flat assembler
Message board for the users of flat assembler.

Index > Heap > Virus infection through pendrive really possible?

LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
Yesterday I plugged in my friend's pendrive to copy a file, but while I was searching for that file I found this interesting one:

autorun.ini
Code:
;112313975696452862290195119566
[AutoRun]
;712574670347384894502582843415657647490780800249321916676126713679253892041645777022745460
open=NTsys.exe
;178588367905468579476207005791611954463878646950017674337140980138032278045695232884632423893719321233220524495855369605185128952818923462988526420667519820248102769467913879617117
shell\open\Command=NTsys.exe
;854248149623162821909634582698588957054167985923060460994019986723446333780520518759242259608619785727933937351973238400111655978276394594839071901515
shell\open\Default=1
;859228866756893970223477785475695193799817934486689269379712732582068070769
shell\explore\Command=NTsys.exe
;704590155929326220760619547218607276110490784148803881625645
;7349213361274447938103012274946457535687135535585021694423633478663106681785492486241972071.84854807797819e+015


The NTsys.exe file showed these interesting results at virustotal.com: http://www.virustotal.com/analisis/5a1ec8db8e8f8fcc4f4b62f9fc86b9e0

Now the question is, when does such an infection vector work? Because NTsys.exe was never executed on my computer, nor on my friend's computer either; it was not even available in the "what do you want to do" dialog when the pen is plugged in. Also, I tried replacing NTsys.exe with another executable just to confirm that it was not a case of silent execution, but once again nothing happened.

I have heard several times about pendrive viruses, but has someone found one that really gets executed automatically, as many people say they do?
Post 18 Mar 2009, 15:35
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
It is definitely possible. Turn off all your autoruns!
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:03ffffff
"HonorAutoRunSetting"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:03ffffff
"HonorAutoRunSetting"=dword:00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:03ffffff
"HonorAutoRunSetting"=dword:00000001
Save as a .reg file and run it.
Post 18 Mar 2009, 15:43
revolution
LocoDelAssembly wrote:
I have heard several times about pendrive viruses but, someone have found one that really gets executed automatically as many people say they do?
"Downadup" is the current problem going about, it uses the autorun vector (one of the many vectors it exploits). Also being an admin at login doesn't help your cause. Run as a standard user.
Post 18 Mar 2009, 15:48
LocoDelAssembly
Quote:
"Downadup" is the current problem going about, it uses the autorun vector (one of the many vectors it exploits). Also being an admin at login doesn't help your cause. Run as a standard user.


Oh, admin group users have autorun on pendrives disabled by default?
Post 18 Mar 2009, 15:57
revolution
LocoDelAssembly wrote:
Oh, admin group users have autorun on pendrives disabled by default?
Are you willing to take the chance that the default is what you expect?
Post 18 Mar 2009, 16:14
LocoDelAssembly
I just want to know why it doesn't get executed if it is supposed to work :)
Post 18 Mar 2009, 16:24
revolution
It depends upon your specific configuration.

Maybe an old program you forgot about or deleted has set the autorun=off?

What do you have in the registry keys shown above?
Post 18 Mar 2009, 16:31
LocoDelAssembly
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceClassicControlPanel"=dword:00000001
"NoResolveTrack"=dword:00000001
"LinkResolveIgnoreLinkInfo"=dword:00000001
"NoResolveSearch"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoInstrumentation"=dword:00000001
"NoStartMenuMFUprogramsList"=dword:00000001
"NoSMMyDocs"=dword:00000001
"NoSMMyPictures"=dword:00000001


But my friend's computer has a WinXP that I installed myself a few days ago without doing any custom settings, and he didn't get infected either.
Post 18 Mar 2009, 16:56
revolution
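As an added example (not code from the thread), the script below does the two checks this discussion turns on from the defender's side: it pulls the launch targets out of an autorun.inf like the one quoted at the top of the thread (skipping the junk comment lines), and it decodes a NoDriveTypeAutoRun value such as the 0x91 above against the 0xFF in revolution's .reg file. The sample file is constructed from the thread's keys, and the drive-type bit table follows the Win32 GetDriveType ordering (bit 2 = removable drives, i.e. USB pens).

```python
import re

# Constructed sample modelled on the autorun.ini quoted in the thread: runs of
# digits in ';' comment lines interleaved with the real [AutoRun] keys.
SAMPLE_AUTORUN = """;112313975696452862290195119566
[AutoRun]
;7125746703473848945025828434156576
open=NTsys.exe
shell\\open\\Command=NTsys.exe
shell\\open\\Default=1
shell\\explore\\Command=NTsys.exe
"""

# One bit of NoDriveTypeAutoRun per Win32 drive type (GetDriveType value N -> bit N).
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB pendrives
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",
}

def autorun_commands(text):
    """Return the executables an [AutoRun] section would launch, keyed by action.
    Comment lines (';') are skipped, so padding like the digit runs is ignored."""
    found, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            # 'open' and any shell\<verb>\command entry name a program to run
            if key.lower() == "open" or re.fullmatch(r"shell\\[^\\]+\\command", key, re.I):
                found[key.lower()] = value
    return found

def autorun_still_allowed(no_drive_type_autorun):
    """Drive types whose bit is clear, i.e. where Explorer still honours autorun.inf."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not no_drive_type_autorun & bit]
```

With 0x91 the DRIVE_REMOVABLE bit is clear, which is consistent with the pendrive's autorun.inf being honoured when the drive is opened from Explorer; 0xFF leaves no drive type enabled.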
LocoDelAssembly wrote:
But my friend's computer has a WinXP I have installed myself a few days ago without doing any custom setting and he didn't get infected neither.
You're damn lucky then. I've always had my little USB autorun pop up on other people's computers to warn them to turn off autoruns. Never once has it failed for me like you are seeing.
Post 18 Mar 2009, 17:06
revolution
Hehe, a thought struck me: maybe you already have the virus and it is now cancelling the pendrive autorun so it won't get a different virus overwriting it. Best you check.
Post 18 Mar 2009, 17:11
LocoDelAssembly
Wait, I have now managed to get it executed... Although plugging in the pendrive is not enough (the "what do you want to do" dialog doesn't offer the autorun), double-clicking the drive in My PC executes the EXE immediately without even asking me if I trust the program (I am asked if I double-click the executable).

What is even worse is that if I do right-click > Open, the autorun also gets executed instead of just opening the drive, so to enter it I had to type "F:\" in the path bar (unplugging and plugging it in again would also have worked, because I can choose to open the pen from the dialog).

In short, it works; it is just a little less automatic than with CD-ROMs.

PS: Obviously the NTsys.exe I'm using is a very safe executable, renamed :)

[edit] BTW, thanks for the info ;)
Post 18 Mar 2009, 17:19
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
It absolutely *is* possible prior to Vista; even right now I am infected by one virus that came from a USB pen.

Once I got rid of it (a long process: it was hooked on explorer.exe, so I needed to kill it and then restart it, and after that delete it from ~15 places on the HDD, started from every possible place in the registry). But I forgot to remove it from one USB pen, and now I have it again.

So just for the future, disable autorun completely through the Microsoft Management Console. I don't remember the exact process, but I bet you can easily google it.
Post 18 Mar 2009, 23:30
revolution
vid wrote:
So just for future, disable autorun completely through Microsoft Management Console, I don't remember exact process, but I bet you can easily google it.
... Or, easier, just use the little .reg proggy I posted above.
Post 19 Mar 2009, 00:07
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
How do you guys even get your USB pens infected anyway? :?

_________________
Previously known as The_Grey_Beast
Post 19 Mar 2009, 01:40
revolution
Borsuc wrote:
How do you guys even get your USB pens infected anyway? Confused
You mean you have NEVER ever, not once, put your USB pendrive into another computer AND you have NEVER ever, not once, put someone else's pendrive into your computer? Don't you have any friends at all? ;)
Post 19 Mar 2009, 02:15
rugxulo



Joined: 09 Aug 2005
Posts: 2341
Location: Usono (aka, USA)
revolution wrote:
Borsuc wrote:
How do you guys even get your USB pens infected anyway? :?
You mean you have NEVER ever, not once, put your USB pendrive into another computer AND you have NEVER ever, not once, put someone else's pendrive into your computer? Don't you have any friends at all? ;)


Damn pendrives these days, never stopping to wear protection, they just stick themselves wherever they want! <bad Dana Carvey impersonation> When I was young, we walked twenty miles in the snow uphill to school ... and we LIKED it!!</bad SNL impersonation>
Post 19 Mar 2009, 04:03
Alphonso



Joined: 16 Jan 2007
Posts: 294
rugxulo wrote:
Damn pendrives these days, never stopping to wear protection, they just stick themselves wherever they want!
Some of the earlier pendrives came with a read-only switch, but they don't seem to do that anymore. :(
Not so useful if you want to copy from someone else's machine, but very useful when copying from your own machine to someone else's, and if there were something bad on there Windows might warn you by complaining about not being able to write to the pendrive. ;)
Post 19 Mar 2009, 06:22
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
LocoDelAssembly wrote:
Virus infection through pendrive really possible?

You're kidding, right? Those little !#@$&% are the favourite medium of infection nowadays. Virtually every piece of malware out there can infect them and, from there, move to other computers. Actually, I'm very surprised every time I insert my drive into some computer WITHOUT getting infected.
Next time, instead of infecting your computer by opening the drive, open the command line, open the drive from there and remove any autorun.ini file. Your malware doesn't seem to be like that, but in general the .exe itself will be hiding in a hidden+system+read-only directory like x:/CONFIG/<user GUID>/<file.exe> or x:/RECYCLER/<user GUID>/<file.exe>. Remove the H/S/R flags using attrib and delete the entire directory.
And do yourself and the world a favor by disabling all autoruns and encouraging people to do that too.
Post 19 Mar 2009, 09:18
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
<3 autoruns disabled from unattended windows setup.
<3 running limited user account on XP (not doing it but I ought to)
<3 Vista + UAC (on my laptop)

Oh yeah, I also use xplorer^2 as file manager, Alt+F1 to navigate drives - that shouldn't nasties, even if you haven't disabled autorun.
Post 19 Mar 2009, 12:44
Borsuc
revolution wrote:
You mean you have NEVER ever, not once, put your USB pendrive into another computer AND you have NEVER ever, not once, put someone else's pendrive into your computer? Don't you have any friends at all? ;)
How would it get infected if it's write-protected? You mean you guys don't do that when you access someone else's computer, more so if it's a PUBLIC computer (as I often do when I want my apps there, not some shitty Windows Explorer or Internet Explorer, for instance)? LOL.

As for a friend putting a USB into my computer: I said your USB pendrive, not his. If he infects my computer, you can be damn sure I'll find out before he unplugs it :P

_________________
Previously known as The_Grey_Beast
Post 19 Mar 2009, 21:52
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.