
DARKSUSB.exe Trojan (Please read for instructions how to remove it)

Nathan9222
Developer
Joined: 2007-12-06 22:35
DARKSUSB.exe Trojan (Please read for instructions how to remove it)

Some of you may already know, but for those of you that haven't heard of darksusb: USE CAUTION WHEN USING COMPUTERS AT SCHOOL OR AT THE LIBRARY. So far I have heard that this Trojan originated from Mexico. I recently got it from my school while using the computer in my engineering class. I scanned my USB and it was never detected by Norton or McAfee; so far the only scanner that will remove it is ClamWin, which is found on this site (thanks for saving my USB). I will tell you what the trojan did to my USB. It started to delete files from my USB (I'm glad I had backups), then it blocked me from opening my USB. Also it had loaded itself into my computer's memory and made a copy of itself in the C:\WINDOWS\system32 folder. So in order to remove it, follow these steps:
1. GET ClamWin
2. Update it
3. Go to Tools, Preferences; under the General tab go to "Infected Files" and select "Move to quarantine folder"
4. Next go to the Advanced tab and select the last 3 boxes
5. Next scan your USB, then when it is detected make sure to delete it (if you get a message that says "ACCESS DENIED", go to step 6)
6. If you got the above message, click on "Scan Computer Memory for Viruses", then delete it from the quarantine folder.
7. If you have other problems, go to http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2421004&SiteID=17 where there is a much more detailed way of removing DARKSUSB.exe

You may be able to just search for Darksusb.exe and delete it, but remember to end its process using the Task Manager.

Hope this helps anyone experiencing these problems.

rab040ma
Joined: 2007-08-27 13:35
I don't suppose you kept a

I don't suppose you kept a copy of the program or submitted it to virustotal or that sort of thing? The AV scanners can't detect it if they don't get a copy of it. It's perfectly understandable if you don't, in the heat of trying to get control of your computer back from malware, but if you can keep a copy in quarantine and submit it for analysis, it may help protect someone in the future.

This is an example of why autorun is disabled on many machines. If the USB doesn't autorun when the drive is inserted, the program won't run and propagate to the computer.

There are lots of examples of Trojans or viruses that behave this way. Some USB picture frames (that look like a storage device when plugged in to the computer) came infected this way, and infected the new owner's computer.

MC

Tim Clark
Joined: 2006-06-18 13:55
"Some USB picture frames

"Some USB picture frames (that look like a storage device when plugged in to the computer) came infected this way"

Yeah, read about that at SANS, very scary.
I have since disabled autorun on my machines.

I'd rather launch a menu on my own than risk someone else's drive autorunning with something they didn't know about [or did they ???]

Tim

Things have got to get better, they can't get worse, or can they?

José Pedro Arvela
Joined: 2007-07-10 07:29
I just don't understand one thing

If Windows XP and Vista are the only ones that support autorun from USB drives, and both of them have a prompt for autorunning, then who would be dumb enough to launch an app that they don't know?

(This is not related to the trojan, as it may use a glitch on the OS for autoplaying automatically)

Blue is everything.

Tim Clark
Tim Clark's picture
Joined: 2006-06-18 13:55
U3 has True AutoRun

U3 drives were built with the CD-ROM emulation in order to allow true Autorun, no prompt. It was a good idea in the beginning, but since once it is running it can in turn launch other programs, and we have seen that some people hack their drives to make use of the autorun functions for things other than U3, I have thought it best to disable it, period.

Tim

José Pedro Arvela
Joined: 2007-07-10 07:29
True

Yes, it's true.
Oh! And it was a good idea to have autorun for CDs like the one for USB in Vista. Isn't there a way to make the CD autorun be like the USB autorun is in XP? That way it would be easier for everybody. I think that there is a registry key that can be changed.
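The registry setting José asks about, as an added example that is not from the thread or from any poster: a PowerShell script that reports and then sets the documented NoDriveTypeAutoRun policy value to 0xFF (AutoRun off for every drive type, U3-style CD-ROM emulation included) and applies the well-known IniFileMapping hardening that stops Windows from reading autorun.inf at all. It assumes an elevated session for the HKLM keys; the function and variable names are my own.

```powershell
# Added example, not from the thread. Turns AutoRun off for all drive types and blocks
# autorun.inf parsing. Run from an elevated PowerShell session (HKLM writes need it).
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$ValueName = 'NoDriveTypeAutoRun'
# Each bit disables AutoRun for one drive type (removable = 0x04, CD-ROM = 0x20, ...);
# 0xFF sets every bit, so no drive type, CD emulation included, can AutoRun.
$AllDrivesOff = 0xFF
# IniFileMapping hardening: point autorun.inf lookups at a file that does not exist,
# so Windows never reads the open=/shellexecute= lines in the first place.
$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutoRunPolicy {
    # Reports the current value under each key ("not set" = Windows default applies).
    foreach ($key in $PolicyKeys) {
        $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        $shown = 'not set'
        if ($null -ne $current) { $shown = '0x{0:X2}' -f $current }
        [pscustomobject]@{ Key = $key; Value = $shown }
    }
    $map = (Get-ItemProperty -Path $IniMapKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $map) { $map = 'not set' }
    [pscustomobject]@{ Key = $IniMapKey; Value = $map }
}

function Disable-AutoRunEverywhere {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $AllDrivesOff -Force | Out-Null
    }
    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    # Set-Item on a registry key writes its (default) value.
    Set-Item -Path $IniMapKey -Value '@SYS:DoesNotExist'
}

Write-Host 'Before:'; Get-AutoRunPolicy | Format-Table -AutoSize
Disable-AutoRunEverywhere
Write-Host 'After:';  Get-AutoRunPolicy | Format-Table -AutoSize
```

The policy value is read at logon, so log off and back on (or restart Explorer) for it to take effect.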

Nathan9222
Developer
Joined: 2007-12-06 22:35
Actually

They are not launching a program; darkusb is automatically copied to any USB from a computer that has it. You can't even tell you have it because it is hidden; you only know you have something when you start to notice your USB data being deleted or it not being recognized. I don't know how far spread the virus is, but it probably was put in a computer by someone or it might have gotten in there somehow. The thing that worries me is that if it is on our school computers, I wonder how much data about us students it was able to get (if it even takes personal data).

An eye for an eye makes the whole world blind.
Mahatma Gandhi,
Indian political and spiritual leader (1869 - 1948)

rab040ma
Joined: 2007-08-27 13:35
I think you are talking

I think you are talking about how an infected computer gets the malware onto a USB drive.

The question is how does it get off of the USB drive onto another computer. There are several ways. One is the autorun/autoplay method. Another is that it infects some program or semi-program on the USB drive, and then when you get the USB drive home, you run that program, which infects your home computer.

The infection on the USB drive doesn't get onto your home computer by osmosis; some program has to run to do it (or the trojan has to convince you that it is a good idea for you to copy the program to your home computer and run it). If the USB drive doesn't autorun, you can run ClamWin against it before you do anything else. Of course that only works if the trojan has been reported to ClamWin and the other antivirus companies; if you are the first ones to see this trojan before the AV companies, then running ClamWin against your USB drive might not help.

It's called a zero-day problem, because the zeroeth day is when the virus is out there doing its worst and the AV companies haven't started protecting against it. In this case it sounds like the 0th day is going on for a long time. Maybe your reporting it will help stop its spread. (See, the zeroeth day is even before the first day ... yeah, you have to be one of those people who understand "there are 10 kinds of people in the world, those who understand binary and those with friends".)

If you are able to grab a copy of it, you might put it into a zip file protected with the password "virus" so it doesn't get executed by accident.

I wouldn't mind having a copy of it to analyze. You could come on the IRC channel to send it to me. Of course, you shouldn't send it to me, because you shouldn't trust people you don't know.

MC
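An added example, not rab040ma's or anyone else's code in this thread, of the kind of read-only check you can run on a USB drive before opening anything on it: it reads autorun.inf for the program AutoRun would launch, lists hidden or system-flagged executables at the drive root, reports the volume label (later in the thread an odd label is described as a symptom), and hashes the suspect files so they can be looked up on VirusTotal or handed to an AV vendor without being executed. The drive letter parameter and the function name are assumptions.

```powershell
# Added example, not from the thread. Read-only triage of a removable drive: nothing on
# the drive is executed, only read and hashed. Assumed parameter: the drive letter.
function Get-UsbTriage {
    param([string]$Drive = 'E')
    $root = "${Drive}:\"
    $suspectExt = '.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs'

    # Volume label: the thread reports an unexpected label on infected sticks.
    $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${Drive}:'"
    $label = '(drive not found)'
    if ($disk) { $label = $disk.VolumeName }

    # autorun.inf: which program would Windows launch on insertion?
    $launch = @()
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        foreach ($line in Get-Content -LiteralPath $inf) {
            # open= and shellexecute= are the keys AutoRun acts on; capture the target.
            if ($line -match '^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') { $launch += $Matches[2] }
        }
    }

    # Hidden or system-flagged executables at the root (-Force lists hidden entries).
    $hidden = Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $suspectExt -contains $_.Extension.ToLower() -and
            ($_.Attributes -band ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
        }

    # SHA-256 per suspect file: enough to check VirusTotal or send to an AV vendor.
    $hashes = @(foreach ($f in $hidden) {
        [pscustomobject]@{
            File   = $f.Name
            SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    })

    $verdict = 'nothing obvious found'
    if ($launch.Count -gt 0 -or $hashes.Count -gt 0) { $verdict = 'SUSPICIOUS: do not open, scan it first' }

    [pscustomobject]@{
        Drive             = $root
        VolumeLabel       = $label
        AutoRunLaunches   = $launch
        HiddenExecutables = $hashes
        Verdict           = $verdict
    }
}

Get-UsbTriage -Drive 'E' | Format-List
```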

Nathan9222
Developer
Joined: 2007-12-06 22:35
Well....

Actually many of my friends in that class have been infected with Darkusb, so I guess the next person I help, I will save the quarantine so it could be analyzed. Anywho, I informed my teacher, who knew there were strange things going on with people's USBs, and I told her how to get rid of it. Hopefully they scan their whole server so they can limit darkusb from going from computer to computer, or they should have an announcement about it.

powerjuce
Developer
Joined: 2007-09-20 21:34
use a virus?

I remember I read that students had made viruses to deal with trojans.
It would work by checking the USB before it was used and then OKing it. It had to be a simple virus to check the USB before Windows did anything with it and after it was plugged in (duh).

While it sounds good, I am not sure I would trust it though...

Please search before posting. ~Thanks

Nathan9222
Developer
Joined: 2007-12-06 22:35
Y would u

Why would they make a virus to deal with a trojan? Because they would need to know how to get rid of it, and even if they do that, there is a possibility that it already duplicated itself somewhere else.

JayPel
Joined: 2007-10-27 10:28
DARKSUSB.exe Trojan/Malware

ref - Castle Cops forum posting at URL:
http://www.castlecops.com/t215696-DARKSUSB_exe_Trojan.html

-- Upon reading this thread and after doing a little checking on the web, I went ahead and posted the above item on Castle Cops as a tipper and for potentially finding out more about this malware. That item points back to this message thread and to the MS forum item, which appear to be the root nodes on the web, to which most other references pointed at the time of my quick survey.

-- Castle Cops is a global collaboration forum for working issues related to malicious activities on the net, including viruses, trojans, spam, fraud, phishing, etc. It is a player/crossroads in the web connecting varying centers of effort working to counter malicious activities on the Internet.

-- What kind of response to the above posting may ensue is yet to be seen.

---eom

Nathan9222
Developer
Joined: 2007-12-06 22:35
if u would like

I am going to be removing the virus from one of my friends' USBs, so I'll save the DARKSusb.exe so I can submit it to Norton or McAfee. Just to let you know, what I thought would happen to one of my friends' USBs happened. DARKUSB corrupted his USB; now he has no access to his USB, it doesn't show up or anything on his CPU, and also his computer, he says, is acting funny, so let's see what happens. I hope you all get ClamWin and put it on your USB for safety measures. You will know if you are infected because your USB name will say "Applicacion Portabales" or something similar to that. No need to fear because this virus is not widespread yet. I live close to Mexico, so that might be why our school has gotten this virus. From what I have seen so far, there are two other Trojans with DARKUSB but I don't know their names. Hope this helps a little so you know if you have it.

JayPel
Joined: 2007-10-27 10:28
Try Submitting Bad File to Virustotal

ref: P-Apps forum item https://portableapps.com/node/11313
titled "Trojan horse Downloader ...."
which refers to http://www.virustotal.com/

-- If you still have a copy of the file, you might try checking with the Virustotal site to see what kind of results you get.

-- From various references in this thread and follow up thread ( https://portableapps.com/node/11530 ), I'm not sure if the malicious software file cited is "darkusb.exe" or "darksusb.exe" (presumably one is a typo).

(NOTE: as of this writing, still no response in Castle Cops forum to item I posted.)

---eom
