Virus attack on a USB Flash Drive

A report on a recent Virus attack, and how to spot similar attacks on your own USB Flash Drive.

As mentioned in my previous Blog, my trusty 2GB SanDisk Cruzer has been subjected to countless virus attacks, so it never pays to let one's guard down when using it in an unknown computer. After writing the last Blog, I knew that it wouldn't be long before I was subjected to another attack, and this turned out to be exactly the case just recently, so I thought I would add an update Blog in the hope that others will learn from my observations.

I am currently staying in Kovalam, in the beautiful state of Kerala, south India, and generally visit an internet cafe every 2 or 3 days. Most of the internet cafes have Anti Virus software installed, but is it up to date, or even working at all? I visited one internet cafe which shall remain nameless, and requested a computer with USB facilities as I needed to save some files on to my USB Flash Drive. The computer was running Windows XP, and had AVG Anti Virus installed, but the moment I plugged in my USB Flash Drive, I knew there was trouble in store...

1/ My USB Flash Drive has a light on the end, which flashes when file-access is taking place. Normally, when it is plugged in, the light might flash once or twice, then stay steady. This time, it kept on flashing for about 15 seconds, indicating a lot of unusual activity was taking place.

2/ When a new device is discovered by Windows 'Plug and Play' software, a message appears on the task bar letting you know that your device has been recognised, and then telling you that it has been installed and is ready for use. What should NOT happen is a message saying that in order for the device to work properly, you will now need to restart your computer. If you see such a message, it indicates that the virus needs to get the autorun.inf file to execute, and that when restarting your computer, this is what will happen. Ignore the message, then, and DON'T restart your computer.

3/ To access the files on my USB Flash Drive, I needed some way of seeing what was there. There are no shortcuts on the desktop to the programs and folders on my USB Flash Drive, so I need to use the standard 'Windows Explorer' or 'My Computer' programs. I thus started the Windows Explorer program, and clicked straight away on 'Tools >> Folder Options >> View' to make sure extensions and files were not being hidden. It came as no surprise, then, to find that there was no Folder Options available at all!! Something was hiding that facility, and without it, I had no way of telling what was happening on my drive. I therefore pulled the USB Flash Drive out of the computer, and told the manager about the virus on his machine. "But Sir, that computer has AVG installed!", he complained. I suggested that he might do a full system scan, and took my business elsewhere.

3 Virus Threats Found

4/ I went straightaway to another internet cafe that I knew in advance had Avast antivirus installed. Plugging in my USB Flash Drive to the new computer, I quickly cancelled the Autorun window when it popped up, just in case the virus tried to run itself, but I needn't have worried, as the anti-virus software got there first, and quickly discovered 3 viruses in the root folder, including the Autorun.inf file that the virus was hoping the system would automatically execute. I took some screen shots whilst all this was going on, so that I could show my readers what to expect.

Tiles-View of Viruses

Notice these 4 folders when viewed in Windows Explorer's 'Tiles-View', the standard on many people's computers. Do they look like viruses to you? Would you click on them to see what is inside? Doing that would start the dormant virus, and cause all kinds of havoc on your computer.

Details-View of Viruses with Extensions Hidden

I've now changed to Windows Explorer's 'Details-View', which is my preferred method of viewing a folder's contents. The folders still look like all my other folders, but two things are different, though. I had clicked on the 'Type' column header in Windows Explorer, to sort the page by 'Types of files', and these 4 folders are no longer with the other folders, but are mixed in with the programs - an instant warning. The other clue that all is not correct is shown on the right of the image - a normal folder has 'Type' set to 'File Folder', not 'Application'. File Folders don't normally show their size, either!

Details-View of Viruses with Extensions Shown

Turning on the 'Extensions' view in Windows Explorer's 'Tools >> Folder Options >> View' now shows them for what they really are: 4 other executable programs. After taking these screen shots, I let the computer's anti-virus software delete them for me.

avast! On-Access Scanner Message

Back to my hotel, and time to scan my USB Flash Drive properly. I used Avast Anti virus to do a full scan, and it discovered and deleted 67 other new viruses - yes, that's right: SIXTY SEVEN other viruses, not counting the seven already dealt with!! - on the drive, all of which were the Win32:Sohanad-DD [Worm] type. All of these viruses had created an imitation folder within an existing one, so I make no excuse for warning you, my readers, again to NEVER store a program in a folder that has the same name as the program, or a virus will over-write it. If, for example, you have downloaded a program called 'Neatprog.exe', you should NEVER store it in a folder called 'Neatprog'. My suggestion is to rename the program with its version number - something like 'Neatprog_v2.1.5.exe'. If you then open the 'Neatprog' folder and find a file called 'Neatprog.exe' in it, you should quickly scan the program with your anti-virus software. Don't forget: you can rename any program and it will still run correctly as long as the suffix - the '.exe' bit - is left alone.
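The two file-system clues described in this post (an autorun.inf in the root folder, and a program sitting in a folder of the same name) can be checked with a short script. This is an added example, not part of the original post; the function names, the extra extensions beyond '.exe' and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumption: file types Windows runs directly; the post itself only names .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def scan_drive(root):
    """Return sorted (reason, relative_path) findings for a mounted flash drive."""
    root = Path(root)
    findings = []
    # Check 1: an autorun.inf in the drive's root folder (names are case-insensitive).
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            findings.append(("autorun-in-root", entry.name))
    # Check 2: a program stored in a folder of the same name, e.g. Neatprog/Neatprog.exe.
    for dirpath, _dirs, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder == root:
            continue
        for name in filenames:
            candidate = Path(name)
            if (candidate.suffix.lower() in EXECUTABLE_EXTS
                    and candidate.stem.lower() == folder.name.lower()):
                rel = (folder / name).relative_to(root).as_posix()
                findings.append(("exe-named-like-folder", rel))
    return sorted(findings)


def build_sample_drive(root):
    """Create a constructed directory tree with empty placeholder files."""
    root = Path(root)
    for rel in ("Autorun.inf", "Photos/Photos.exe", "Photos/beach.jpg",
                "Neatprog/Neatprog_v2.1.5.exe", "Docs/notes.txt"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


def demo():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return scan_drive(tmp)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason}: {path}")
```

A hit from either check is only a prompt to scan the file with anti-virus software; the version-renamed 'Neatprog_v2.1.5.exe' is deliberately not flagged.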

If you have any more tips on using USB Flash Drives that you would like to share, or other comments about this page generally, please contact me: the email address is on the Contact page.

About this Entry

This page contains a single entry by Tim Makins published on October 21, 2009 2:59 PM.