
Virus or Portableapps?

Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
Virus or Portableapps?

There is this particular cyber cafe whose PCs are infected. When the portable USB device is plugged in, portableapps.com reports that something has installed an autorun.inf.

The USB device has got 3 partitions. Portableapps is installed on the last, while the virus installs itself on the first. Its autorun.inf has some shell commands and also tries to open an exe which it has also installed in the root; trying to delete it only works for a minute, then it's back. And the AVG on the PC also alerts about it as a worm.

Is there something opposite of sandboxie that will shut out installations instead of keeping them in?

Ed_P
Offline
Last seen: 5 years 6 months ago
Joined: 2007-02-19 09:09
I wouldn't worry about it too much

Autorun.inf is disabled in all current versions of Windows. XP sp2 and up. So unless you manually invoke the exe nothing should happen. And since Windows can't see the 3rd partition your PortableApps are safe.

Too bad the AVG on the pc doesn't clean the pc.

Ed

Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
Still don't know what caused

Still don't know what caused autorun.inf programs on the portable. It went on for some weeks. And the antivirus on the system alerted about it. So does the system antivirus scan the portable?

What if the system antivirus is configured to erase files on the portable? How can data on the portable be protected against that?

Ed_P
Offline
Last seen: 5 years 6 months ago
Joined: 2007-02-19 09:09
If you post the autorun.inf

If you post the autorun.inf here maybe we can help determine what created it.

As for protecting data on the portable from being deleted by AV: unless the portable has a switch that makes it read only, you can't stop the AV. Backups help. A copy of the autorun.inf named autorun.bak would work, for example.

Ed

Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
The autorun.inf had binary

The autorun.inf had binary content, and deleting the file succeeded on all partitions now, maybe because I'm not using those machines with the infected OS anymore, because before it took only 15 secs before the files were recreated.

So this means that a virus targeting portables can erase and create freely?

What if folders are in Sandboxie? Maybe changes are only virtual?

Ed_P
Offline
Last seen: 5 years 6 months ago
Joined: 2007-02-19 09:09
Not binary, text

Autorun.inf files are TEXT files, they can be opened with NotePad. For example:

[autorun]
icon=Autorun\autorun.ico
label=Ed's USB drive
ACTION=Launch the USB workspace

and

[autorun]
open=Programs\nu2menu\nu2menu.exe

Ed

Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
Yeah, first they were text

Yeah, first they were text files with shell commands to open up some other executable. And portableapps reported that autorun.inf had been changed.

And I deleted those several times.

Then later portableapps reported the same thing again on startup. I thought there weren't any left, but now they were hidden. I hadn't used the portableapps startup menu for some time then, because I thought maybe that was the virus, and after a bad experience with 'eject USB', plus in some cyber cafés the small icons were disabled so it couldn't pop up anyway, I'd rather not. But there were some updates, so I started it.

And these hidden autorun.inf had binary content.

Now they're deleted, and no alerts since...

Ed_P
Offline
Last seen: 5 years 6 months ago
Joined: 2007-02-19 09:09
Normally Hidden

autorun.inf files are normally Hidden, but they work whether Hidden or not.

Glad you've gotten them under control.

Ed

Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
Just got virus again in

Just got virus again in another shop with public PCs. The autorun.inf contains this:

[AutoRun]
Open=SysAnti.exe
Shell\Open=打开(&O)
Shell\Open\Command=SysAnti.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=SysAnti.exe

And there's also an executable file called SysAnti.exe (50.8 KB).

https://docs.google.com/file/d/0B2zq1htyW866YU90cTNwWHZHYzA/edit?usp=sha...
https://docs.google.com/file/d/0B2zq1htyW866X1Boa3JtUXBLMXM/edit?usp=sha...

I guess there is no portable security that prevents file access.

Ed_P
Offline
Last seen: 5 years 6 months ago
Joined: 2007-02-19 09:09
Right

The worm is on the public PC and infects removable drives as soon as they are inserted, and thus before any portable security app is active.

This link describes ways to remove it from the pc. http://blog.teesupport.com/fast-and-effective-way-to-delete-sysanti-exe-...

As for protecting your USB drive try this approach.

1. Create a new, clean, autorun.inf
You can keep all the same entries as the virus one just remove their values. Or replace their values with fake ones.
2. Set the autorun.inf as Read Only.
3. Copy forfiles.exe to the USB drive.
4. Rename the copied forfiles.exe to SysAnti.exe and make it Read Only.

If the worm thinks it has already infected the USB drive it may leave it alone. And if not, it may not be able to replace the files if they are Read Only.

It's not a sophisticated approach, but it may work for this. The worm can't be too sophisticated if it thinks autorun.infs are still effective. And if the worm recreates the autorun.inf but leaves the renamed file, you are still safe. I chose the file I did to be renamed since it is close in size to the SysAnti.exe file. You may choose a different one.

And make sure your personal, work and school pcs have security apps that prevent this from spreading to those systems.

hth

Ed
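The two steps discussed in this thread (reading an autorun.inf to see what it would launch, as Ed asked for earlier, and laying down the read-only placeholder files Ed describes in the numbered list above) as a worked example. This is added code, not from the thread or from PortableApps.com. It assumes the file names quoted in the thread, uses ASCII stand-ins for the worm's right-click menu labels, and writes an inert zero-filled stand-in executable instead of renaming forfiles.exe; the 52019-byte size in the demo is an assumption derived from the 50.8 KB Hansj reported.

```python
"""Added example (not code from this thread or from PortableApps.com).
1. triage an autorun.inf: list every program it would launch and check
   whether that program actually sits in the drive root;
2. lay down Ed_P's read-only placeholders: an autorun.inf with the worm's
   keys but empty values, plus a same-name, read-only stand-in executable.
Standard library only; runs on Windows or Linux.
"""
import ntpath
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample built from the entries quoted in the thread. The verb
# labels are ASCII stand-ins (assumption); the real ones were Chinese text.
SAMPLE_AUTORUN = """\
[AutoRun]
Open=SysAnti.exe
Shell\\Open=Open(&O)
Shell\\Open\\Command=SysAnti.exe
Shell\\Open\\Default=1
Shell\\Explore=Explorer(&X)
Shell\\Explore\\Command=SysAnti.exe
"""

LAUNCH_KEYS = {"open", "shellexecute"}   # keys whose value Explorer runs directly


def parse_autorun(text):
    """INI-style autorun.inf text -> {section: {key: value}}.
    Autorun names are case-insensitive, so sections and keys are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _program_of(value):
    """First token of a command value: a quoted path, or the text up to a space."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value.split() else ""


def launch_targets(sections):
    """Executable file names the autorun.inf would start: Open=, ShellExecute=
    and every shell\\<verb>\\command= entry (Windows-style paths handled)."""
    targets = set()
    for key, value in sections.get("autorun", {}).items():
        verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or verb_command) and _program_of(value):
            targets.add(ntpath.basename(_program_of(value)))
    return targets


def triage(text, root_listing):
    """root_listing maps drive-root file name -> hidden flag (constructed here;
    on a real drive you would read the root directory and its attributes)."""
    present = {n.lower(): hidden for n, hidden in root_listing.items()}
    findings = []
    for exe in sorted(launch_targets(parse_autorun(text))):
        if exe.lower() in present:
            note = " (hidden)" if present[exe.lower()] else ""
            findings.append(f"{exe}: launched by autorun.inf and present in drive root{note}")
        else:
            findings.append(f"{exe}: referenced but not present in drive root")
    return findings


def is_read_only(path):
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def write_placeholders(root, worm_inf_text, stub_size):
    """Same keys as the worm's autorun.inf with empty values, plus a zero-filled
    stand-in for each launch target (instead of a renamed forfiles.exe), all
    set read-only. Returns the paths written."""
    root, sections = Path(root), parse_autorun(worm_inf_text)
    inf = root / "autorun.inf"
    inf.write_text("[autorun]\n" + "".join(f"{k}=\n" for k in sections.get("autorun", {})))
    written = [inf]
    for exe in launch_targets(sections):
        (root / exe).write_bytes(b"\0" * stub_size)
        written.append(root / exe)
    for p in written:   # drop every write bit; on Windows this sets Read-only
        os.chmod(p, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return written


def run_placeholder_demo(stub_size=16):
    """Write the placeholders into a scratch directory and report what was made."""
    with tempfile.TemporaryDirectory() as d:
        paths = write_placeholders(d, SAMPLE_AUTORUN, stub_size)
        result = {"names": sorted(p.name for p in paths),
                  "all_read_only": all(is_read_only(p) for p in paths),
                  "stub_size": os.path.getsize(Path(d) / "SysAnti.exe"),
                  "inf_text": (Path(d) / "autorun.inf").read_text()}
        for p in paths:   # make the scratch files deletable again
            os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)
    return result


if __name__ == "__main__":
    # Constructed root listing: the two files Hansj found, both hidden.
    for line in triage(SAMPLE_AUTORUN, {"autorun.inf": True, "SysAnti.exe": True}):
        print(line)
    print(run_placeholder_demo(stub_size=52019))   # 52019 bytes ~ 50.8 KB, assumed
```

Point `write_placeholders` at the root of each partition of a real drive (after cleaning it) to apply Ed's approach; `triage` is the part to run first, so you know which names the autorun.inf is pointing at before you decide what to place.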

Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
Sometimes the executable is

Sometimes the executable is called something else.

It would be nice if the portable had its own OS that required a login. As it is, one can't know whether worms are eating data, since Windows apparently only protects its own system files.

Ed_P
Offline
Last seen: 5 years 6 months ago
Joined: 2007-02-19 09:09
yes and no

Yes, it is possible to have OSs on USB sticks. I have several on mine.

No, Windows doesn't protect only its system files. Malware is able to corrupt them as well as any other files; that's why Windows systems have to run antivirus and antimalware apps to protect the systems.

As for portable OSs, Windows-based PE systems have been around for years, as have Live Linux systems. Unfortunately neither would be able to run many PortableApps apps. However, Windows 8 can be installed on USB drives. So, with a big enough flash drive and public PCs that the owner allows to be rebooted and the BIOS configured to boot from USB drives, you're in business.

Ed

ZeroX4
Offline
Last seen: 8 years 9 months ago
Joined: 2013-01-10 21:33
this is why antivirus detects it as virus
Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
I've just plugged into a

I've just plugged into a public PC that clearly has the virus, because as soon as I delete autorun.inf and AntiSys.exe, it just recreates the files on all partitions - I've got six.

SystemExplorer does not find any threat when running its online security check. This is the TASK list:
Image Name CPU PID Mem Usage (K) Security VM Size Discovered Parameters
explorer.exe 1980 29.984 19.576 06/02/2013
ctfmon.exe 2752 3.396 864 09/02/2013
Explorer++Portable.exe 3752 1.016 35.632 10/02/2013
Explorer++.exe 3760 14.272 6.348 10/02/2013
hkcmd.exe 2380 3.560 980 10/02/2013
igfxpers.exe 2404 3.000 728 10/02/2013
igfxtray.exe 2328 3.620 1.064 10/02/2013
RTHDCPL.EXE 2312 23.288 19.904 09/02/2013
Svchost.exe 2020 3.672 1.232 09/02/2013
SystemExplorerPortable.exe 3744 1.016 35.576 10/02/2013
SystemExplorer.exe 3764 13.472 14.908 10/02/2013
SystemExplorerService.exe 3820 5.668 3.920 10/02/2013 /RUNLIMITED
System 4 240 0
smss.exe 684 372 168 09/02/2013
winlogon.exe 756 1.528 6.304 09/02/2013
cp40.exe 1720 13.416 6.080 06/02/2013
lsass.exe 812 6.368 3.928 09/02/2013
services.exe 800 5.888 3.684 09/02/2013
ApplicationUpdater.exe 492 4.640 1.244 09/02/2013
DfServEx.exe 984 3.636 1.416 09/02/2013
FrzState.exe 1844 3.352 1.600 09/02/2013 0 106917 0
jqs.exe 536 1.428 12.160 09/02/2013 -service -config "C:\Archivos de programa\Java\jre6\lib\deploy\jqs\jqs.conf"
MSCamS32.exe 560 6.856 3.620 10/02/2013
spoolsv.exe 1520 5.292 3.492 09/02/2013
svchost.exe 1008 4.848 3.060 09/02/2013 -k DcomLaunch
igfxsrvc.exe 2348 3.240 1.068 10/02/2013 -Embedding
svchost.exe 1164 23.092 13.956 09/02/2013 -k netsvcs
wscntfy.exe 640 2.292 548 09/02/2013
wuauclt.exe 3108 6.648 6.472 09/02/2013 /RunStoreAsComServer Local\[48c]SUSDS40fd70326294824e838ac87d966ee8de
wuauclt.exe 3400 5.292 5.624 09/02/2013
svchost.exe 664 4.716 2.668 09/02/2013 -k imgsvc
wmiapsrv.exe 160 4.424 1.876 09/02/2013
YahooAUService.exe 704 7.348 5.132 23/02/2013

I tried to shut down ApplicationUpdater and YahooAUService, but the system does not allow it.

snacdaws
Offline
Last seen: 10 years 5 months ago
Joined: 2012-11-06 10:22
I have had this issue as well, but it has been

a long time since I have encountered the problem.

I had always thought that it was the USB and just formatted the USB, and that usually solves my problems.

I'm not weird, I'm just different

snacdaws
Offline
Last seen: 10 years 5 months ago
Joined: 2012-11-06 10:22
it had happened

It had happened on my USBs before I had installed portableapps and a few times after, but nothing recent though.

I'm not weird, I'm just different

ZeroX4
Offline
Last seen: 8 years 9 months ago
Joined: 2013-01-10 21:33
plug in ur usb stick to ur pc

Plug your USB stick into your PC and run this program,
and follow the on-screen instructions:
http://flash-disinfector.en.uptodown.com/

snacdaws
Offline
Last seen: 10 years 5 months ago
Joined: 2012-11-06 10:22
I had tried that app at the time I needed it.

It would not even detect the USB.

No app that I tried that was recommended actually worked.

I'm not weird, I'm just different

Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
Serious? 129 KB and it does

Serious? 129 KB and it does not seem to do anything... Another virus?

snacdaws
Offline
Last seen: 10 years 5 months ago
Joined: 2012-11-06 10:22
ya that can be annoying

I have a 32 GB USB that I got from a store. Just weeks after I bought the USB they no longer sold it, and also the USB became write protected and RAW file format.

I spent a good deal of money on that USB (no exact number for financial reasons) and it all went down the drain.

Life sucks when things don't work!!!!!!!

I'm not weird, I'm just different

Ed_P
Offline
Last seen: 5 years 6 months ago
Joined: 2007-02-19 09:09
But...

But, if you buy a good brand of USB, when it becomes write protected you write to the manufacturer and get an RMA for a new one. So no money down the drain. Time, yes, but not money.

Ed

Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
I found this:

I found this: http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
And it prevents autorun.inf from being created in a different way, because there is no hidden autorun.inf directory to see. But it doesn't prevent another executable like AntiSys.exe from being created.

I tried it on the infected PC, but even after the PC is vaccinated, it still creates AntiSys.exe on all partitions.

Btw. after I uploaded those examples of the virus to Google Documents, they closed one file, and if you try to access the other one it will close down your browser completely. Plus they locked the account, so I can't access the YouTube account anymore.

Ed_P
Offline
Last seen: 5 years 6 months ago
Joined: 2007-02-19 09:09
"I uploaded those example of

"I uploaded those example of the virus in google documents"

And now we see how virii spread.

Ed

Hansj
Offline
Last seen: 9 years 6 months ago
Joined: 2012-05-30 06:46
pandasecurity adds a virus

About the mentioned pandasecurity: it actually adds a virus itself: http://www.youtube.com/watch?v=Bl03ZjBtx-U

Pandasecurity USB Vaccine installs a hidden autorun.inf on NTFS partitions that makes that partition appear as "Local disk" in Explorer, instead of whatever label it has been assigned. And if you'd like to use autorun.inf yourself, e.g. for icon=... label=..., you can't.

And the virus is that Pandasecurity USB Vaccine can be set up to do this automatically to plugged-in USB devices, so if it is installed on a public PC, everyone plugging in will get this nuisance.
