skip to primary navigationskip to content
 

USB Memory Sticks and Worms

Virus and malware writers are nothing if not creative. The emergence of the pen flash drive (most commonly known as an USB memory stick) has given authors of such software a wonderful new opportunity. USB pen drives can be infected by the simple act of inserting an USB pen drive into an infected machine, using a Windows feature generally known as Autorun. An infected USB stick will then pass the malware onto any machine in which it is used.

The most famous example of this type of pest is the malware most commonly known as Conficker but there are plenty of others.

  1. Such malware commonly exploits MS08-067 and other vulnerabilities, another good reason for making sure Windows PCs are kept updated.
  2. Conficker, and others of this type, infect removable devices and network shares by creating a special autorun.inf file and writing their own DLL file to the infected drive.
  3. Conficker can also spread via network shares.

Dealing with infected machines and USB memory sticks

Many USB sticks have a slider/switch which, like the old floppies, can be set to read-only. Making a USB stick read-only should prevent Conficker infecting it. Or, if you are trying to clean a Conficker infection, read-only mode can be used to copy anti-virus updates and anti-malware executables safely to your infected machine. However the slider is often not very noticeable and you may need to look carefully to find it.

USBreadonly.jpg


The example above, with the padlock symbol, is fairly typical. You will need to remove the device in the usual way (ie stop it) and re-insert it when changing to and from read-only mode. Or, of course, you can use a CD/DVD to upload anti-virus and anti-malware software to an infected machine.

How do I clean an infected USB stick?

Infected USB sticks can be cleaned with the same anti-virus or anti-malware tools used to deal with infected machines. An up-to-date version of VirusScan or Microsoft Security Essentials will normally work well. However you will need to remove the read-only lock to clean the USB stick, so you could potentially re-infect the machine that you plug the stick into if you don't have the right (and up-to-date) software installed. Alternatively you could just reformat the USB stick!

Disabling Autorun

Autorun can enable CD/DVDs and USB pens to start automatically if the Autoplay setting is chosen. If you haven't set the default to Autoplay then recent Windows systems (eg Vista or Windows 7) will ask you what you want to do when you insert a DVD or USB stick, but this is still not very safe. Windows Support recommends that you consider disabling certain aspects of this feature for safety, particularily if you've already been infected.

The Microsoft article explaining How to disable the Autorun functionality in Windows is useful for Techlinks and Computer Officers, but may be difficult for other users. Basically you must:

  1. Ensure that you are up-to-date with Microsoft patches. If you are unsure whether the system is up to date run Windows Update from the Control Panel to check.
  2. Then use Group Policy to change some Autorun settings.
  3. Note that if you have Home versions of Windows XP, Vista or 7, these versions don't allow access to Group Policy. You may need to edit a couple of registry keys. If you have to do this, please backup the registry beforehand.
  4. If you don't feel capable of editing the registry yourself or don't understand what the instructions are on about, you need to ask for help from your Computer Officer or the Service Desk. Making a mistake in editing the registry can cripple your machine.

This Conflicker and Social Engineering page gives a further idea of how such viruses spread. You could also try the free Panda USB Vaccine to disable Autorun.inf on USB sticks and desktop computers which have been infected, and to prevent further infection. However as always use with caution with specialized USB devices.