Public computers (cyber cafes, high schools, libraries, etc.) are increasingly becoming real nests of infection. These PCs, infected inadvertently or maliciously, spread, among other things, infections that attack any removable disk plugged into them!
These are infections that are spread by removable media: USB key (most common case), external hard drive, flash card, iPod, MP3 player, camera, etc.
Any removable disk inserted into an infected computer will be infected in turn if the infection is active. In other words, the infection happens automatically, simply on connection, if autorun is enabled for removable drives.
Simply opening My Computer and double-clicking on the USB key / external hard drive (re)infects the operating system! The key will in turn infect a healthy PC. And so on ...
- Symptoms of the disease
- Disinfection method
- Case of networked computers
- After cleaning
- How to protect yourself on a daily basis on public PCs?
- Disable autorun for removable media while keeping it for CD / DVD
Symptoms of the disease
- Double-clicking to open your infected removable media no longer works.
- If you make hidden files and folders visible, you will find that the key contains several unknown, and therefore infected, files and processes; do not double-click on them to open them, because that will activate the infection if it has not already been activated!
- The key element that lets the infection spread automatically from key to PC and from PC to key is the activation of files through autorun.inf when you double-click to access the files on a key!
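As an added example (not part of the original article), the following Python script reads an autorun.inf as text, without executing anything, and lists the directives in its [autorun] section that would start a program. The sample content and its file names are constructed placeholders.

```python
"""List what an autorun.inf would launch (added example; sample is constructed)."""
import re
from pathlib import Path

# Keys of the [autorun] section that make Windows start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def launch_entries(text):
    """Return [(key, command)] for each launch directive in the [autorun] section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # junk padding or another section
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and value:
            entries.append((key.lower(), value))
    return entries

def inspect_root(root):
    """Read <root>/autorun.inf without executing anything; [] if absent or a folder."""
    path = Path(root) / "autorun.inf"
    if not path.is_file():
        return []
    data = path.read_bytes()
    bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    return launch_entries(data.decode("utf-16" if bom else "latin-1"))

# Constructed sample: every file name below is a placeholder.
SAMPLE = r"""
qzx padding line
[AutoRun]
open=hidden\unknown.exe
shell\open\Command = hidden\unknown.exe
icon=%SystemRoot%\system32\shell32.dll,4
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, command in launch_entries(SAMPLE):
        print(f"{key} -> {command}")
```

Any entry returned by `inspect_root` for a removable drive names a file to examine before the drive is opened by double-click.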
Disinfection method
Before using one of these tools, make sure you have closed all running programs, and connect to the PC all external devices that could have been contaminated (external hard drives, USB key, iPod ...). Repeat the disinfection operation if several removable disks may have been infected.
Remediate VBS Worm
- Tutorial here
Usbfix
- website
Flash_Disinfector
- Download Flash_Disinfector (from sUBs) to the Desktop:
- Flash_Disinfector
- Note: This program may trigger an antivirus alert: if this is the case, the antivirus must be temporarily deactivated; it is a false alert.
- Double-click on Flash_Disinfector.exe to launch it.
- If the key is not plugged in, you will be asked to connect it.
- When the message "Plug in your flash drive & click Ok to begin disinfection" appears:
- connect USB drives and / or external USB devices that may have been infected.
- Then click on OK
- The icons on the desktop will disappear until the message "Finish" appears.
- Then press "OK" to make the desktop reappear.
Evosla RAV
RAV is an app that treats viruses and worms found at the root of fixed and removable drives.
To download it, click here
Disinfect a usb key / removable disk:
- Download Rav
- Connect removable disks without opening them before launching the Fix
- Unzip the archive on the desktop
- Double-click on RAV.exe to launch the tool
- Once RAV is launched, it will automatically scan all drives that may be infected
- If there is an infection, a report will be produced; otherwise the software will display the message: "Your computer is healthy"
- Remove removable disks and restart the computer.
Other Tools
Here are three other tools you can use to complete the disinfection:
- The Symantec Tool
- On the desktop, double-click on the FxRajump.exe file
- Then click on Start to start cleaning.
- At the end of cleaning, a window will open to signal the end of the search.
- The FxRajump.log file will be created on the desktop, listing the deletions of files / registry keys.
- The McAfee tool
- Click on "Download v3.xx" to download the file, then launch it.
- If the letters corresponding to the external devices do not automatically appear in the list of drives to scan, add them manually using the "Browse" button to select them.
- Then start cleaning by clicking on the "Scan Now" button.
- Autorun Plasma tool: Download Autorun Plasma
- Download the ZIP file.
- Place its content at the root of your USB key.
Important: Until you are sure you have eradicated the infection, do not open any external drives or devices, otherwise the infection will start again!
Case of networked computers
- For example, the Rjump worm (AdobeR.exe, Ravmonlog ...), in addition to copying itself to external devices, also spreads through shared folders on network workstations and opens a backdoor by configuring, without the user's knowledge, an exception in the Windows firewall. There is therefore a good chance that the worm has spread to shared network folders.
- If a PC is on a network, isolate it from the network and check that the shared folders / disks are clean. Do not reconnect it until you are sure that the other machines are clean or disinfected too, otherwise you risk the infection spreading again!
After cleaning
- To check that nothing is left on the computer and external media, it is best to run an online antivirus scan or your own antivirus.
How to protect yourself on a daily basis on public PCs?
Most public computers, and many private computers, are affected by infections spread through removable disks. To avoid this, a very simple precaution to take is to vaccinate your removable disks. It suffices to create directories bearing the names of the most common infectious files, and especially directories bearing the name autorun.inf, to block the mechanism of propagation of this type of infection. Once these directories are locked in read-only mode, the infection will not be able to overwrite an existing file / folder and therefore will not be able to spread! (Thanks to Gof for this tip ;-))
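The vaccination idea described above, as an added example (not the code of any of the tools listed below): it reserves the name autorun.inf at the root of a drive with a read-only directory and checks that a file of that name can no longer be written. The function names and the list of reserved names are assumptions; a drive that already holds an autorun.inf file is reported rather than modified.

```python
"""Vaccinate a drive root against autorun.inf (added example, not a listed tool)."""
import os
import stat
import sys
import tempfile
from pathlib import Path

# Assumption: names to reserve. The article names only autorun.inf explicitly.
RESERVED_NAMES = ("autorun.inf",)

def vaccinate(root, names=RESERVED_NAMES):
    """Reserve each name at `root` with a read-only directory; return {name: status}."""
    report = {}
    for name in names:
        target = Path(root) / name
        if target.is_file():
            # An existing autorun.inf file may be an infection: disinfect first.
            report[name] = "file present, disinfect first"
            continue
        created = not target.is_dir()
        if created:
            target.mkdir()
        # Read-only attribute on Windows, mode r-x for the owner on POSIX.
        os.chmod(target, stat.S_IREAD | stat.S_IEXEC)
        report[name] = "vaccinated" if created else "already vaccinated"
    return report

def write_blocked(root, name):
    """True if `name` cannot be opened for writing as a file (nothing is modified)."""
    try:
        os.close(os.open(Path(root) / name, os.O_WRONLY))
    except FileNotFoundError:
        return False      # the name is free: a file could still be created
    except OSError:
        return True       # a directory (or read-only entry) holds the name
    return False          # an ordinary writable file

if __name__ == "__main__":
    # Pass the drive root as the first argument; a temp folder is used otherwise.
    drive = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    for name, status in vaccinate(drive).items():
        print(f"{name}: {status}; write blocked: {write_blocked(drive, name)}")
```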
To do these vaccinations, you can use the following programs:
Panda USB and AutoRun Vaccine
- Download Panda USB and AutoRun Vaccine.
- Install the software by choosing the desired options ("auto-vaccine" for each key as soon as it is plugged in, automatic start of the application, activation of NTFS support, etc.).
- Launch the app.
- Vaccinate your USB media and your PC.
VaccinUSB
http://perso.orange.com/-Gof/DL/VaccinUSB.exe. Simply run it to create the vaccination directories; you can then delete the VaccinUSB.exe file.
- This very practical trick will allow you to keep your USB key clean even when connecting it to an infected PC!
- Warning: when you download this program, your antivirus will raise an alert. Don't panic: part of the VaccinUSB code is incorrectly detected by antiviruses, so it is a false positive.
Evosla RAV
Evosla RAV, presented above, can also vaccinate: just start it, choose to vaccinate your PC, then restart your PC.
Flash_Disinfector
Flash_Disinfector, presented above, also vaccinates your PC: if you have launched it, it will transfer the infections found and vaccinate your PC by creating an autorun file at the root of the disk.
Usb-set
Usb-set is a tool that can be used to protect your external media: tutorial here: https://forum.zebulon.com/topic/173063-usb-set-version-151/
Bitdefender Usb Immunizer
- Like previous software, Bitdefender Usb Immunizer helps protect external media from infections.
- https://labs.bitdefender.com/2011/03/bitdefender-usb-immunizer/
EliPen
- http://www.zonavirus.com/descargas/elipen.asp
USB Doctor
USB Doctor can also vaccinate; see here:
https://usb-doctor.com.malavida.com/
Disable autorun for removable media while keeping it for CD / DVD
- Microsoft provides an update that enables this behaviour: update KB 971029.
For more information, see the following page: https://support.microsoft.com/en-us/help/971029
Choose the update file according to your version of Windows.