flat assembler
Message board for the users of flat assembler.

Index > Heap > Virus infection through pendrive really possible?

Enko
I work in a cellphone house, and many times I need to connect the phone to the PC as a flash drive. 10% of the phones are infected. As there is no antivirus here, the PC gets infected.
In Windows, the virus hides all the hidden files and system files. It's impossible to turn on the show hidden files option.

Very easy to clean, just using HijackThis and cmd to delete hidden files.

You can tell that you are infected just by opening the C or D drive in My Computer with a double-click: it opens in a new window even though the settings are set to open in the same window.
Post 21 Mar 2009, 13:35
Borsuc
Enko wrote:
In Windows, the virus hides all the hidden files and system files. It's impossible to turn on the show hidden files option.
That's only if you use the shitty Windows Explorer

_________________
Previously known as The_Grey_Beast
Post 21 Mar 2009, 15:45
LocoDelAssembly
BTW, does a half-way solution to this problem exist? After applying revolution's reg settings, the dialog box asking me what I want to do with the pen no longer appears, and that one was safe (with the autorun.inf provided in this thread at least).

Is there no setting such that it is safe to double-click the volume in My Computer but still have the initial dialog when a pen is plugged in?
Post 15 Jul 2009, 21:51
f0dder
Borsuc wrote:
Enko wrote:
In Windows, the virus hides all the hidden files and system files. It's impossible to turn on the show hidden files option.
That's only if you use the shitty Windows Explorer
Not if the hiding is done using rootkit techniques.

_________________
carpe noctem
Post 15 Jul 2009, 22:42
Borsuc
What? You don't even need "Show Hidden Files and Folders" if you use a different file manager, because that option is in Windows Explorer. I use Total Commander and I can see all system/hidden files. (OK, I set it to not show super-hidden ones...)

Post 16 Jul 2009, 01:53
LocoDelAssembly
Borsuc, but rootkits can go even further and filter some files from being listed by the Windows API, which your file manager surely relies on (and could go even further and filter the file enumeration at FS-driver level too, or simply hook the system calls and filter there).
Post 16 Jul 2009, 04:12
Pirata Derek
I disabled the AUTORUN feature on my PC so infected pendrives can't be executed and then can't infect my PC.

To disable the AUTORUN feature you have to:
1) go to START and press RUN
2) type: GPEDIT.MSC and press enter
3) go to Administrative Templates --> System --> Disable Autorun
4) click ACTIVATE (meaning activate the disable feature)
5) select: ALL UNITS or ALL DRIVES.
6) Do the same for both Local Computer and Local User configuration

Now if I insert an infected pen-drive, the virus can't run itself.
Also I assembled a program that:
1) waits until a removable media is inserted.
2) if there is the file AUTORUN then reads it and finds the open command
3) erases the autorun executable from the open command.
4) erases the autorun file.
5) RESULT: the virus is F***ED OFF.
Post 16 Jul 2009, 07:55
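Pirata Derek's program reads a removable drive's autorun.inf and finds its open command. The following is an added example, not the program from the post nor any fasm code from this thread: a Python inspector that parses an autorun.inf the way padded inf files require (junk sections, odd casing, quoted paths) and reports which executables the file would launch, leaving the decision to delete anything to the operator. The sample inf and the RECYCLER path in it are constructed.

```python
import re

# Entries that launch a program: open, shellexecute, and shell\<verb>\command.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

def parse_autorun(text):
    """[autorun] section as {lower-cased key: raw value}; tolerates junk
    sections, comments, odd casing and spaces around '=' (strict INI
    parsers choke on padded inf files)."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def first_token(command):
    """Program part of a command line: a quoted path or the first word."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command.split() else ""

def launch_targets(entries):
    """Executables the inf would start, keyed by the entry naming them."""
    return {key: first_token(value) for key, value in entries.items()
            if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key)}

def assess(text):
    """('benign', {}) if nothing would run, else ('launches', targets)."""
    targets = launch_targets(parse_autorun(text))
    return ("launches", targets) if targets else ("benign", {})

# Constructed sample (not from the thread): junk section, mixed casing, RECYCLER payload.
SAMPLE_INF = """[Junk]
x=y

[AutoRun]
OPEN = RECYCLER\\S-1-5-21-1234\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\Command="RECYCLER\\S-1-5-21-1234\\setup.exe" /autoplay
"""
```

Run `assess(open(r"E:\autorun.inf").read())` against a freshly mounted drive to see what a double-click in My Computer would have started.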
Pirata Derek
I agree with LocoDelAssembly.

For EXAMPLE:
The last virus, Bagle (or Beagle), that infected my PC hid itself using a driver called SROSA.sys.
The driver hooks many Native API calls the NT kernel uses to manage directories.
When ANY program requests a list of the files present in a specified directory,
the hook driver erases any reference to the virus file modules, so the system call returns a list of files without the virus files.

But the Bagle virus writer is an IDIOT because he forgot people can disable the virus driver by erasing the registry key (driver autostart) and, after reboot (unplugged so the virus hasn't the time to check the driver), kill the virus processes very fast (with Task Manager) and erase their executables.

"INSERT THE BRAIN THERE"
For the Bagle virus writer

Write better code next time, fool
Post 16 Jul 2009, 08:03
Borsuc
How the hell do you manage to install a DRIVER without you knowing?

Post 16 Jul 2009, 18:59
Azu
Borsuc wrote:
How the hell do you manage to install a DRIVER without you knowing?
By opening a website in IE
Post 16 Jul 2009, 22:57
f0dder
Azu wrote:
Borsuc wrote:
How the hell do you manage to install a DRIVER without you knowing?
By opening a website in IE
Or Firefox, for that matter - some of the biggest exploit vectors right now are Java and Flash. IE on a Vista machine running in low-privilege mode should actually be a bit safer than Firefox against those exploits.

Post 17 Jul 2009, 04:24
Azu
f0dder wrote:
Azu wrote:
Borsuc wrote:
How the hell do you manage to install a DRIVER without you knowing?
By opening a website in IE
Or Firefox, for that matter - some of the biggest exploit vectors right now are Java and Flash. IE on a Vista machine running in low-privilege mode should actually be a bit safer than Firefox against those exploits.
Only if privilege escalations weren't so easy.
Post 17 Jul 2009, 04:28
computerex
Just a couple of days ago I found my computer acting weirdly; I kept getting an error message, "Exception processing message parameter...". Apparently some program was attempting to access some disk. I did an anti-virus scan, and apparently I had W32.virtob.gen.12. I was planning to re-install anyway, so I just re-installed XP on my XP partition. Everything seemed to be going fine after the re-install. Only after a couple of hours, however, I started having the same issue. Then it hit me... The virus probably propagated to my storage partition. So I just booted into my Linux installation and cleaned the storage partition/XP partition from there. However, after the disinfection/removal of certain files, the XP installation became very unstable, so I ended up re-installing again. Everything *seems* to be going OK now. Still waiting to see.
Post 19 Jul 2009, 22:21
Pirata Derek
In this period there are some viruses that can infect PE executables, like Win32.Vitro.
These viruses can infect most of the system executables.
Only if you do a complete PC scan do you get rid of their infection.
A single infected executable (that you forgot) can reinfect the whole PC.

They can become nightmares!
Post 20 Jul 2009, 17:47
Azu
Wow, there are now viruses that infect PE executables!?

Thanks for the heads up!
Post 20 Jul 2009, 20:33
Pirata Derek
Also, the Win32.Vitro virus inhibits Internet Explorer from opening some anti-virus web sites...
Post 21 Jul 2009, 08:21
Borsuc
f0dder wrote:
Azu wrote:
Borsuc wrote:
How the hell do you manage to install a DRIVER without you knowing?
By opening a website in IE
Or Firefox, for that matter - some of the biggest exploit vectors right now are Java and Flash. IE on a Vista machine running in low-privilege mode should actually be a bit safer than Firefox against those exploits.
Shouldn't the "unsigned" message pop up?
Also, in Firefox, there's NoScript...

Post 21 Jul 2009, 19:02
sleepsleep
Just wanna know, is there any proven solution for such a problem, viruses that propagate through SD card, pen drive, internet, etc.??

Antivirus? Or?
Post 05 Dec 2009, 10:24
kohlrak
You could delete the autorun file on it, disable autorun, and flip out if you ever see an autorun file on your USB drive...

Though, to add to the ancient discussion... The only thing that ticks me off more than a virus trying to spread over my USB drive is an antivirus deleting my fasm on my USB drive...
Post 05 Dec 2009, 10:42
vid
Quote:
Just wanna know, is there any proven solution for such a problem, viruses that propagate through SD card, pen drive, internet, etc.??

Pirata Derek already told you: disable autorun
Post 05 Dec 2009, 11:42
Copyright © 1999-2020, Tomasz Grysztar.
