Wednesday, December 02, 2009

Important Alert: USB devices can easily transfer viruses!

Today I'm going to use my blog to help push a message that I think is important. Even though this post is long and techy and only a fraction of you will want to read beyond this sentence, I still think it's worth reading - especially if you are running Windows XP and haven't updated your virus protection software recently.

Over the last few weeks Virus Stompers has been very busy. This is a good thing in that people are finding us and using our services. And for that we thank you. But unfortunately these people are needing our help because there is a very nasty virus circulating right now that is highly infectious, and I thought it might help if I shared what it's about.

Basically, there is a set of Trojan files that are able to embed themselves onto your hard drive, which have the ability to very quickly transfer themselves over to an external USB device such as a thumb drive, SD card or external hard drive. These files are:

trojan.dropper
trojan.fakealert
trojan.agent

And not only will they write to your thumb drive, but they will also write themselves back to any computer you plug it into - instantly! I've experienced this myself. Here's what happened...

The other day a local customer called because his computer had lost the ability to run anything. Because he was unable to access the internet he brought his tower over to our office. Normally in this situation, we will boot the computer up in safe mode, install our virus clean-up programs and fix the problem. But in his case, the virus had worked its way down into his operating system and we weren't able to even run the computer. So, I took the next step, which is to remove the hard drive and scan it from one of our shop PCs instead using special USB cables.

In this case the virus was so new that my own PC's software wasn't even aware of it and it wrote itself onto my hard drive as well, totally unbeknownst to me.

Fast forward to later, after we had finished cleaning up his hard drive and put it back into his tower. I needed to put a file onto his PC so I used my thumb drive to copy it from my (now infected) PC back over to the customer's freshly-cleaned PC - which I had yet to update with the latest virus protection. BAM!!! Within 2 seconds the virus was transferred right back onto his PC and I had to do the whole cleanup all over again.

D'oh!

So here's the takeaway lesson for all of you...

If you are running Windows XP (Home Edition or Professional), your PC is set by default to automatically run anything that is plugged into the USB port. Plus, most thumb drives also have a file (that is hidden) called autorun.inf that will automatically run when you plug it in as well. This is why you always see that box open up that shows you all the contents of your thumb drive so you can select which things you want to open. However, the functionality that shows you that box is the same functionality that runs the virus. What happens is the virus writes itself to the thumb drive's autorun.inf program and is programmed to transfer itself to whatever host it is plugged into.

So what should you do?

Delete the autorun.inf file from your thumb drive. You won't be able to see it until you check the "Show hidden files and folders" radio button in Windows Explorer under the Tools, Folder Options, View tab. Deleting this file will prevent your thumb drive from opening automatically when you plug it in.

If you don't want to delete the autorun.inf file from your thumb drive, you should at least use this method of opening your USB devices instead:
Hit the WINKEY+E (hold down the key with the Windows symbol on it and press the "E" key at the same time) to open Windows explorer. Then click on the USB drive from the left hand file tree as opposed to just double-clicking it from the list of drives on the right side panel.
Doing it this way will not run the autorun.inf program (including any viruses resident within it), but will directly display the contents of the drive instead. From there you can open the files you need without the risk of executing the autorun.inf virus.

Turn off the Autorun feature from your PC. Unfortunately, there is not a simple button to check in Windows XP to do this. But fortunately, I've written the instructions here just for you (see Recommendation 1 under Other Recommendations).

Make sure your antivirus software is running, and most importantly - UP TO DATE!

After you have turned off your autorun feature and updated your antivirus software, scan all your external USB devices.

I know this all seems boring and complicated, but this virus is very destructive. In fact, if left untreated it will destroy your operating system to the point that your only option is to reformat your computer and reinstall Windows, which we had to do for one customer just last week. So if this post keeps even one of you from having to go through that, then it was worth it. And as always, please feel free to ask us any questions you have about your PC or viruses in general.

Also, if you want to see our Facebook "tips of the week" that highlight the latest threats and contain helpful tidbits such as this, you should befriend Virus Stompers here. In the meantime... stay clean!

9 comments:

Secure USB said...

Using a Secure USB Drive can help you to stop this virus transfer

Jeff said...

Secure USB - Nice. Feel free to send me a few and I'll be happy to review it and hold a contest for my readers for a free giveaway. You can find my email address in my sidebar.

Kathy said...

This is excellent advice. Slightly annoying if you're used to the choice window coming up. But we just instituted this where I work because too many people were sharing their infections when they shared their thumb drives. Problem solved.

Ed said...

Though I appreciate the heads up I can only say that I am glad I know how to reach you should this ever happen to me. I can assure you that I would be unable to help myself.

carlae said...

That is awesome advice....and you didn't charge us. thanks.

Jeff said...

kathy - Yikes! I can see how this could become a major problem VERY quickly for a large network like yours.

ed - You know where to find us!

carla - You're welcome. Glad we could help!

Michelle said...

And yep, that's (unfortunately) the reason they disabled the ability to run any external drives on our work computers -- irritating for those of us who actually need to transfer large quantities of files, but ... I get it. Glad to know it wasn't too damaging for you (and that you're busy)!

Babs-beetle said...

Though I am not complacent about it, I am so thankful to be running Macs, for this very reason. I've only recently installed anti virus software, after about five years without any. I thought it wise to be armed just in case ;)

Jeff said...

michelle - Hmmm, unfortunate they had to restrict all external drives completely. This method is safer but still not entirely foolproof if your external drive is infected and you open it the wrong way.

babs - I think it's good you installed the software. The idea that Macs don't (or can't) get viruses is a myth. They are not immune to them any more than a PC is. It's just that people haven't focused on hacking the Mac OS because it's way easier to write a virus for Windows. But it's coming, and antivirus software will eventually be needed for Macs too.