Friday, January 18, 2008

Dealing with virus and worm infected flash drives


Portable flash drives have become an essential part of our digital life. And this same portable media has turned out to be one of the most potent and easiest ways for viruses and worms to spread. Almost all flash drives I come across are infected, and the sad thing is that people still don't understand the gravity of such infections and thereby help spread the worms and viruses.




The safest way to remove such worms and viruses is obviously by using some sort of AV. But there are always those times when the anti-virus software's updates are not yet able to detect and remove new malware executables.

And that is when you are faced with a terrible situation:
A) You have some very important data on your flash drive.
B) You do not want to infect your computer/laptop or other devices with the same.

Part of this scenario can be overcome by using some really simple steps (I call it the dummy way); I'm gonna try and list each one properly. But for that we need to understand the way these viruses and worms spread through portable media. How do they GET in?

Most of these viruses use the mighty "Autorun.inf" way.
The Autorun function in Windows is used to launch installers and other programs automatically when you insert a CD or flash drive. So basically autorun.inf determines what applications to launch.
When a new flash drive or CD is inserted, Windows scans for an autorun.inf file and, if one is found, executes whatever that file specifies.

Let's break down the autorun.inf file used by a USB worm executable called algssl.exe, which I already discussed some time back (Read it here).


----------------------------

[AutoRun]
open=sal.xls.exe
shellexecute=sal.xls.exe
shell\Auto\command=sal.xls.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11


---------------------------

This file causes Windows to run sal.xls.exe from the flash drive. Once in memory, the worm copies itself to every drive you access thereafter and writes an autorun.inf file for that partition, which is why you might be unable to open your partitions normally.
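To see what an autorun.inf like this would actually make Windows do, here is a small checker I have added (it is not code from the original post, nor the worm's own code): it parses the [AutoRun] section, lists every key that launches a program, shows which program a plain double-click on the drive would run because of the shell=Auto line, and flags the double-extension trick. The sample is the worm's file quoted above; the function names are my own.

```python
import re

# Constructed sample: the worm's autorun.inf quoted above. A raw string keeps
# the backslashes in shell\Auto\command intact.
SAMPLE = r"""[AutoRun]
open=sal.xls.exe
shellexecute=sal.xls.exe
shell\Auto\command=sal.xls.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11
"""

# [AutoRun] keys that make Windows launch a program: open, shellexecute and
# any shell\<verb>\command entry (keys are compared lower-cased).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

def parse_autorun(text):
    """Parse an INI-style autorun.inf into {section: {key: value}}, lower-casing names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launch_targets(text):
    """Return (key, target) pairs that Windows would execute for this file."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items() if LAUNCH_KEY.match(k)]

def default_action(text):
    r"""shell=<verb> makes shell\<verb>\command the drive's default action, so a
    plain double-click in Explorer runs that program instead of opening the folder."""
    autorun = parse_autorun(text).get("autorun", {})
    verb = autorun.get("shell")
    return autorun.get("shell\\" + verb.lower() + "\\command") if verb else None

def is_suspicious(target):
    """Flag a double extension such as sal.xls.exe: a document name hiding an executable."""
    parts = target.split()[0].rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in ("exe", "com", "scr", "bat", "pif")
```

Point it at the text of an autorun.inf read from a mounted drive to see what the drive would launch before you open it.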

The good thing about the Autorun functionality is that it can be disabled. This can be done using gpedit.msc (the group policy editor) or the more traditional way, by making changes in the registry.
gpedit is only available with Windows XP Pro, so if you are on a Home edition do it the registry way:
----
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
------


Save the file as foo.reg and run it to apply the changes to the registry.

A simpler way is to use the group policy editor:

Click on Start > Run and type gpedit.msc.
Go to Computer Configuration > Administrative Templates > System > Turn off Autoplay.
Turn Autoplay off here and reboot; Windows won't autoplay any media automatically.


But if you are too lazy to reboot, then coming back to our worst-case scenario: once you have mounted the flash drive, go to the DOS prompt for your flash drive and remove the autorun.inf.

For example in my case it's J:



J:\>attrib -h -r -s autorun.inf

J:\>del autorun.inf


Right-click and open the flash drive, and copy only the files that you know belong to you. Be careful to open every folder with a right-click instead of a left-button double-click, as various viruses have different locations and tricks for spreading, and some copy themselves into most of the folders; if you open a folder directly you might execute the virus/worm and bring it into memory (after that, bye bye our simple ways to get rid of it :P).


Format your flash drive once you are done with your backup. I would suggest removing the autorun.inf from every flash drive you use with your computer (especially if it does not belong to you).



Above all these simple steps, there is one way that is the easiest of all, the best of all, an ultimate solution to all your flash drive and malware chaos:

"Use Linux ! or Mac! "

I will try to write up something more on how this malware works once inside the operating system soon.

1 comment:

Robin said...

hmmm.. i think my thumb drive has the problem that you are referring to here.

and I really dun know how to deal with it... except scanning it using a virus scan.

will try your way.. thanks.