Today, after a long period of silence, I write back to my blog to talk about a virus that spread year ago, but re-appeared today in a new variant. The virus is not detected by anti virus like Kaspersky or Avast.
The virus spreads over usb dongle, mainly in copy centers. As a note, I would like to inform you that copy center is the worst place to bring a usb key in the world. Plugging your usb dongle in a copy center PC is just like licking a metro bar. The solution is to host file on a public drive on the web without registration required (you don’t want to loose your credential when loggin-in with them in the copy center)
The virus proxy the files copied on the disk. When you’ll copy a file, they will be marked as hidden and shortcut will be created. The shortcut point to the VBS virus and will then open your files, that’s the way he spreads on the host machine.
Once in place, if you delete the vbs file, he will come back. We’ll see how to identify the process responsible for that, killing it and then cleaning the key.
- First, download sysinternal suite from here.
- Then, unzip and launch procmon.
- Once started, go to your usb key and delete the folder containing the vbs script.
If you don’t see it and only see the shortcuts, you’ll need to enable “view hiddent files” and disable “hide system protected files” in the explorer paramaters. - Once deleted, wait for the file to re-appear.
- Go back to procmon and input the shortcut CTRL+E. That will stop the capture
- Now search (CTRL+F) for the name of the vbs, in our case iexplor, but may differ.
- Write the process id of the entry found in the first columns
- Launch procexp from sysinternals and sort the process by id
- Kill the process you’ve found with procmon (DELETE)
- Now you can delete the files on the usb key and clean the virus.
Another blog lost in the interweb... 