Cal Poly Pomona

Security Advisory: USB Bot


Overview

The USB bot is a type of computer virus that has the potential to infect all Windows computers on campus. Macintosh computers running Windows are also susceptible to this threat.

This threat spreads when infected removable devices such as thumb or flash drives, music players, cell phones, cameras, external drives, etc. are connected to the USB port of a Windows computer.

When a bot takes over your computer, the person controlling it can download malicious software, steal your personal information and/or use your computer to attack other systems on the Internet. Botnets (sets of computers controlled by the same people) are often operated on behalf of international organized crime, so these infections need to be taken seriously.

If you have used any removable devices on your Windows computer, there is a reasonable chance your computer has been infected, even if you haven't noticed a difference in how it was running.

If you suspect your computer has been infected and don't think you can check and clean your USB device yourself, contact your local campus technician. If you don't have a local campus tech, then contact the Cal Poly Pomona Help Desk by logging into Web Help Desk (WHD) and submitting a Help Desk ticket (you will need to know your BroncoName and BroncoPassword). If you can't log into WHD, use the help request form.


Immunize your computer against catching this bot virus from USB devices

By disabling the Windows autorun feature, you can immunize your computer against catching the USB bot virus from USB devices.

How to Disable Windows Autorun:

The infection spreads from a USB device to your computer by taking advantage of a Windows feature called autorun.

If autorun is disabled, this virus will not be able to infect your computer from a thumb drive, smart phone, camera, music player or other device that connects to your computer's USB port.

Disabling autorun will also prevent software on a CD or DVD from starting automatically when you insert the disc. You will need to open the drive in Explorer and double-click the multimedia program that would normally have opened on its own. The protection you gain by disabling autorun, however, should make up for this minor inconvenience.

To disable the Windows autorun feature, see http://support.microsoft.com/kb/967715.


How to Check and Clean your USB Device

If you are comfortable working at a somewhat technical level, the following instructions will help you determine whether a USB (or Firewire) media device is infected and, if needed, clean it up.

NOTE: Do NOT attempt to examine a possibly infected device on a computer running Windows.

To safely check and clean your removable media:

  1. Use a computer that is not running Windows:
    1. A Macintosh - Make sure it is not running an active instance of Windows under VMware Fusion, Parallels Desktop, etc.
    2. Or, a PC booted from an operating system other than Windows (e.g., a Knoppix CD).
    3. Or, a Linux system.
  2. Connect (insert) the device to be inspected.
  3. If this doesn't occur automatically, mount the device.
  4. Locate a file named Autorun.inf at the root of the device. If you don't find such a file, your device is not infected. Go to Step 9.
  5. If Autorun.inf is present, open the file in a text editor.
  6. Locate the line that begins with open=.
  7. Locate the file that is listed in the "open=" line. Some examples of a malicious file that you might find are:
    1. secret.exe
    2. userinit.exe
    3. system.exe
    4. phim nguoi lon.exe (Variant 1)
    5. winse32.exe
    6. wiseni32.exe (Variant 2)
    7. wab32.exe (Variant 3).

      Note: If you find U3Launchpad.exe after open=, your device is not infected. This is a legitimate entry which is needed for U3 devices. Devices using specialized encryption technology may also have a legitimate auto-launch file listed here. If this is the case, do not follow the remaining steps.

  8. If the file is malicious, delete the file that is listed in the open= line.
  9. Delete the Autorun.inf file.
  10. Delete any directory with either of the following names:
    1. RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013
    2. RECYCLED\S-1-5-21-1482476501-1644491937-682003330-1013
  11. To help prevent a future infection, create a directory at the root of the drive named Autorun.inf.
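The following Python 3 script is an added example, not part of this advisory, that carries out steps 4 through 11 above on a device mounted on a Macintosh or Linux system. The malicious file names, the U3Launchpad.exe exception and the SID-named RECYCLER/RECYCLED directories are taken from the advisory; the script name usb_check.py, the mount point argument and the constructed sample device built in demo() are assumptions for illustration. It reports only, and deletes files only when the open= target is one of the names listed above; an open= target on neither list is reported for manual review (step 7) rather than removed, and a target that points outside the device is refused.

```python
import re
import shutil
import sys
import tempfile
from pathlib import Path

# File names the advisory lists after open= in a malicious Autorun.inf (variants 1-3).
KNOWN_MALICIOUS = {"secret.exe", "userinit.exe", "system.exe", "phim nguoi lon.exe",
                   "winse32.exe", "wiseni32.exe", "wab32.exe"}
KNOWN_LEGITIMATE = {"u3launchpad.exe"}  # U3 devices: legitimate auto-launch entry, per the advisory
SID = "S-1-5-21-1482476501-1644491937-682003330-1013"  # copied from the advisory's step 10
SUSPECT_PARENTS = ("RECYCLER", "RECYCLED")
OPEN_LINE = re.compile(r"^[ \t]*open[ \t]*=[ \t]*(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)

def find_child(root, name):
    """Case-insensitive direct-child lookup: FAT volumes may list Autorun.inf as AUTORUN.INF."""
    return next((e for e in Path(root).iterdir() if e.name.lower() == name.lower()), None)

def parse_open_target(autorun_path):
    """Return the value of the first open= line (a Windows-style relative path), or None."""
    m = OPEN_LINE.search(autorun_path.read_bytes().decode("utf-8-sig", errors="replace"))
    return m.group(1).strip().strip('"') if m else None

def target_path(root, target):
    """Resolve an open= value under the mount point, refusing anything that escapes the device."""
    root = Path(root).resolve()
    candidate = (root / target.replace("\\", "/")).resolve()
    if root != candidate and root not in candidate.parents:
        raise ValueError(f"open= target escapes the device: {target!r}")
    return candidate

def inspect_device(root):
    """Steps 4-7 and 10 of the advisory, read-only: a verdict plus what clean_device would remove."""
    root = Path(root)
    report = {"verdict": "clean", "autorun": None, "open_target": None, "suspect_dirs": []}
    for parent in SUSPECT_PARENTS:
        d = find_child(root, parent)
        if d is not None and (d / SID).is_dir():
            report["suspect_dirs"].append(d / SID)
    autorun = find_child(root, "Autorun.inf")
    if autorun is None or not autorun.is_file():
        # No Autorun.inf file (or only the protective directory from step 11): not infected.
        report["verdict"] = "suspicious" if report["suspect_dirs"] else "clean"
        return report
    report["autorun"] = autorun
    report["open_target"] = target = parse_open_target(autorun)
    name = Path(target.replace("\\", "/")).name.lower() if target else ""
    if name in KNOWN_LEGITIMATE:
        report["verdict"] = "legitimate-autorun"
    elif name in KNOWN_MALICIOUS:
        report["verdict"] = "infected"
    else:
        report["verdict"] = "review"  # on neither list: a person must look at it (step 7)
    return report

def clean_device(root, report):
    """Steps 8-11 for a device already classified by inspect_device; returns the actions taken."""
    actions = []
    if report["verdict"] in ("legitimate-autorun", "review"):
        return actions  # advisory: leave legitimate entries alone; unknown targets need a human
    if report["verdict"] == "infected":
        victim = target_path(root, report["open_target"])
        if victim.is_file():
            victim.unlink()
            actions.append(f"deleted {victim.name}")
    if report["autorun"] is not None:
        report["autorun"].unlink()
        actions.append("deleted Autorun.inf")
    for d in report["suspect_dirs"]:
        shutil.rmtree(d)
        actions.append(f"deleted {d.parent.name}/{d.name}")
    protect = Path(root) / "Autorun.inf"
    if not protect.exists():
        protect.mkdir()  # step 11: a directory of that name blocks a later Autorun.inf file
        actions.append("created Autorun.inf directory")
    return actions

def demo():
    """Constructed sample: an infected device image in a temp dir, inspected, cleaned, re-inspected."""
    root = Path(tempfile.mkdtemp(prefix="usb-"))
    (root / "AUTORUN.INF").write_bytes(b"[autorun]\r\nopen=system.exe\r\nicon=system.exe\r\n")
    (root / "system.exe").write_bytes(b"MZ placeholder, not a real program")
    (root / "RECYCLER" / SID).mkdir(parents=True)
    (root / "photos").mkdir()  # user data that must survive cleaning
    before = inspect_device(root)
    actions = clean_device(root, before)
    after = inspect_device(root)
    photos_kept = (root / "photos").is_dir()
    shutil.rmtree(root)
    return before["verdict"], actions, after["verdict"], photos_kept

if __name__ == "__main__":  # usb_check.py MOUNT_POINT [--clean]; no argument runs the self-test
    if len(sys.argv) < 2:
        print(demo())
    else:
        report = inspect_device(sys.argv[1])
        print(report, clean_device(sys.argv[1], report) if "--clean" in sys.argv else "")
```

Run `python3 usb_check.py /media/usb` first to see the report without changing anything, and add `--clean` only after reading the open= target it shows. Two design points worth noting: the script matches names case-insensitively because FAT-formatted drives often report Autorun.inf in upper case, and it resolves the open= target before deleting so that a path containing `..` cannot make the cleanup touch files outside the mounted device.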


This page was last updated on August 10, 2009.
