The flash drive opens as a Windows 10 shortcut. The virus creates a flash drive shortcut on a flash drive.

  1. The flash drive opens as a Windows 10 shortcut. The virus creates a flash drive shortcut on a flash...
  2. When someone brings a flash drive with a shortcut in the root, you need to
  3. Virus treatment from a reader (the method does not work; edited 10/02/2015)
  4. What to do if folders have become shortcuts? Step-by-step instruction.
  5. Remove the virus from startup
  6. Why do antiviruses rarely notice such viruses?

The flash drive opens as a Windows 10 shortcut. The virus creates a flash drive shortcut on a flash drive.

At work, an interesting virus crept onto our computers. It creates a shortcut to the flash drive on the flash drive itself; when a person plugs in such a drive, they assume it is a harmless glitch and run the shortcut. The shortcut in turn executes the malicious code recorded in its properties, and only then opens the folder with the files for the user. Antivirus software proved powerless, so I decided to try to fix this trouble myself.

The virus spreads only via USB flash drives. If you search Google for "the virus creates a flash drive shortcut on a flash drive", you will find dedicated forum threads (for example, a thread on cyberforum.ru (http://www.cyberforum.ru/viruses/thread970282.html)) where people ask for help removing this nuisance. To eliminate the virus that creates a flash drive shortcut on a flash drive, you need to send computer scan reports, then follow the gurus' recommendations, and that's it. But what do you do if the entire fleet of computers is infected? Sending a report for each PC is very costly, because not all employees can do this. And treating every single flash drive is also a time-consuming headache. As an alternative, I decided to study this virus on my own. To do this, I installed Windows in a VirtualBox virtual machine and infected it from an infected flash drive. Now I am looking for a universal and easy way to clean computers of the virus that creates a flash drive shortcut on a flash drive, and also to protect the system from infected USB media.

Protection Considerations

Open the contents of a flash drive to bypass the launch of a malicious shortcut.

As I said earlier, the virus spreads only through USB devices, by running executable code from the shortcut properties. To make all hidden files visible, you can use the following script:

  attrib "*" -s -h -a -r /s /d

Save it as run.bat and keep it handy.

Disable autorun of USB devices

To disable autorun for USB sticks and CD-ROMs, you must edit the registry:

  1. "Start" - "Run" and type "regedit";
  2. open the path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies;
  3. go to the Explorer section, and if it does not exist, create a new section and rename it to "Explorer";
  4. in the "Explorer" section, create the key NoDriveTypeAutoRun and enter the value 0x4 to disable autorun of all removable devices.
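The registry steps above as a script that can be run on each PC, added here as an example and not taken from the author. The function name is an assumption. NoDriveTypeAutoRun is a bitmask in which 0x4 is the removable-drive bit and CD-ROM drives are a separate bit (0x20), so the script adds 0x4 to whatever is already set instead of overwriting it, then reads the value back.

```powershell
# Added example, not the author's script. Run from an elevated prompt (HKLM).
function Set-RemovableAutorunOff {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $name = 'NoDriveTypeAutoRun'
    $bit  = 0x4    # value from the article: removable drives

    # Step 3 of the article: create the Explorer section if it is missing.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # The value is a bitmask, so keep any bits that are already set
    # (for example by Group Policy) and add 0x4 to them.
    $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $after  = [int]$before -bor $bit
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $after -Force | Out-Null

    # Read the value back so a run across many PCs can log the result per machine.
    $check = (Get-ItemProperty -Path $key -Name $name).$name
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Before              = if ($null -eq $before) { 'not set' } else { '0x{0:X}' -f $before }
        After               = '0x{0:X}' -f $check
        RemovableAutorunOff = (($check -band $bit) -eq $bit)
    }
}

Set-RemovableAutorunOff
```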

When someone brings a flash drive with a shortcut in the root, you need to

  1. copy run.bat to the root of the flash drive and run it;
  2. this reveals many previously invisible files, including a folder with an empty name, where the virus has put all the files;
  3. open the free Microsoft utility Process Explorer, use CTRL + F to find a reference to autorun, and terminate that process;
  4. now remove all files from the root except this folder;
  5. go into the folder and move its contents up one level, i.e. to the root of the flash drive.

That's all I have. I hope to please you with fresh information soon.

Virus treatment from a reader (the method does not work; edited 10/02/2015)

The UsbFix program helped (LINK_REDDED). Download the latest version and press the merciless "Clean". Careful: it cleans everything unnecessary out of startup. Thanks a lot! I think the information will be relevant for visitors!

Note from October 2, 2015: deleted the link to the program. It can no longer be downloaded from there; instead there is an endless redirect from one site to another. By the way, this virus gradually died out here. Everyone copied the script given above for checking flash drives, and each time the drives were cleaned and checked. And devices from people who always bring infected ones were simply refused. That is how this infection was beaten.

The situation looks like this: there were folders on the flash drive, but they miraculously turned into shortcuts, i.e. into files with the lnk extension. When you try to open such a file, a message appears:



In this case "Q" is the name of the removable disk (flash drive); yours may be different. The shortcut points to a folder containing an executable file (exe extension), which is the virus.

What exactly happened: as a result of the virus's activity, all the folders were given the "system" and "hidden" attributes, i.e. they remained on the flash drive, but we cannot see them through the Windows graphical user interface. In place of the folders, shortcuts with the same names appeared, leading to the file with the virus.
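The swap described above can be confirmed without double-clicking anything. This added example (not the author's code) lists every shortcut in the root of the drive with the target and arguments stored in its properties, and marks the ones that carry the name of a hidden system folder. The function name is an assumption, and "Q:\" is the drive from the article's own case.

```powershell
# Added example: inspect the root of a flash drive without opening any shortcut.
function Get-ShortcutSwap {
    param([Parameter(Mandatory)][string]$Root)   # for example 'Q:\'

    $shell = New-Object -ComObject WScript.Shell
    # -Force makes Get-ChildItem return hidden and system items as well.
    $items = Get-ChildItem -LiteralPath $Root -Force

    # Folders that carry both attributes the article describes.
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    $hiddenNames = @(
        $items |
            Where-Object { $_.PSIsContainer -and (($_.Attributes -band $mask) -eq $mask) } |
            ForEach-Object { $_.Name }
    )

    $shortcuts = $items | Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' }
    foreach ($lnk in $shortcuts) {
        # CreateShortcut on an existing .lnk loads its stored properties;
        # it does not run the target.
        $sc = $shell.CreateShortcut($lnk.FullName)
        [pscustomobject]@{
            Shortcut            = $lnk.Name
            TargetPath          = $sc.TargetPath
            Arguments           = $sc.Arguments
            ShadowsHiddenFolder = ($hiddenNames -contains $lnk.BaseName)
        }
    }
}

Get-ShortcutSwap -Root 'Q:\' | Format-List
```

A shortcut whose TargetPath or Arguments point at an executable or script instead of a folder, together with ShadowsHiddenFolder set to True, matches the pattern in this section.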

What to do if folders have become shortcuts? Step-by-step instruction.

On the Internet, I came across a solution to the problem that changes the attributes of the folders (in fact, a folder is a file) using the command line. For users who are not on friendly terms with the command line, I suggest an alternative way: using the FAR Manager file manager for this purpose. This manager is always convenient to have on hand, and we have already used it when editing the hosts file (video "I can not go to Classmates. Solution").

Step 1. Check the flash drive for viruses. I checked with the avast 4.8 Professional antivirus. It deleted all the bogus shortcuts, reporting them as an LNK trojan.

Avast removed all the bogus shortcuts

If your antivirus leaves folder shortcuts in place, delete them yourself, they are not needed.

Step 2. Download the FAR Manager, unpack the archive and run the Far.exe file;

Step 3. Go to a removable disk (flash drive). To select a disk, use the Alt + F1 keys;


All hidden system files (left panel) are highlighted in dark blue - these are our "lost" folders.

Step 4. To avoid changing the attributes of each folder separately, select them all at once: highlight the first file in the list, then press and hold the Insert key on the keyboard until the names of all the files of interest are highlighted in yellow.


Selecting a group of files in FAR Manager

Step 5. Press the F4 key on the keyboard (or the Edit button in FAR). In the menu that opens, clear the marks (question mark, cross) in the items:


If you did everything correctly, the color of the file names will change from dark blue to white.


After changing attributes, the color of folder names turned white

Now you can go to the USB flash drive from under Windows and make sure that everything is displayed without any problems.



After changing attributes, all folders became available again.

I advise you to always keep the FAR Manager file manager at hand; when necessary, it lets you bypass the limitations Windows places on changing files.

As you understand, using the FAR Manager, you can also do the reverse procedure, i.e. hide your files on a flash drive from inexperienced users.

In conclusion, I want to say thank you to the programmer Eugene Roshal, who created the FAR Manager and the well-known RAR and WinRAR archivers.

Evgeny Mukhutdinov

First group: be careful in the future. Do not hand your flash drive around left and right. At the moment your computer is free of the virus, so you do not need to read the rest of the material. Second group: read on if you want to remove the virus that turned the contents of the flash drive into shortcuts.

Virus removal will proceed in two directions:

  • Remove the virus from the computer.
  • Remove the virus from the flash drive.

One of these viruses is active, the other is not. First, let's deal with the active one, because it will keep putting a spoke in the wheel. You can read my article on how to remove viruses; it describes the virus removal process in an accessible way, and that process can and should be used in this case. You can also look for the virus in the Processes tab of the Task Manager window. The process of this virus has a rather garbled name: there is no logic in it, it is simple gibberish. You can find out the location of this file. Then there are two ways to proceed:

  • You are sure that it is a virus. In this case, stop this process and remove the virus.
  • You are not sure that this is a virus. In this case, stop the process.

Then the flash drive whose contents turned into a single shortcut must be cleaned in the manner discussed above. And once again I ask: do not touch any shortcut, otherwise the whole operation will go down the drain. After that, remove and reconnect the USB flash drive. If you do not see shortcuts on it and everything seems clean, then you did everything right.

Remove the virus from startup

But it's too early to relax. Those who simply stopped the process should go to the folder where the virus is located and delete it. You also need to clean out startup. How to do this is described in the same article about how to remove a virus. Both the first and the second group need to clean the computer's startup.

Having done this, I usually restarted the computer. Then I rechecked the flash drive to see whether the shortcuts would appear again. I recommend you do the same.
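For the startup cleanup, a read-only listing helps decide what to remove. This added example (not from the author or the article referenced above) lists autostart entries through the Win32_StartupCommand class and flags those that launch a script. The function name is an assumption, and so is the extension list, since the page itself names only bat files.

```powershell
# Added example: list autostart entries and flag the ones that start a script.
function Get-ScriptStartupEntry {
    param(
        # Assumption: the article names only bat files; the other script
        # types are included because they can be autostarted the same way.
        [string[]]$ScriptExtensions = @('.bat', '.cmd', '.vbs', '.js')
    )

    # Win32_StartupCommand covers the Run registry keys and the Startup
    # folders, not services or scheduled tasks.
    foreach ($entry in Get-CimInstance -ClassName Win32_StartupCommand) {
        $command = [string]$entry.Command
        $matched = foreach ($ext in $ScriptExtensions) {
            # Match the extension only at the end of a token,
            # so ".js" does not hit ".json".
            if ($command -match ([regex]::Escape($ext) + '(?=["\s]|$)')) { $ext }
        }
        [pscustomobject]@{
            Name           = $entry.Name
            Command        = $command
            Location       = $entry.Location
            User           = $entry.User
            LaunchesScript = [bool]$matched
        }
    }
}

# Script-launching entries first; review each one before deleting anything.
Get-ScriptStartupEntry | Sort-Object LaunchesScript -Descending | Format-List
```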

Why do antiviruses rarely notice such viruses?

Many people, having seen such shortcuts, try to scan the computer and the USB flash drive with an antivirus. But mostly to no avail. Why? Because the body of a virus that turns folders into shortcuts is a regular bat file containing commands that a user can execute both in the graphical interface and in the console. An antivirus should not interfere with the user's work, and bat viruses look exactly the same and fall under this rule. Determining what is inside a bat file, unwanted code or harmless commands, is pretty hard. You can verify this by your own experience if you try to create an ordinary bat virus.

If you have suffered from this virus and you want to prevent any other flash card from being connected to the computer, you can
