The Pen-drive Short-cut Virus – Solutions in Context


Introduction

In spite of using public computers with as much prudence as possible, and running two anti-virus programs when conditions seemed to call for it, we have had the misfortune of having our pen-drives infected with the short-cut virus. This article is about the single short-cut version, which hides all files and folders. Our research uncovered several deficiencies in existing articles. We will not pretend to give the definitive solution to the problem, but we can warn the reader about what special measures might eliminate certain headaches in the future. That advice goes for everyone.

On a more specific level, we needed to find a way to clean up an off-line computer.  For those who would find such advice unnecessary, this information is kept separate from the first part. We regret that the information is more complete about our failure at removing the virus than about success.

This advice will be especially useful to those who are unable to just go out and spend money on a better solution, and who cannot find WSCRIPT.vbs or similar in the Task Manager (or “odwcamszas” or “nkvasyoxww.vbs” using the registry editor), which is the emphasis of most of the pages we have seen. After 9 months, we found our problem to be a horse of a different color.

What Everyone Needs to Know

It has been observed, once the files and folders were made visible again, that (at least with this user’s computer: XP), trying to rename the folder recovered using standard techniques, or removing the xxx.lnk file (we dare not repeat the experiment to be sure which was the case) caused a (presumed) loss of absolutely all information.  This had to be retrieved with file recovery software.

Unnamed Folder and “Name-of-Drive.lnk”, in this case, NOT32G (for a defective device described in “Sure-fire Identification of Fake Pen-Drives”)

The results of using the above-mentioned software were telling, in that it was revealed that one or several files on the pen-drive had been rendered totally or partially unusable, as they had been overwritten by the rogue software.

For this reason, we recommend that all pen-drives carry, from the outset, a dummy file of considerable size (let’s say, a duplicate of a good file, to make things easy), so that it will be this unnecessary file which will be damaged, and not something of a more valuable nature. We have been using such files of about 500 megabytes to 1 gigabyte. This value should be based on the size of the largest files one expects to have. (We have some doubts about the usefulness of this idea, but excessive testing would slow down our drive when eliminating the virus forces a reformat.)

Much of the freeware does not seem to do anything, or at least not what might be expected.  Some of it requires on-line connections. Removal of malware may cause the computer to fail.  We will consider just the programs that claim to protect the USB device.

Autorunexterminator should stop the virus from entering the computer. We see that it runs continuously if the pen-drive is infected. If that drive is not infected but the computer is, then, in conjunction with the next-mentioned software, we have good news and bad news – on the plus side, the virus will not enter the USB device, but it will still hide the files on an infected device. What it seems to do reasonably well is keep a virus within the USB storage device from getting out. Of several thousand encounters (all filling up an eventually bloated log file with not-too-useful repetitive lines, thus calling for occasional clean-up), it apparently eliminated a potential new infection once. By apparently, I do not mean that the drive seemed to remain uninfected – it wasn’t – but without a better understanding of how this software works, we cannot guarantee that it did not “pretend” to do a clean-up job. On balance, the product seems to work.

An accidental failure to keep a file on our computer (msiexec) from running, in spite of the above two programs being activated, resulted in files being hidden on the flash drive. At least the virus did not actually enter the drive, the proof being that autorunexterminator was not counting any eliminations. MSIEXEC does not seem to have been the infected file, but the means by which it moves into the removable drive.  After 9 months, a better solution was found, but for security, we ourselves will continue to follow the procedures outlined below.

For maximum security, download the zipped version from a trusted site (many are not) and check for a CRC32 of 38130AB4.

BitDefender USB Immunizer, when used on an infected USB device, gives a false sense of security, at least in our experience. We do not care to see whether it was this software, or the Autorunexterminator, which gave the best results when the flash drive was virus-free. Some warnings about this: if it works, the autorun feature is supposed to be permanently disabled. The reader therefore has a choice to live without autorun, or to attempt to isolate a problem. At a later date, we will add more definite ideas on what, if anything, is happening, but we have seen the installed product disabled by Rogue Killer on our home machine. A test today on a different machine did not give the same result. We intend to determine whether both programs are identical.

After more than half a year, we have finally backed up all files of an infected 16 Giga drive, reformatted it, and intentionally infected the device again, in order to monitor what happens. A device of 64 giga capacity, and with a more malicious problem, was tackled at the beginning of September (2016). Unfortunately, no anti-virus program worked, so it had to be reformatted. But we noticed the following with the USB Immunizer: it failed to prevent an infection, because it did not enter into action until it was too late. This does not mean that it is totally useless. If the removable storage device was inoculated before the virus entered the computer, there should be no problem. Our test was conducted by freeing the virus, and plugging in the thumb drive. Unfortunately, if the PC is infected, the virus needs to be neutralized first.

Once we make a backup of all the files on one of the last infected drive, we will be able to test the supposed limitations of an “immunized” item.  [The previous paragraph relates to the test which was promised in the cross-out line.] When a computer is infected, it certainly has not prevented files and folders from being hidden.  Redundantly, we repeat, it has prevented the virus from spreading.

Under any circumstances, if the computer is infected, and not capable of easy cleaning, we do recommend using the above two programs as a security measure.  No evidence has been found that either program is doing anything negative.

Then, to retrieve data (whether corrupted or not), run the following command from a DOS (CMD) window, found under “Accessories” (note that the switches use ordinary hyphens, not dashes):

attrib X:\*.* /d /s -r -s -h

where X is the drive letter of the problematic device.

Press ENTER after writing the above.

In our image further above, the drive letter is E, so we would have to write:

 attrib E:\*.* /d /s -r -s -h

Wait until the cursor stops blinking. If you have the drive open in Windows, the folder will appear when this process is complete.

[When an infection occurred while running autorunexterminator and the “Immunizer” mentioned above, the above command refused to work for us. In this case, the solution is to change to the root of the infected drive and run the following there:

attrib *.* /d /s -r -s -h]

Some web sites change the order of these instructions, but this is the traditional way.

DOS / CMD Window. The second use of “attrib” was not necessary. To the right, a partial view of the autorunexterminator window, with 129 attempts at infection having been blocked. The counter for autorun.inf deleted has never shown any results. Conclusions may be made from this fact.

You will now have the link, which should not be clicked; a folder with no identification, which we recommend not renaming; some system files, one being desktop.ini, which we have found to be a virus in the past – but not in this case; a file with cataloguing information: IndexerVolumeGuid; and a suspect file, which corresponds with a number that appears on our malware scan. Erasure of the latter is recommended, as a new one will install with every plug-in, contributing to the danger of losing an important file.  It may look something like this – in length and general appearance: {A762EF91-E231-42AB-9677-966D65F4C66B} – in other words, brace brackets with a combination of letters and numbers representing something in hexadecimal notation.  Lest our example should have made any sense, we have changed some of the characters.
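As an added example (not code from the original post), the following Python script applies the triage just described to the text of a “dir /a” listing of the drive root, picking out the drive-name shortcut, the nameless folder, the {GUID} file, desktop.ini and IndexerVolumeGuid. The listing, the folder name made of one non-breaking space, and the verdict keys are constructed assumptions.

```python
import re

# One "dir /a" entry line: date, time, "<DIR>" or byte count, then the name, which
# may contain spaces or be a single blank/non-printing character (the "unnamed" folder).
ENTRY_RE = re.compile(
    r"^\s*(\d{2}[/.-]\d{2}[/.-]\d{4})\s+(\d{1,2}:\d{2}(?:\s*[AaPp]\.?[Mm]\.?)?)"
    r"\s+(<DIR>|[\d.,]+) *(.*)$")
LABEL_RE = re.compile(r"Volume in drive [A-Za-z] is (.+?)\s*$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample of "dir /a E:\" on an infected root (not output from the post).
SAMPLE_DIR_OUTPUT = "\n".join([
    " Volume in drive E is NOT32G",
    " Directory of E:\\",
    "",
    "14/01/2016  10:32    <DIR>          \u00a0",        # folder named with one NBSP
    "14/01/2016  10:32             1,024 NOT32G.lnk",
    "14/01/2016  10:33               282 desktop.ini",
    "14/01/2016  10:33                76 IndexerVolumeGuid",
    "14/01/2016  10:34            12,288 {A762EF91-E231-42AB-9677-966D65F4C66B}",
    "               4 File(s)         13,670 bytes",
    "               1 Dir(s)  15,000,000,000 bytes free",
])

def parse_dir_listing(text):
    """Return (volume_label, [(name, is_dir), ...]) parsed from 'dir /a' output."""
    label, entries = None, []
    for line in text.splitlines():
        m = LABEL_RE.search(line)
        if m:
            label = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and m.group(4) not in (".", ".."):
            entries.append((m.group(4), m.group(3) == "<DIR>"))
    return label, entries

def classify(name, is_dir):
    """Map one root entry to a verdict key; the advice follows the post."""
    low = name.lower()
    if is_dir:               # nameless folder holds the real files: do not rename it
        return "unnamed-folder" if name.strip() == "" else "other"
    if low.endswith(".lnk"):  # the drive-name shortcut: never click; delete after recovery
        return "shortcut"
    if GUID_RE.match(name):  # {GUID} file re-created on every plug-in: erase it
        return "guid-file"
    if low == "desktop.ini":  # legitimate here, but has been a virus before: scan it
        return "system-file"
    if low == "indexervolumeguid":  # Windows cataloguing data: harmless
        return "index-file"
    return "other"           # anything else: inspect manually

def triage(dir_output):
    """Return {entry name: verdict key} for every entry in the listing."""
    _, entries = parse_dir_listing(dir_output)
    return {name: classify(name, is_dir) for name, is_dir in entries}
```

Feeding it the saved output of “dir /a E:\ > listing.txt” from a clean machine gives a per-entry verdict without touching the drive.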

Clean-up was a bit late! Files to eliminate marked in the red box.

There is a cleaner way of doing this, though inexperienced users may find it a bit intimidating. Go to this educational web-site, read all instructions carefully (we do not want to repeat copyrighted material), download the ShortcutVirusRemover.bat, and use it as instructed! It has the advantage of eliminating the *.lnk file. What we did not find was “hepzhqhojo” – we can add that to our list of WSCRIPT.vbs, “odwcamszas”, and “nkvasyoxww.vbs”. Surely the developers of the virus are staying a step ahead of us. Who knows, someone who knows the solution may have developed the problem!

Clean-up of the Pen-drive

If your computer is suspect, the thing to do is find an internet café, a friend, relative, or your older computer – if compatible – and recover all the files on the pen-drive, and while they are safely on a different drive, reformat the flash device on the clean computer.

Create a folder with a short name, such as a single letter. This is where you will put the dummy file for future malicious files to overwrite (see the third paragraph of “What Everyone Needs to Know”). I recommend putting useful folders within this folder rather than directly in the root. That is where to put your recovered files, if convenient.

As long as you then use the recommended software (activated prior to plugging in the portable device), you may still need to use the DOS routine to uncover the files every time you plug the device into an infected computer, but at least the drive should be protected from being re-infected.

Special Data Recovery Considerations: This paragraph refers to backing up files before reformatting, while further above, our reference was to looking for files which were possibly overwritten by the virus.

Many of our files were educational and downloaded at relatively great expense from the internet.  These included dictionaries and text files in foreign languages.  For maximum security, two back-ups were made, as was a cyclical redundancy check for checksums for the original files (directly, or indirectly through zipping with the option to show CRC-32).  We noted the following problems, which readers might like to avoid: (1) a file with a space before the dot, for example, for a file named foo .html instead of foo.html was not transferred in one instance;  (2) a file with unicode characters could not be zipped – in this case, the *.rar extension was necessary; and (3) the check is justified, because some other files were missing for unknown reasons.  If the reader is lucky enough to have either nothing of value, or files which would be easier to replace without monotonously checking the integrity of each one, hours of work would be saved.  On the first drive we backed up, there were 977 files. There are some tricks to checking these more quickly, but that would be material for another article.
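As an added example (not the post’s own method), the following Python script does the CRC-32 comparison described above between an original tree and its backup, reporting files that are missing and files whose checksum differs; the same crc32_of_file function can check a download against a published CRC-32 such as the ones quoted earlier. The sample files, including one named “foo .html” and one with a non-ASCII name, are constructed in a temporary directory.

```python
import os
import tempfile
import zlib

def crc32_of_file(path, chunk=1 << 20):
    """CRC-32 of a file as the 8-hex-digit string archivers display (e.g. 38130AB4)."""
    value = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            value = zlib.crc32(block, value)
    return f"{value & 0xFFFFFFFF:08X}"

def crc_manifest(root):
    """Map each file's path relative to root (with '/' separators) to its CRC-32."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = crc32_of_file(full)
    return manifest

def compare_backup(original_root, backup_root):
    """Return (missing, mismatched): originals absent from the backup, and files
    present in both whose CRC-32 differs (damaged or partially overwritten)."""
    orig, back = crc_manifest(original_root), crc_manifest(backup_root)
    missing = sorted(p for p in orig if p not in back)
    mismatched = sorted(p for p in orig if p in back and orig[p] != back[p])
    return missing, mismatched

def build_demo():
    """Constructed sample data (not the post's files): an original tree and a
    backup with a skipped file and a partially overwritten file."""
    base = tempfile.mkdtemp(prefix="pendrive-check-")
    orig, back = os.path.join(base, "original"), os.path.join(base, "backup")
    files = {
        "check.txt": b"123456789",              # standard CRC-32 check value CBF43926
        "foo .html": b"<html>space before the dot</html>",
        "diccionario-espa\u00f1ol.txt": b"unicode name that plain zip refused",
        "lesson1.mp3": bytes(range(256)) * 16,
        "lesson2.mp3": bytes(255 - i for i in range(256)) * 16,
    }
    for root in (orig, back):
        os.makedirs(os.path.join(root, "D"))   # short-named folder, as the post advises
    for name, data in files.items():
        with open(os.path.join(orig, "D", name), "wb") as f:
            f.write(data)
        if name == "foo .html":                # fault 1: the copy tool skipped this name
            continue
        if name == "lesson2.mp3":              # fault 2: file partially overwritten
            data = data[:2048] + b"\xff" * 2048
        with open(os.path.join(back, "D", name), "wb") as f:
            f.write(data)
    return orig, back

if __name__ == "__main__":
    orig, back = build_demo()
    missing, mismatched = compare_backup(orig, back)
    print("missing from backup:", missing, "| CRC-32 mismatch:", mismatched)
```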

No Internet Connection

Our computer was running an out-of-date version of ESET, which nevertheless, by showing which files could not be opened, gave us a clue to where the problem was, as confirmed by anti-malware. Our attempt, though, to fix the minor problem (the one considered safe to repair) was in vain, because the infected file was continuously being changed (or, because we were not on-line).  Reading instructions of some of the programs suggested that they would make changes to the computer, but since these changes would very well touch the very heart of the operating system, it was decided not to go ahead.  A program by Norton absolutely would do nothing without first connecting to the world-wide web.  If you have the original OS software, as well as for all the accompanying programs, and have backed up all your valuable files, you may take the risk of using what works, or just starting from scratch – not a very enticing possibility.  Otherwise, if you are off-line, and need the functioning programs that you have, you will have to accept – until we find a better solution – the constant monitoring of the USB device with the procedures previously described.  At least, the drive will still be readable and writable, even though with a few minutes of extra inconvenience.

Software Used Before, During, and After the Infection

As we are forced to use Internet Cafés, use of antivirus programs prior to opening our mail or other pages, and before downloading into our storage devices, is mandatory, even where a clean boot may be assumed to have erased all viruses. We then use such antivirus programs as are appropriate. For safety, we recommend downloading from snapfiles.com, known until the Twin Towers debacle as webattack.com. The latter name has become both unfortunate and irrelevant, but it was catchy. The only file not from that site which we have recommended is autorunexterminator.

Some web-sites recommend products which are caught by anti-virus software – including other software against malicious programs.  Especially if the claim is made that the software is harmless, we refuse to accept such assurances. If we had run RogueKiller 10 days ago, we might not have used USB Immunizer, but the jury is still out on that product.

We have taken the following products for testing on our off-line computer, all of these stand-alone, as we wish to affect our computer settings as little as possible: TDSSKiller, Malwarebytes Anti-Rootkit BETA, Rootkit Buster, Bitdefender USB Immunizer, Emsisoft Emergency Kit (not yet tried at home, but elsewhere), RogueKiller, and Norton Power Eraser (fails to mention the need for an Internet connection, so unusable for our immediate purpose). Some of this software claims to be for advanced users, and we pay strict attention to warnings about what might happen, and refuse to take any non-calculated risks. Files were retrieved with Recuva, the portable version. [Update: Jan. 30, 2016: CAUTION: Google considered the file dangerous, though two anti-virus programs considered the file safe when downloaded by Windows Explorer from the same web-site, and Google permitted the download from the publisher’s website; the checksum (CRC-32 version) is C7021E89, or an MD-5 containing the strings 1000 and 5999.] Some other product did not give us a correct listing of the (fortunately) few files that had to be replaced on the drive. This software will allow the user to see which files are damaged. Some may have been erased a long time ago, and no longer relevant – the user’s memory may serve in deciding if everything is of use. Be sure to copy the recoverable files onto a drive other than the pen-drive, format the USB device after recovery of the files, then copy the files back according to the advice given further above.

Immediately after inserting the pen-drive, 20 attempted intrusions of the virus have already been stopped.

If a virus scan shows that a particular file is infected, and there is some doubt about whether, on a computer with no internet connection, it is possible to erase it, and on condition that it need not be run (check other web pages! – and sorry for all the conditions), some efficiency may be obtained by writing a batch file to stop the (apparent) rogue application from running. In our case, it was msiexec.exe, but it seems to be the version which should not be erased. A batch file was written to use taskkill on a Windows XP Professional machine, but was found not to work without the “/F” switch.

Taskkill running to stop virus-infected file from running

If the computer is slow enough, you might see a message indicating success. Not using the “/F” switch, unfortunately, will give a false sense of security.  Open the Task Manager to be sure that the program has stopped.

Batch file shows that taskkill has completed its function.

Possible translation: ‘Correct: Process “msiexec.exe” terminated with PID 280’.

A fringe benefit was that after a couple of minutes, some other program or programs were seen to have shut down in the Task Manager.


A Note on USB Immunizer:

Either the combination of Immunizer and Autorunexterminator neutralized the Immunizer, or Immunizer gives false security, or something in our particular unit caused Immunizer either (1) not to “immunize” at all, or (2), happily, not to produce the negative effect associated with it, namely not allowing a traditional format. More study is needed. (updated, April 11, 2016)

Improving on the Above:

Quite probably we had tried it before, but it needed updating first: Kaspersky Virus Removal Tool, available free at SnapFiles.  It identified an unseen problem, and it was the solution in our case.  It identified a hidden file, mscwufpi.exe, for which no information has been found.  It was shown as a dangerous item, requiring elimination.  If anyone else has it, the CRC is AC82F48F, MD-5 hash is af927e34e76aaba86fa6b02a3e575f7c, and the size was 79,930.240, quite a large program. Upon removing this, msiexec.exe no longer ran in the task manager. The computer was rebooted, we kept our little batch file from “killing” msiexec.exe, and plugged in our USB stick – not once, but several times.  No new infections were noticed.  Our mission of cleaning the computer without an internet connection was a success.

The malicious program had its extension changed to .txt, and was then tested at an Internet Cafe.  Our usual antivirus program did not detect any problem, but the Virus Removal Tool did, this, in spite of the fact that our usual program is supposedly up-to-date.  On the negative side, it only worked on Drive C:.  Hope this information can help someone.

January 22, 2016, Updated July 13, 2016, September 14, 2016: Paul Karl Moeller.
