32\blastclnnn.exe
C:\Windows\System32\autorun.ini
C:\Windows\System32\setting.ini
C:\Windows\Tasks\At1.job
Of course, in order to delete them, you must first kill the process SSCVIHOST.EXE in memory, but at this stage you will not be able to access the Task Manager.
Download and Run (no installation required)
http://killbox.net/downloads/KillBox.exe
Kill the process (remove from RAM) SSCVIHOST.EXE (since you are there, if you see AHR.EXE, kill it too).
* Note that not even in Safe Mode you can avoid SSCVIHOST.EXE taking control of your machine.
* Remember also to disable System restore before you start.
Now you will need Regseeker. Download it from here:
http://www.snapfiles.com/get/regseeker.html
Install it, it is quick and simple. Run it (and it does backups of Registry changes for each operation it does).
Search for the following entries and delete them:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Yahoo Messengger = C:\System32\SSCVIHOST.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = Explorer.exe SSCVIHOST.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NofolderOptions = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
    shared = \New Folder.exe
Now, reboot your system.
* Remember to clean ALL your storage media: flash cards, pen drives, USB HDs, iPods, etc. If your PC was infected BE SURE whatever media you connected to it is also infected and will reinfect it as soon as you connect them.
Always have Windows Explorer show hidden/system files, and delete the "autorun.inf"s you find on your media. (Remember you can check what is inside by renaming them "autorun.txt".)
Good Luck!
Posted by: Bug Killer 01 Oct 2007
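The comments above advise renaming a suspect autorun.inf to autorun.txt and reading which program AutoPlay would start. The following is an added example, not code from the article or from any of the commenters: a small Python parser that pulls every launch target (open=, shellexecute= and shell\<verb>\command=) out of an autorun.inf and flags the two patterns the commenters describe, a program under a recycled/RECYCLER folder and a .pif-style executable. The sample autorun.inf is constructed for the example and is not a real capture.

```python
import re

# Constructed sample modelled on the launch targets named in the comments above
# (\recycled\deskinf.pif, \antihost.exe); not a real capture.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=antihost.exe
shellexecute=\recycled\deskinf.pif
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=antihost.exe /s
shell=open
"""

# Matches a "recycled" / "RECYCLER" path component, as used by the variants above.
RECYCLER_DIR = re.compile(r"(^|[\\/])recycle[dr]([\\/]|$)", re.I)
# Executable types other than .exe that Windows will still run from autorun.inf.
NON_EXE_TYPES = {"pif", "scr", "bat", "cmd", "com"}

def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    r"""Every command AutoPlay could run: open=, shellexecute= and shell\<verb>\command=."""
    return [(k, v) for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]

def assess(text):
    """Return (key, target, reasons) per launch target; reasons is empty when nothing stands out."""
    findings = []
    for key, target in launch_targets(parse_autorun(text)):
        prog = target.split()[0].strip('"') if target.split() else ""   # program without arguments
        reasons = []
        if RECYCLER_DIR.search(prog):
            reasons.append("runs from a recycle-bin folder")
        ext = prog.rsplit(".", 1)[-1].lower() if "." in prog else ""
        if ext in NON_EXE_TYPES:
            reasons.append("non-.exe executable type ." + ext)
        findings.append((key, target, reasons))
    return findings
```

Any launch target at all on a removable drive is worth a look; the reasons list only highlights the patterns this thread mentions.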
I got the virus from plugging my USB stick into someone's computer. I tried to format my USB stick. It cannot get rid of "autorun.inf". And I tried antivirus too. avg.anti-virus can only recognize "auto.exe", which is generated by "autorun.inf". It comes back in no time.
When I have this virus, sometimes the "show hidden file and folder" option is dysfunctional, so I cannot see the virus.
Can any expert suggest to me how to get rid of this virus from my USB stick and mp3 player? Thanks ahead
Posted by: Linda Liu 16 Aug 2007
I bought my Kingston 2GB USB memory stick a month ago, and recently I started to have problems after connecting it to my laptop.
EVERY computer (except my laptop) finds out that I have the Trojan Horse virus exactly in autorun.inf or E:RECYCLER/RECYCLER, but I can not delete it. Formatting the USB has no effect. I can still copy and save information in my USB, but some files are randomly damaged.
How can I solve this problem?
Posted by: Huitzil 26 Jun 2007