5

I discovered a file named autorun.ini on my USB flash drive:

[AutoRun]
;FjYfoT
;jpId UagEbddsb PCjo
oPEn = efhcnu.exe
sheLl\open\DEfault=1
;utvDpsMqpT dDustbemW XyAy WeywFbvaVA eQnK
sHeLL\open\COmmanD = efhcnu.exe
;uRprWb
ShEll\expLore\coMmANd = efhcnu.exe
;kdtrelceNy uEeF gFTf
shEll\autoPLAy\commAND = efhcnu.exe

Both it and the accompanying efhcnu.exe are hidden under Windows and are visible only after "Show system files" is enabled.

efhcnu.exe is 168 kB in size.

My priorities are:

  • identify which computers were infected and what the damage is
  • remove the malware
  • report this incident to the public


How should I proceed?

Vorac
  • (3) Could you please mail the exe to epsvpeqb@sharklasers.com? I have some spare time today and could analyze it for you. – lynks Apr 09 '13 at 10:21
  • you are awesome lynks – open source guy Apr 09 '13 at 10:31
  • @lynks, you are getting it. Maybe I should post a hexdump somewhere online for everyone to see? – Vorac Apr 09 '13 at 10:34
  • @lynks, unfortunately, my antivirus programs and Gmail detect the virus and won't allow me to send it. Tonight I will attempt to send you the hexdump. – Vorac Apr 09 '13 at 10:42
  • @Vorac that email address expires in 40 minutes or so, try renaming the file to a .jpg – lynks Apr 09 '13 at 10:43
  • @lynks, it is done! – Vorac Apr 09 '13 at 10:48
  • @Vorac received, thanks. I will post any findings either tonight or tomorrow. – lynks Apr 09 '13 at 10:48
  • (3) One AV IDed it: W32.Sality.AE; http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99 – Vorac Apr 09 '13 at 10:53
  • @lynks, do you have any insights? The symantec page listed some symptoms, which my computers do not have. However, the virus lives on, morphing the executable file's name and affecting other executables. – Vorac Apr 19 '13 at 07:44
  • (1) @Vorac yeah, I had a look; the only symptom that I was able to confirm from the W32.Sality definition was that it generates a random name for itself. It also changes a lot of registry keys relating to Notepad, which is not mentioned anywhere regarding W32.Sality. Beyond that I was struggling; it's obfuscated and quite large. I will post my exact findings as an answer later; I'm away from them right now. – lynks Apr 20 '13 at 11:21
  • (2) @lynks any news? – tbodt Jul 30 '14 at 02:02
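As an added illustration (not part of the question or of any answer), the following Python script parses an autorun.inf the way Windows reads it (section headers, ';' comment lines, case-insensitive keys, whitespace around '=' ignored) and reports which entries would launch a program and which obfuscation traits the file shows. The suspicious sample is the file quoted in the question; the benign sample and all function names are constructed for this example.

```python
# Sample 1: the autorun.inf quoted in the question above.
SUSPICIOUS_INF = r"""[AutoRun]
;FjYfoT
;jpId UagEbddsb PCjo
oPEn = efhcnu.exe
sheLl\open\DEfault=1
;utvDpsMqpT dDustbemW XyAy WeywFbvaVA eQnK
sHeLL\open\COmmanD = efhcnu.exe
;uRprWb
ShEll\expLore\coMmANd = efhcnu.exe
;kdtrelceNy uEeF gFTf
shEll\autoPLAy\commAND = efhcnu.exe
"""

# Sample 2 (constructed for this example): a vendor drive that only sets an icon and a label.
BENIGN_INF = r"""[AutoRun]
icon=drive.ico
label=Backup Drive
"""


def parse_autorun(text):
    """Parse autorun.inf the way Windows reads it: [section] headers, ';' comment
    lines, and key=value pairs with case-insensitive keys and surrounding
    whitespace ignored. Returns (entries, raw_keys, comments) for the [autorun]
    section, with entries keyed by the lower-cased key."""
    entries, raw_keys, comments = {}, [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:].strip())
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        raw_keys.append(key.strip())
        entries[key.strip().lower()] = value.strip()
    return entries, raw_keys, comments


def looks_random(token):
    """True for words with upper-case letters after the first character
    ("FjYfoT", "uEeF", "sheLl"): generated filler, not something a person typed."""
    return any(c.isupper() for c in token[1:]) and any(c.islower() for c in token)


def analyze_autorun(text):
    """Report what the file would execute and which obfuscation traits it shows."""
    entries, raw_keys, comments = parse_autorun(text)
    launches, verbs, indicators = set(), set(), []
    for key, value in entries.items():
        parts = key.split("\\")
        # "open=" runs a program when the drive is opened; "shell\<verb>\command="
        # runs one when that verb is chosen from the drive's context menu.
        if key == "open" and value:
            launches.add(value)
            verbs.add("open")
        elif len(parts) == 3 and parts[0] == "shell" and parts[2] == "command" and value:
            launches.add(value)
            verbs.add(parts[1])
    if launches:
        indicators.append("launches program(s): " + ", ".join(sorted(launches)))
    random_comments = [c for c in comments
                       if c.split() and all(looks_random(t) for t in c.split())]
    if random_comments:
        indicators.append(f"{len(random_comments)} comment line(s) of generated filler text")
    odd_keys = [k for k in raw_keys if looks_random(k)]
    if odd_keys:
        indicators.append(f"{len(odd_keys)} key(s) with randomised letter case")
    return {
        "verdict": "suspicious" if launches else "benign",
        "launches": sorted(launches),
        "verbs": sorted(verbs),
        "indicators": indicators,
    }


if __name__ == "__main__":
    for name, sample in (("USB drive autorun.inf", SUSPICIOUS_INF),
                         ("vendor autorun.inf", BENIGN_INF)):
        report = analyze_autorun(sample)
        print(f"{name}: {report['verdict']}")
        for line in report["indicators"]:
            print("  -", line)
```

Run against the question's file, the script reports that efhcnu.exe is wired to the open, explore and autoplay verbs, that every comment line is filler, and that every key has randomised case; the vendor sample produces no findings. The verdict rests only on the launch entries, since the filler and case tricks are hints at generated content rather than proof of harm.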

2 Answers

12

Step 1 - Nuke your USB drive. Format the thing.

Step 2 - Nuke all the computers that you have used the USB drive with in the period in which you suspect the drive has been infected.

Step 3 - Change your passwords.

Step 4 - Submit the malware to something like VirusTotal. It will ensure that most of the major antivirus vendors pick up on it.

Step 5 - Harden all Windows computers you work with by following guidelines posted by NIST, including disabling all autorun features for all types of media.

Deer Hunter
  • But how do I know if any of my online accounts are compromised? What about the backups? – Vorac Apr 09 '13 at 10:39
  • (1) @Vorac Change all your passwords. Treat backups as you would a computer. If it has been in contact with the USB drive in the suspected period, it has to go. –  Apr 09 '13 at 10:45
  • Can you specify which of those publications you're referring to? –  Jul 07 '17 at 21:05

5

You can use a Linux OS (for example Ubuntu) to back up your files from the USB stick and scan them with an antivirus, so you can save your files; then you must format your USB stick!

Nicola
  • (1) Or alternatively, just make a permanent switch to a Linux OS (for example Ubuntu), rendering the virus on the USB stick (and any other Windows malware you come across) impotent. ;) – IQAndreas Sep 04 '14 at 11:43