The first telltale sign of a trojan-infected USB drive appears when you try to open the drive in MS Windows: if you double-click it, it won't actually open, but will instead prompt you to select an application to OPEN WITH.
Fixing this problem is quite straightforward, and here's the concept:
- The USB drive has had an AUTORUN trojan infiltrate it, so it won't allow you to open it normally.
- The trojan is hidden, sometimes read-only, and sometimes marked as a system file.
- The trojan can take many forms, but it will usually replicate itself on the drive; if it's the AUTORUN.INF variant, the trojan itself is hidden somewhere else on the drive and is activated by AUTORUN.INF.
- You will need to remove the hidden, read-only and system attributes from the file, and then delete it. Remove the USB flashdrive and reinsert it. That should be Robert being your uncle.
Here are the steps, in more detail:
- First discover that you have the trojan (either an antivirus will pick it up, or you will experience difficulty when you try to explore the flashdrive).
- Then open up a COMMAND window (start-->RUN-->CMD).
- Type (flashdrive letter): where (flashdrive letter) is replaced by the letter of your flashdrive (so if it's E: then type "E:" without the quotes).
  E:
- Look for any hidden files on the flashdrive ("dir /ah" without the quotes).
  dir /ah
  If you find too many files listed, then try dir /ah /p
- After spotting any hidden files, look for ones that look like ASP.NET or AUTORUN.INF or some funny *.COM files, etc.
  autorun.inf
  asp.net
  d.com
  6phx.com
- Find out those files' attributes (attrib xxx.yyy; e.g. attrib asp.net).
  attrib autorun.inf
  attrib asp.net
  attrib d.com
  etc.
- Next, remove the attributes that are present (e.g. if it reports HR E:\asp.net then you would say attrib -h -r asp.net).
  attrib -h -r autorun.inf
  attrib -h -r asp.net
  attrib -h -r d.com
  etc.
- Then delete the file.
  del autorun.inf
  del asp.net
  del d.com
  etc.
- Verify there are no more such files on the flashdrive by searching recursively for hidden files (e.g. dir /ah /s /o /p) and repeat the above.
  dir /ah /s /o /p
  (You should still see some hidden files, but look out for AUTORUN.INF, ASP.NET, D.COM, 6PHX.COM, etc.)
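
An added example, not part of the original post: a small Python script that reads the drive's AUTORUN.INF, lists the files it tells Windows to launch, and prints the matching attrib and del lines from the steps above. The function names, the sample file contents and the extra -s switch are assumptions of this example.

```python
import re
import sys

# [autorun] keys whose value is a command Windows may launch from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample with junk lines mixed in; not taken from a real drive.
SAMPLE = r"""
;xkq92 junk padding
[AutoRun]
open=d.com
shell\open\Command=d.com
shell\explore\command=.\6phx.com /e
icon=%SystemRoot%\system32\shell32.dll,4
jhsd7 more junk without an equals sign
shellexecute=asp.net
"""

def launch_targets(autorun_text):
    """Return the files an autorun.inf tells Windows to run, in order seen."""
    targets, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue                      # comment, junk, or another section
        key, value = (part.strip() for part in line.split("=", 1))
        first = re.match(r'"([^"]+)"|(\S+)', value)   # command without arguments
        if not LAUNCH_KEY.match(key) or not first:
            continue                      # icon=, label=, action=, empty value
        name = re.sub(r"^(\.?[\\/])+", "", first.group(1) or first.group(2)).lower()
        if name not in targets:
            targets.append(name)
    return targets

def cleanup_commands(targets):
    """Build the attrib/del lines from the steps above for each target."""
    cmds = []
    for name in list(targets) + ["autorun.inf"]:
        # -s is added here (assumption) because the file may be marked system.
        cmds += [f'attrib -h -r -s "{name}"', f'del "{name}"']
    return cmds

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(cleanup_commands(launch_targets(text))))
```

Run it with the path to the drive's AUTORUN.INF as the only argument; with no argument it uses the constructed sample.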