Flash drive infections - part 2

This is the second part of the article about flash drive infections. In the first part, some methods of protection against this threat were described.
The second part is more technical: I'll show how to perform a few simple checks to determine whether your computer is infected or not.

The telltale sign of this infection is a hidden autorun.inf file on the root of every partition, accompanied by the malware files themselves (these may be stored elsewhere on the drive).
Note: some protection programs deliberately create a harmless decoy autorun.inf file (or a folder with the same name) so that malware cannot create its own. Finding one of those is not, by itself, a sign of infection.

[Image: autorun_inf]

I usually use the command prompt (cmd.exe) to check a drive quickly.
For Windows XP: Start --> Run, type cmd and click OK
For Windows Vista: Start, type cmd in the Search box and press Enter

A command prompt window should appear. Type the command below (or copy it and right-click --> Paste):

dir /a:h X:\

where X is the letter of the drive you want to check. The /a:h switch restricts the listing to entries with the hidden attribute (files and folders alike); plain dir /a shows everything, hidden or not.

This lists all hidden files and folders on the root of the drive. If there are none, a "File Not Found" message appears. That is the normal state for a removable device: flash drives rarely have legitimate hidden files on their roots.

[Images: autorun3, dir_ah]

What do we see in the images above? Two different flash drives, with the hidden files on their roots displayed.
On the first one there is a hidden autorun.inf file and a fake Recycle Bin folder. When that flash drive is inserted and Autorun is enabled, the system reads the commands in autorun.inf and executes them when the drive is opened. Here the commands tell the system to run a malicious file hidden inside that Recycle Bin folder.
Once the infection gets onto your computer, it creates autorun.inf files on the root of every drive, hides its files in the existing Recycle Bin or creates a fake one, and finally drops another file that runs when the computer boots.

The actual location of the Recycle Bin varies depending on the operating system and filesystem. On the older FAT filesystems (typically Windows 98 and prior), it is located in Drive:\RECYCLED. In the NTFS filesystem (Windows 2000, XP, NT) it can be found in Drive:\RECYCLER, with the exception of Windows Vista which stores it in the Drive:\$Recycle.Bin folder.
Source: Wikipedia

In the second image we see malware files on the root of the drive. There is no autorun.inf file because the malware could not create one: the drive already carries a decoy autorun.inf file (or a locked folder with that name) that cannot be deleted or overwritten by normal means (Panda's USB Vaccine has such an option). As a result, this flash drive will not infect other computers unless the malware files are run manually.
Note that the root of a drive is no place for executable files. Hidden files there with extensions such as .exe, .bat, .cmd or .vbs should make you suspicious.
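The two checks described above can be applied offline. The following Python script is an added example for this article, not code from the original page: assess_autorun_inf() parses an autorun.inf and reports which directives launch a file (open=, shellexecute=, shell\<verb>\command=), whether that file is an executable and whether it sits inside a Recycle Bin folder, and suspicious_root_entries() takes the (name, hidden, folder) entries of a drive root and flags autorun.inf, hidden executables and a Recycle Bin folder on removable media. The function names and reason codes are my own, and the sample autorun.inf and directory listings are constructed for the example (the SID-like folder name is made up), shaped like the two drives in the screenshots. scan_root() feeds a real drive root into the second check; it relies on st_file_attributes, which Python exposes only on Windows.

```python
"""Offline checks for the autorun.inf infection pattern described above.
Added example for this article, not code from the original page.
assess_autorun_inf() parses an autorun.inf and reports what it launches;
suspicious_root_entries() flags telltale entries on a drive root."""
import os
import re

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute bit for "hidden"
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".scr", ".pif"}
RECYCLE_BIN_NAMES = {"recycled", "recycler", "$recycle.bin"}  # per OS, see Wikipedia quote
LAUNCH_KEYS = {"open", "shellexecute"}  # directives whose value is a file to run


def parse_autorun_inf(text):
    """Return {key: value} from the [autorun] section, keys lowercased;
    ';' comments and other sections are ignored."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def _first_token(value):
    """Program part of a command value: '"RECYCLER\\x.exe" -q' -> 'RECYCLER\\x.exe'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def assess_autorun_inf(text):
    """Return (targets, notes): targets maps each launching directive to the
    file it runs; notes is a set of reason codes explaining why it matters."""
    directives = parse_autorun_inf(text)
    targets, notes = {}, set()
    for key, value in directives.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key not in LAUNCH_KEYS and not is_verb_command:
            continue
        target = _first_token(value)
        targets[key] = target
        parts = [p for p in re.split(r"[\\/]", target) if p]
        if parts and os.path.splitext(parts[-1])[1].lower() in EXEC_EXTENSIONS:
            notes.add("runs_executable")
        if any(p.lower() in RECYCLE_BIN_NAMES for p in parts[:-1]):
            notes.add("target_in_recycle_bin")  # the "fake Recycle Bin" trick
        if is_verb_command:
            notes.add("context_menu_command")  # adds or overrides a right-click entry
    if "shell" in directives:  # shell=<verb> changes what double-clicking the drive does
        notes.add("default_action_changed")
    return targets, notes


def suspicious_root_entries(entries, removable=True):
    """entries: iterable of (name, is_hidden, is_dir) for one drive root.
    Returns [(name, reason_code)] in listing order."""
    flagged = []
    for name, is_hidden, is_dir in entries:
        lower = name.lower()
        if lower == "autorun.inf":  # a folder is the vaccine decoy; a file must be read
            flagged.append((name, "autorun_inf_folder" if is_dir else "autorun_inf_file"))
        elif is_dir and lower in RECYCLE_BIN_NAMES and removable:
            # Windows keeps no Recycle Bin on removable drives, so something else made this
            flagged.append((name, "recycle_bin_on_removable"))
        elif is_hidden and not is_dir and os.path.splitext(lower)[1] in EXEC_EXTENSIONS:
            flagged.append((name, "hidden_executable"))
    return flagged


def scan_root(path, removable=True):
    """Apply suspicious_root_entries() to a real root, e.g. scan_root("E:\\").
    st_file_attributes exists only on Windows; elsewhere nothing counts as hidden."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
            entries.append((e.name, bool(attrs & FILE_ATTRIBUTE_HIDDEN), e.is_dir(follow_symlinks=False)))
    return suspicious_root_entries(entries, removable)


# Constructed samples (not captured from real malware); the SID-like folder name is made up.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Explore
shell\open\command=RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\update.exe
shell=open
"""
CLEAN_AUTORUN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Vendor tools\n"
DRIVE_ONE = [("autorun.inf", True, False), ("RECYCLER", True, True), ("Documents", False, True)]
DRIVE_TWO = [("autorun.inf", False, True), ("update.exe", True, False), ("run.vbs", True, False), ("photos", False, True)]

if __name__ == "__main__":
    targets, notes = assess_autorun_inf(SAMPLE_AUTORUN_INF)
    for key, target in targets.items():
        print(f"{key}= launches {target}")
    print("notes:", ", ".join(sorted(notes)))
    print("drive one:", suspicious_root_entries(DRIVE_ONE))
    print("drive two:", suspicious_root_entries(DRIVE_TWO))
```

On the constructed first drive the script reports a hidden autorun.inf and a Recycle Bin folder that Windows would never have created on removable media; parsing the autorun.inf then shows both open= and shell\open\command= pointing at an executable inside that folder, with shell=open making the double-click action run it. On the second drive the autorun.inf is a folder (the decoy), so the only findings are the hidden executables sitting on the root.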

If your computer is infected with this type of malware (or the infection has been only partially removed), you may notice strange behaviour when opening drives from Windows Explorer: error messages (that a file is missing, "Windows cannot find ..."), drives opening in a new window, or an altered right-click menu. Typically the autorun.inf file is still in place but points to a malware file that has already been deleted, so Windows reports that it cannot find it.


Additional reading:
- Flash drive infections - part 1

Published: 10 July 2009