07 August 2009

ASP.NET and AUTORUN.INF et al trojan

I'm sure by now most people have experienced one form of this BackDoor trojan or another. There's a very simple way to remove it, but in my mind it's simple because it's using DOS - others may not find it as useful or as helpful.

The first telltale signs of a trojan-infected USB drive is when you try to open the drive using MS Windows - if you double-click, it won't actually open, but rather prompt you to select an application to OPEN WITH.

To fix this problem is quite straightforward, and here's the concept:
  1. The USB drive has had an AUTORUN trojan infiltrate it, so it won't allow you to open it normally.
  2. The trojan is hidden, sometimes read-only, and sometimes marked as a system file.
  3. The trojan can take many forms, but will usually replicate itself on the drive and if it's the AUTORUN.INF variant, you can see that it will be hidden somewhere else, and activated by the AUTORUN.INF.
  4. You will need to unhide, unread, unsystem the file attributes, and then delete the file. Remove the USB flashdrive, and reinsert. That should be Robert being your uncle.

Here are the steps, in more detail (click here for the screenshot document):
  1. First discover that you have the trojan (either an antivirus will pick it up, or you will experience difficulty when you try to explore the flashdrive)

  2. Then open up a COMMAND window (start-->RUN-->CMD)

  3. Type (flashdrive letter): where (flashdrive letter) is replaced by the letter of your flashdrive (so if it's E: then type "E:" without the ""'s).

  4. Look for any hidden files on the flashdrive ("dir /ah" without the ""'s)
    dir /ah
    If you find too many files listed, then try dir /ah /p

  5. After spotting any hidden files, look for ones that look like ASP.NET or AUTORUN.INF or some funny *.COM files, etc.

  6. Find out those files' attributes (attrib xxx.yyy; e.g. attrib asp.net)
    attrib autorun.inf
    attrib asp.net
    attrib d.com


  7. Next, remove the attributes that are present (e.g. if it reports HR E:\asp.net then you would say attrib -h -r asp.net)
    attrib -h -r autorun.inf
    attrib -h -r asp.net

    attrib -h -r d.com

  8. Then delete the file
    del autorun.inf
    del asp.net
    del d.com

  9. Verify there are no more such files on the flashdrive by searching recursively for hidden files (e.g. dir /ah /s /o /p) and repeat the above.
    dir /ah /s /o /p
    (You should still see some hidden files, but look out for AUTORUN.INF, ASP.NET, D.COM, 6PHX.COM, etc.)

Once done, remove the flashdrive (pull it out), then reinsert. Job should be done!

No comments: