trojan horse

Cisco Craig
Offline
Last seen: 17 years 2 months ago
Joined: 2007-12-09 16:44
trojan horse

I am just back from a cyber cafe where I used a 1 gig USB flash drive on which I had just installed, from PortableApps, Thunderbird (my email program) and a notepad, to test for a trip I am taking. I went to three cyber cafes. At the second, a trojan horse had been installed on my USB.

PSW.generic 5.yia

and doWTP_RESTORE_0.exe

Thus, when I went to the third cyber cafe, an anti-virus program caught the trojan. When I came home, my anti-virus also caught the trojan.

EVEN WORSE, the USB was not recognized by Windows. NADA.. I had to format the USB. It can now once again be written to.

This test was a disaster.. Imagine if I were on the road and had only this USB; I would be up XXXXX creek without a paddle.

IDEAS???? HELP!!!!

Tim Clark
Offline
Last seen: 13 years 10 months ago
Joined: 2006-06-18 13:55
Yes this will happen

Yes this will happen :(

3 thoughts:

1. Always have a good full backup of your drive "before" you go on a trip.
[It is always a good idea to do this occasionally anyway :) ]

2. Install ClamWinPortable [CWP] to your USB drive. Keep it updated. When you go to an "alien" machine, make sure the "first thing" you do on that machine is run a ClamWinPortable scan of "Memory".
This could at least give you a heads-up to see if the machine has a virus resident when you first plug your drive in. If there is a virus present, you could decide whether to continue or not. If one is present, assume that your drive could be compromised.
Of course, even if the scan comes back clean, once you start running programs on that machine all bets are off, as the programs you run could launch a virus that was not active at the beginning of your session.
Run the memory scan again before you leave the machine.

[Running a full CWP scan of the host is not really a good option. It is ungodly slow, but the active memory scan is not too bad. I ran a full scan yesterday and it took over 2 hours. I just did a memory scan and it took 5.5 min.]

3. When returning to a "safe" machine, make sure you run a scan of the USB drive using the "safe" machine's AV and a "clean" local copy of CWP or whatever secondary on-demand scanner you use [You do have a secondary scanner, don't you? ;) Two opinions are always better than one :) ] before you touch any files on it.

Good Luck,
And Welcome to PortableApps :)

Tim

Things have got to get better, they can't get worse, or can they?

Cisco Craig
Offline
Last seen: 17 years 2 months ago
Joined: 2007-12-09 16:44
trojan

Thanks, Tim, for the good information. A few questions:

1. Is this type of virus common on alien machines in cyber cafes? I will be away from any friendly machines for a few weeks and do need to check email.

2. Are you familiar with this trojan?

3. Can this trojan compromise my files on the USB? That is, gain access to my files and then copy them onto the alien host computer to gain access to my email?

4. How can this virus be installed on my USB if I did not open any programs on the alien host computer?

I use two anti-virus programs on my home computer. I did not use any anti-virus on the USB. I will install Thunderbird and Notepad as before, then the Clam software, and return to the same cyber cafe to see what is what.

Cisco

Tim Clark
Offline
Last seen: 13 years 10 months ago
Joined: 2006-06-18 13:55
Cisco,

Cisco,

1. I don't know

2. No

3. That would depend on the Trojan [see 1. and 2.]

4. You are always running programs from the host machine; it's called the operating system. Different viruses do different things based on what they were created for. If the virus was written to infect all drives, it will infect the USB drive. If it was written to look for and "scoop up" information for various file types [e.g. .doc, .txt, .mdb, etc.], it can look for them on the USB drive.

"will ...return to the same cyber to see what is what."

I would be interested to see what happens if the only thing you do is run the memory scan of the host and then leave. Perhaps it will find a virus, but your drive may still be clean if you do nothing else! As I said, it depends on what the virus was written to do.

Good Luck,
Tim

Things have got to get better, they can't get worse, or can they?

Cisco Craig
Offline
Last seen: 17 years 2 months ago
Joined: 2007-12-09 16:44
Trojan

Again, thanks for your elucidation of these issues. It seems to me that the use I want, traveling and using alien cyber cafes, presents multiple problems for me.

The most devastating issue was the fact that the USB became unusable. We have not addressed this issue in these discussions. If I carry a backup, a second USB or a CD/DVD copy, I now have more material to carry and worry about.

Is there a way, after this infection by the trojan, that I can regain the use of the USB once the infection is cleaned? I was able to remove the trojan, but still could not use the USB.

I will go today to the same cyber cafe and use the Clam anti-virus to see what is up... Could I also look for my files on the same machine????

Thanks to all for your great assistance.

Cisco

Simeon
Offline
Last seen: 10 years 3 months ago
DeveloperTranslator
Joined: 2006-09-25 15:15
i doubt

that your files are on that machine. Maybe you can get them back by using some undelete tool on your USB drive.

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devil's Advocate

Ryan McCue
Offline
Last seen: 15 years 4 months ago
Joined: 2006-01-06 21:27
Well...

I thought I'd present some answers.

  1. It's simply a generic trojan. Could be anything.
  2. See 1
  3. Yes, it sure can. You should use a master password in Thunderbird if you want it to be encrypted (well, your passwords at least, not sure about locally stored emails). In fact, I have a program on my computer (well, did until it died) called USB Dumper (I think, can't remember off the top of my head) which automatically copied all the files off of newly inserted USBs.
  4. It runs as a "service" on the host computer. This means it's always running and spreading. It may well have a detector built in to check if a new drive has been plugged in, and then infect that too.

"If you're not part of the solution, you're part of the precipitate."

Cisco Craig
Offline
Last seen: 17 years 2 months ago
Joined: 2007-12-09 16:44
trojan

Ryan,

Thanks for the amplification of these issues.

I am most concerned about the trojan sucking up my data... and then the possible nefarious and illegal use of this to gain access to my email.

I changed my password on my server just in case..

Will the Clam anti-virus stop the infection? Will it stop data from being transferred?

Thanks
Cisco

rab040ma
Offline
Last seen: 7 months 1 week ago
Joined: 2007-08-27 13:35
ClamWin Portable only runs

ClamWin Portable only runs when you tell it to. In the few seconds between the time you insert the USB and when you tell ClamWin to start, the malware may already have done its deed.

You'd need a different kind of AV software if you want it to intercept Viruses before they do damage. The problem is, the more effective of these AV packages require an Admin to install them. But you may find something. They are mostly not free. (The viruses/trojans are probably already running as Admin, so unless the AV software is running as Admin and gets launched first, the virus/trojan will probably disable it. It can get to be a race to see which gets started first and has the more clever authors.)

As for what disables the USB drive: I am guessing that the AV software's efforts to "clean" the drive resulted in it being rendered unusable. Perhaps it was as simple as the AV software still working on the drive when the USB drive was removed, or perhaps it was too zealous in its cleaning and cleaned something important for the drive to function. (Was chkdsk.exe able to see the drive or diagnose its problems?)

The fact that AV software at the third cafe and at home detected the malware means that they were able to read the USB drive. So the data was still there. Either the AV software locked the drive so nothing else could see it, or it tried to clean the drive and rendered it unusable.

Malware can do whatever it wants, mostly. It can make copies of files and transfer them to the organized crime syndicates that sponsor the malware. It can watch while you type in your password, and keep a record of it. It can read the mail stored on the USB drive, or grab the password to your mail server account. It could, if it wanted, simply erase everything on your drive or make it unusable (but they generally try to run unnoticed, because then they can use your passwords before you are even aware you've been compromised, and you'd notice if the USB drive stopped working.) If it is running first, it could prevent software (like your own AV on the USB drive) from running, or infect it.

This is not a trivial problem. The solutions tend to be quite radical, things like booting from a LiveCD you bring with you and only then accessing data on your USB drive. It's likely you wouldn't be able to do that at the Internet Cafe, but if you could, that might be the only practical solution.

MC

Cisco Craig
Offline
Last seen: 17 years 2 months ago
Joined: 2007-12-09 16:44
trojan horse

OK, a clarification... the day I went to three cyber cafes I did not have AV on my USB. I was totally unaware of this problem..

I am just back from the test run at the two cyber cafes. The results are:

The first cyber cafe was clean...

The second cyber cafe has the trojan.... OK, when I arrived the computer had not been turned on. I asked for the same computer I had used. On boot an AV program ran and said clean..... Then I inserted my USB and ran Clam; sure enough, the same trojan was there.. I pointed this out to the kid at the cyber cafe, who said "WOW" and then ran another anti-virus.. BOTH showed clean. I took my USB out of the first infected computer and placed it immediately into another computer; sure enough, it was infected with the MSO cache file.. Apparently Clam stopped the trojan... as it did not show up...

BUT

On my return home I ran AVG anti-virus; the USB came up clean, but an MSO cache file was there..... The USB cannot be opened by clicking the drive icon.... I can open it from a right click, then the Open command. After removing the MSO cache file from the USB, then removing it from the computer and reinserting, I can click the icon and it will open.

So there you have it.

Basically, I see myself NOT using the USB portable app, as there is no way to stop trojans or other malware before they begin. I will use WEBMAIL for my accounts. I believe that, in light of this problem, this is my only safe solution.

Comments.??!!!

Cisco

John T. Haller
Online
Last seen: 34 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Not Really

Net cafes that don't maintain their PCs have been found to have viruses and other nasties that sit around waiting for you to enter your webmail password and then they send that password off to a 3rd party.

Whether people like to think about it or not... there is absolutely no way to be 100% safe when you're using machines that are not under your control. Period.

Sometimes, the impossible can become possible, if you're awesome!

Simeon
Offline
Last seen: 10 years 3 months ago
DeveloperTranslator
Joined: 2006-09-25 15:15
afaik

nothing can prevent your data from being copied over to the host PC. Not even an antivirus program or a write-protection switch :(

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devil's Advocate

rab040ma
Offline
Last seen: 7 months 1 week ago
Joined: 2007-08-27 13:35
Exactly

Well, if the antivirus program can keep the malware from running, the malware wouldn't be able to copy stuff. But if the malware is running when you plug the drive in, by the time you can start some AV software, it could already be too late.

The other thing is, if the data is encrypted, copying it won't cause much harm (assuming strong encryption with a strong pass phrase). Maybe a strategy would be to run ClamWin to see if it detects a virus in memory (and/or on the USB drive) and only if it appears clean to take the risk of running other software or decrypting files.

MC

Cisco Craig
Offline
Last seen: 17 years 2 months ago
Joined: 2007-12-09 16:44
trojan problem

OK, all this is fine.. but what we really have here is a difficult situation if one wants to be portable in the alien world of cyber cafes... I need a secure, reliable and easy method to check my email when I am on the road, and this approach of portable apps seems not to offer the ease and especially the security I desire.. All of these suggestions are good and possible but problematic for ease of operation. Your suggestion that I check with Clam means two USB drives: one with Clam and the other with Thunderbird. A lot of effort.

RMB Fixed
Offline
Last seen: 15 years 1 month ago
Joined: 2006-10-24 10:30
...

The only "safe" alternative is to use your own laptop.
From a strict security view, public computers cannot be trusted at all.

Cisco Craig
Offline
Last seen: 17 years 2 months ago
Joined: 2007-12-09 16:44
trojan

That is exactly what I do not want to do... I will be on the road, using public transportation and staying at rustic beach cabanas and in crazy locales.. I do not want the weight of a laptop or the possibility of loss.... I thought the portable app solution was the way to go, but not any more.... Seems just too risky..

thanks
cisco

Cisco Craig
Offline
Last seen: 17 years 2 months ago
Joined: 2007-12-09 16:44
trojan horse

Wow. What a horrible scenario.... Essentially I am not happy, and these portable apps in the hostile alien world of cyber cafes seem to create many, many headaches and a trail of my information...

m1ke
Offline
Last seen: 17 years 1 month ago
Joined: 2007-12-12 18:23
Well yeah, because it's a "write protection" switch

I'm more worried about my info being corrupted by some malware than being copied (if I encrypt the whole thing, of course).

rab040ma
Offline
Last seen: 7 months 1 week ago
Joined: 2007-08-27 13:35
That's the ticket. Since

That's the ticket.

Since it's basically impossible to be completely secure at an untrusted public PC, what you have to do is a risk analysis. It sounds like you've decided that someone copying your files is a risk you can live with, but someone changing (or deleting) them is not. Very rational.

But it's an example of how to survive out there. If the risk is too high, it's too high. If there's a way to mitigate it until the risk is acceptable, great.

It is too bad making that risk analysis isn't trivial for people with other things on their mind. I guess that's why the most common advice is "don't".

MC

OliverK
Offline
Last seen: 3 years 7 months ago
Developer
Joined: 2007-03-27 15:21
I won't give the name of it

I won't give the name of it but, there is a program that will dump all the files and email them to you. The thing is particularly nasty.

Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world

Simeon
Offline
Last seen: 10 years 3 months ago
DeveloperTranslator
Joined: 2006-09-25 15:15
Ohh

That's especially neat if you have a 4 gig USB. What's your guess how long it takes to send all that??? :P

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devil's Advocate

RMB Fixed
Offline
Last seen: 15 years 1 month ago
Joined: 2006-10-24 10:30
....

Well, I will tell you the name, otherwise how are you supposed to
protect yourself against it? The program is called USB-dumper..
.. and virtually no AV programs seem to consider it a threat.
1. You can filter what it sends.
2. The stolen files can be zipped/RARed before sending.

If you don't want to haul a laptop around, your best alternative
would be to run your apps from non-writable media like a CD.
There's a howto for ClamAV here: http://sourceforge.net/docman/display_doc.php?docid=28367&group_id=105508
Maybe the same technique can be used on a flash drive with a write-protect switch?

Lurking_Biohazard
Offline
Last seen: 6 years 5 months ago
Joined: 2006-02-18 18:06
Ehhh

Not quite. USBDumper only copies any USB device's contents to the local hard drive. (Some of us actually use it as an automatic backup.)
Switchblade acts a bit like Slurp, and Hacksaw is a modified Dumper that can mail you whatever you tell it to. One of the fastest/easiest ways to deploy/use these tools is U3...

Anywho, I agree that a CD approach will work. It can be a big pain, though. Also, not all apps will run this way.

~Lurk~

Aciago
Offline
Last seen: 3 weeks 6 days ago
Joined: 2007-01-24 14:23
I don't know

If this is going to be of any help, but yesterday I found (and tested) this

If a packet hits a pocket on a socket on a port,
and the bus is interrupted as a very last resort,
and the address of the memory makes your floppy disk abort,
then the socket packet pocket has an error to report :D

wraithdu
Offline
Last seen: 11 years 7 months ago
Developer
Joined: 2007-06-27 20:22
2 other ideas - 1. Encrypt

2 other ideas -

1. Encrypt everything on the drive except an AV (ClamAV or whatever) and the program you used to encrypt (so you can decrypt). This way you can scan the computer. And if there happens to be a USB dumper program, all they're gonna get is a bunch of encrypted files.

2. Find a USB that you can partition with the utilities that hide the 2nd partition until a password is entered. Keep your AV on the 1st partition and scan the computer before unlocking the 2nd partition. Encryption is up to you, but I would suggest it.

Obviously a write-protected drive is a great addition to both options to prevent any data corruption. You can always eject the drive, unprotect it, then reinsert it once the computer is clean.

TrueCrypt is the best option for encryption, but you need admin privs, so this unfortunately can't work for you.
