
 
ronch
Graphmaster Gerbil
Topic Author
Posts: 1095
Joined: Mon Apr 06, 2009 7:55 am

USB Trojan

Thu Nov 17, 2016 5:10 am

Hey guys, need some help here. My wife came home today, handing me her USB flash drive saying it's been infected by some Trojan. First thing I did, of course, is to scan it but Avast Free shows nothing although I could see the files are still in there according to Avast, as it displays the names of the files it's scanning. Upon opening it, I see her files are gone and the only thing visible (even after enabling 'Show hidden files and folders' in Windows) is one file, a link file that's named "NANO PRO 4GB" that points to rundll32.exe in the Windows folder. Obviously malicious and who knows what it'll do. I copied rundll32.exe from the Windows folder to D:\ and edited the link file to point to THAT copy (dunno if that helps though). She needs her files badly and I'm not sure how to recover them. And yes, her last backup was in October. Good grief. I'm proceeding with caution here as any USB recovery app can ruin her stuff.
NEC V20 > AMD Am386DX-40 > AMD Am486DX2-66 > Intel Pentium-200 > Cyrix 6x86MX-PR233 > AMD K6-2/450 > AMD Athlon 800 > Intel Pentium 4 2.8C > AMD Athlon 64 X2 4800 > AMD Phenom II X3 720 > AMD FX-8350 > RYZEN?
 
Noinoi
Gerbil Team Leader
Posts: 228
Joined: Fri Jun 26, 2015 11:31 pm
Location: Somewhere, anywhere!

Re: USB Trojan

Thu Nov 17, 2016 5:18 am

ronch wrote:
Hey guys, need some help here. My wife came home today, handing me her USB flash drive saying it's been infected by some Trojan. First thing I did, of course, is to scan it but Avast Free shows nothing although I could see the files are still in there according to Avast, as it displays the names of the files it's scanning. Upon opening it, I see her files are gone and the only thing visible (even after enabling 'Show hidden files and folders' in Windows) is one file, a link file that's named "NANO PRO 4GB" that points to rundll32.exe in the Windows folder. Obviously malicious and who knows what it'll do. I copied rundll32.exe from the Windows folder to D:\ and edited the link file to point to THAT copy (dunno if that helps though). She needs her files badly and I'm not sure how to recover them. And yes, her last backup was in October. Good grief. I'm proceeding with caution here as any USB recovery app can ruin her stuff.

Don't forget to uncheck "hide protected system files" - that's one more thing before Windows will show files marked as system. It's entirely possible that happened, as file scanners appear to be finding the files just fine. I'm thinking that malware probably marked all pre-existing files as system files.
i5-4590 | Kingston 2x8GB | Asus Strix GTX 970 | Asus Z97-Pro Gamer | Kingston Fury 240GB + WD Black 2TB + Blue 2TB | Win 10 FCU
 
ronch
Graphmaster Gerbil
Topic Author
Posts: 1095
Joined: Mon Apr 06, 2009 7:55 am

Re: USB Trojan

Thu Nov 17, 2016 8:00 am

Fixed it, folks. Got her files back. She's a lawyer so she's doomed if she can't get those files back. After some skillful Google-Fu I went to the command prompt and typed

attrib -h -r -s /s /d f:\*.*

and a folder came up in Explorer with her files tucked inside. Stupid Malware writers. So I scanned the flash drive again with Malwarebytes, copied the files off it, formatted the drive, and copied everything back. Did a full sys scan of my laptop with Malwarebytes and Avast. MBAM actually found some suspicious things but I'm not sure they have anything to do with the flash drive's contents. Also, turns out the wife's laptop's AV already 'healed' the drive when she plugged it in, which is why Avast didn't find anything earlier. MBAM didn't find anything either. Now all I gotta do is see if her laptop is clean too. I bet she never does a full scan and I can't remember if I had auto scan enabled. I think I installed AVG on her laptop. Good job, AVG!
NEC V20 > AMD Am386DX-40 > AMD Am486DX2-66 > Intel Pentium-200 > Cyrix 6x86MX-PR233 > AMD K6-2/450 > AMD Athlon 800 > Intel Pentium 4 2.8C > AMD Athlon 64 X2 4800 > AMD Phenom II X3 720 > AMD FX-8350 > RYZEN?
 
Chuckaluphagus
Silver subscriber
Gerbil Elite
Posts: 688
Joined: Fri Aug 25, 2006 4:29 pm
Location: Boston area, MA

Re: USB Trojan

Thu Nov 17, 2016 8:59 am

ronch wrote:
Fixed it, folks. Got her files back. She's a lawyer so she's doomed if she can't get those files back. After some skillful Google-Fu I went to the command prompt and typed

attrib -h -r -s /s /d f:\*.*

and a folder came up in Explorer with her files tucked inside.

Now remind her, politely, that this is why she should have a backup.

Also, I first learned to use "attrib" back in the days of MS-DOS, and it was my first trip down the rabbit hole of the cool, butt-saving stuff you can pull off from a command line. You've provided me with a nice bit of nostalgia, thank you.
 
steelcity_ballin
Gerbilus Supremus
Posts: 12011
Joined: Mon May 26, 2003 5:55 am
Location: Pittsburgh PA

Re: USB Trojan

Thu Nov 17, 2016 9:12 am

Likely this was an older virus that relied on auto-execution once the thumb drive is inserted. This isn't the case anymore, since they can't be made to auto-execute anything, at least since Windows 7 and newer.

Thumb drives are not very secure, though I imagine you could encrypt the contents, and I do believe they make more secure versions of the standard fare. Any reason why she chooses such an inconvenient container for sensitive information? There are heaps of very inexpensive archiving/storage solutions that make it easy to manage the information from any device, anywhere. The only caveat being you'd need some connection to reach the data, but if you knew that ahead of time you could always take a copy onto a portable storage device for when you don't have a signal, and then it could automatically sync any changes once a connection is available again. All that said, I'd always insist that any "must have" data be made into a proper backup with an off-line copy stored in a fire-proof safe. Could automate that too, except the physical action of putting it into the safe :wink:
Corsair 600T | ASUS P8P67 PRO | Intel 2500k @ 4.4Ghz | Asus 1080GTX | G.SKILL Ripjaws Series 8GB | Corsair HX650 650W | Asus ROG Swift Gsync 27"
 
just brew it!
Gold subscriber
Administrator
Posts: 49673
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: USB Trojan

Thu Nov 17, 2016 9:31 am

Does the content of the files appear to be intact? Just because the names are the same doesn't mean the contents didn't get corrupted/encrypted.

Also, what was the point of the part where you copied rundll32.exe to another partition? If your goal was to disable any potential malicious behavior this accomplished nothing, since you changed the link *and* copied the program to the new link location (so the link was still valid).
Nostalgia isn't what it used to be.
 
just brew it!
Gold subscriber
Administrator
Posts: 49673
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: USB Trojan

Thu Nov 17, 2016 9:36 am

steelcity_ballin wrote:
Thumb drives are not very secure ...

They're also not very reliable, and are easy to lose.

Critical/sensitive data needs to be backed up, and if it is transported on removable media it needs to be encrypted.
Nostalgia isn't what it used to be.
 
DragonDaddyBear
Gerbil Elite
Posts: 651
Joined: Fri Jan 30, 2009 8:01 am

Re: USB Trojan

Thu Nov 17, 2016 9:49 am

As a bit of advice, I would not suggest plugging a suspected Trojan-infected USB device into a computer without being very sure of what you are doing. Thankfully it seems this was not a very dangerous virus. Had it been, though, your system could have been compromised and spread the malware to other USB drives.

I think a better way to have gone about this would have been to boot into a non-persistent Linux distro with your drives physically detached (or drives mounted read-only) and move the files to another drive that way.
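What the attrib fix in ronch's earlier post and the read-only Linux triage suggested here actually operate on is the attribute byte of each FAT directory entry: the malware set the HIDDEN and SYSTEM bits on the folder holding the files, Explorer stopped showing it, and attrib -h -r -s cleared the bits again. The following Python script is an added example, not code from the thread or from any tool mentioned in it. It parses a dump of a FAT root-directory region (for instance the bytes copied off a read-only mounted stick or a dd image), lists each entry with its attribute flags, flags entries that a human should look at, and produces the raw-image equivalent of attrib -h -r -s on a copy. The sample directory bytes are constructed inline, and treating the 8.3 alias SYSTEM~1 as the usual legitimate hidden+system folder ("System Volume Information") is an assumption for the triage rule, not something the thread states.

```python
"""Triage of a FAT root-directory region whose entries were hidden by attribute bits.
Added example, not from the thread; sample bytes are constructed below."""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Attribute bits at offset 11 of a 32-byte FAT directory entry (Microsoft FAT spec).
ATTR_READ_ONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID  # 0x0F marks an LFN piece
ENTRY_SIZE = 32


@dataclass
class DirEntry:
    offset: int          # byte offset of this entry inside the region
    name: str            # 8.3 short name, e.g. "NANOPR~1.LNK"
    attrs: int
    first_cluster: int
    size: int


def make_entry(base: str, ext: str, attrs: int, cluster: int = 0, size: int = 0) -> bytes:
    """Build one short-name entry (only used to construct the sample region)."""
    entry = bytearray(ENTRY_SIZE)
    entry[0:11] = (base.ljust(8) + ext.ljust(3)).encode("ascii")
    entry[11] = attrs
    struct.pack_into("<H", entry, 20, (cluster >> 16) & 0xFFFF)   # first cluster, high word
    struct.pack_into("<H", entry, 26, cluster & 0xFFFF)           # first cluster, low word
    struct.pack_into("<I", entry, 28, size)
    return bytes(entry)


def make_lfn_piece(seq: int, text: str) -> bytes:
    """Build one long-file-name entry: attrs 0x0F, 13 UTF-16LE chars split over three slots."""
    chars = (text + "\x00").ljust(13, "\uffff")[:13]
    entry = bytearray(ENTRY_SIZE)
    entry[0] = seq                    # sequence number; 0x40 flag marks the last piece
    entry[11] = ATTR_LONG_NAME
    entry[1:11] = chars[0:5].encode("utf-16-le")
    entry[14:26] = chars[5:11].encode("utf-16-le")
    entry[28:32] = chars[11:13].encode("utf-16-le")
    return bytes(entry)


# Constructed sample: volume label, the visible shortcut (with its LFN pieces), the user's
# folder with hidden+system set by the malware, the normal Windows system folder, one
# deleted entry and the 0x00 end-of-directory marker.
SAMPLE_ROOT_DIR = b"".join([
    make_entry("NANO PRO", "4GB", ATTR_VOLUME_ID),
    make_lfn_piece(0x42, "lnk"),
    make_lfn_piece(0x01, "NANO PRO 4GB."),
    make_entry("NANOPR~1", "LNK", ATTR_ARCHIVE, cluster=5, size=1024),
    make_entry("DOCS", "", ATTR_DIRECTORY | ATTR_HIDDEN | ATTR_SYSTEM, cluster=3),
    make_entry("SYSTEM~1", "", ATTR_DIRECTORY | ATTR_HIDDEN | ATTR_SYSTEM, cluster=4),
    b"\xe5" + make_entry("OLD", "DOC", ATTR_ARCHIVE, cluster=9, size=77)[1:],
    bytes(ENTRY_SIZE),
])


def parse_root_dir(region: bytes) -> list[DirEntry]:
    """Walk 32-byte entries; stop at 0x00, skip deleted (0xE5), LFN and volume-label entries."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:
            break
        if raw[0] == 0xE5:
            continue
        attrs = raw[11]
        if (attrs & ATTR_LONG_NAME) == ATTR_LONG_NAME or attrs & ATTR_VOLUME_ID:
            continue
        base = raw[0:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        (hi,) = struct.unpack_from("<H", raw, 20)
        (lo,) = struct.unpack_from("<H", raw, 26)
        (size,) = struct.unpack_from("<I", raw, 28)
        entries.append(DirEntry(off, f"{base}.{ext}" if ext else base, attrs, (hi << 16) | lo, size))
    return entries


def describe(attrs: int) -> str:
    """Render the attribute byte the way attrib does, e.g. '-HSD-'."""
    flags = [("R", ATTR_READ_ONLY), ("H", ATTR_HIDDEN), ("S", ATTR_SYSTEM),
             ("D", ATTR_DIRECTORY), ("A", ATTR_ARCHIVE)]
    return "".join(letter if attrs & bit else "-" for letter, bit in flags)


def triage(entries: list[DirEntry]) -> list[tuple[str, str]]:
    """Return (name, reason) pairs a human should check. SYSTEM~1 is assumed to be the 8.3
    alias of 'System Volume Information', which Windows legitimately marks hidden+system."""
    findings = []
    hs = ATTR_HIDDEN | ATTR_SYSTEM
    for e in entries:
        if (e.attrs & hs) == hs and e.name != "SYSTEM~1":
            findings.append((e.name, "hidden+system: concealed from Explorer even with hidden files shown"))
        if e.name.upper().endswith(".LNK") and not e.attrs & ATTR_HIDDEN:
            findings.append((e.name, "shortcut left visible in root: check its target before opening"))
    return findings


def clear_attrs(region: bytes, mask: int = ATTR_HIDDEN | ATTR_SYSTEM | ATTR_READ_ONLY) -> bytes:
    """Raw-image equivalent of 'attrib -h -r -s' on every live entry; run it on a copy."""
    out = bytearray(region)
    for e in parse_root_dir(region):
        out[e.offset + 11] = e.attrs & ~mask
    return bytes(out)


if __name__ == "__main__":
    found = parse_root_dir(SAMPLE_ROOT_DIR)
    for e in found:
        print(f"{describe(e.attrs)}  cluster={e.first_cluster:<3} size={e.size:<5} {e.name}")
    for name, reason in triage(found):
        print("FLAG", name, "-", reason)
    print("after clear:", [(e.name, describe(e.attrs)) for e in parse_root_dir(clear_attrs(SAMPLE_ROOT_DIR))])
```

The listing shows why Avast could still name the files while Explorer showed only the shortcut: the directory entries and data clusters are untouched, only the attribute byte changed. Clearing the bits on an image copy (or with attrib on the mounted drive, as ronch did) restores visibility without any recovery tool touching the data.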
 
wizardz
Gerbil
Posts: 71
Joined: Thu Nov 02, 2006 12:58 pm
Location: Montreal, Canada

Re: USB Trojan

Thu Nov 17, 2016 10:47 am

steelcity_ballin wrote:
All that said, I'd always insist that any "must have" data be made into a proper backup with an off-line copy stored in a fire-proof safe. Could automate that too, except the physical action of putting it into the safe :wink:


If her job *depends* on those files, multiple copies taken multiple times per day, with at least 2 copies on 2 different media (USB / DVD / tape / punchcards), should be properly stored in multiple locations (bank vault AND fireproof safe, for example).

I have seen and heard sooo many horror stories... some unrecoverable.
Glad you were able to recover it.
 
Flying Fox
Gerbil God
Posts: 25417
Joined: Mon May 24, 2004 2:19 am

Re: USB Trojan

Thu Nov 17, 2016 11:51 am

ronch wrote:
She's a lawyer so she's doomed if she can't get those files back.

On one hand, looks like a simple malware (or someone playing tricks on her by using the attrib command in the other direction?), and the fact that the files are in the clear makes it easier to recover. On the other hand, being a lawyer, she leaves her files unencrypted on removable media? That does not sound good at all.

Backing up and encryption for transport are 2 topics that you may need to bring up. I am not sure if negligence can lead to losing her license, but this is not insignificant.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
Scorpiuscat
Gerbil Elite
Posts: 818
Joined: Tue Jan 01, 2002 7:00 pm
Location: Somewhere on the Edge of Reality

Re: USB Trojan

Thu Nov 17, 2016 12:01 pm

I recently saw a news story about infected USB drives being left around college campuses and something like 2/3rds of people who find them plug them in without much hesitation.
I've got to admit, if I found a USB drive, it would be very tempting to see what is on it, but I like to think that I have enough advanced skills to handle anything bad that happens.
All civilizations become either spacefaring or extinct - Carl Sagan
 
Chuckaluphagus
Silver subscriber
Gerbil Elite
Posts: 688
Joined: Fri Aug 25, 2006 4:29 pm
Location: Boston area, MA

Re: USB Trojan

Thu Nov 17, 2016 12:09 pm

Scorpiuscat wrote:
I recently saw a news story about infected USB drives being left around college campuses and something like 2/3rds of people who find them plug them in without much hesitation.
I've got to admit, if I found a USB drive, it would be very tempting to see what is on it, but I like to think that I have enough advanced skills to handle anything bad that happens.

I don't find discarded USB sticks all that often, but it's one of the good uses for a Raspberry Pi. In the absolute worst-case scenario, I'm out $35 and some time. There is no way I'd ever plug an off-the-sidewalk USB stick into any computer I need.
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 26461
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: USB Trojan

Thu Nov 17, 2016 2:12 pm

Scorpiuscat wrote:
I recently saw a news story about infected USB drives being left around college campuses and something like 2/3rds of people who find them plug them in without much hesitation.

University of Illinois Urbana-Champaign (this campus has a MAJOR sci-fi link). The take rate was 48% and the quickest "response" was six minutes after it was dropped.

https://www.elie.net/blog/security/conc ... rking-lots
If the Earth were flat, cats would have pushed everything off of it by now.
 
Schmoo
Gerbil
Posts: 28
Joined: Mon Dec 14, 2015 12:32 pm
Location: オーストラリア

Re: USB Trojan

Thu Nov 17, 2016 2:41 pm

Scorpiuscat wrote:
I got to admit, if I found a USB drive, it would be very tempting to see what is on it, but I like to think that I have enough advanced skills to handle anything bad that happens.  

For anyone who has a Microsoft Surface RT or Surface 2 these are the perfect tools for looking at stuff like that. Nobody wrote any software for RT let alone viruses.
 
just brew it!
Gold subscriber
Administrator
Posts: 49673
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: USB Trojan

Thu Nov 17, 2016 4:04 pm

A Linux system (preferably one without Wine installed) also works well for examining suspect media.
Nostalgia isn't what it used to be.
 
WalterW
Gerbil In Training
Posts: 5
Joined: Tue Jun 13, 2017 3:06 am

Re: USB Trojan

Mon Jul 24, 2017 3:52 am

Brilliant read and some good information, thanks for sharing
 
Flying Fox
Gerbil God
Posts: 25417
Joined: Mon May 24, 2004 2:19 am

Re: USB Trojan

Mon Jul 24, 2017 10:10 am

WalterW wrote:
Brilliant read and some good information, thanks for sharing

Did you check the date of the thread? You are necroing quite an old thread.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
bthylafh
Grand Gerbil Poohbah
Posts: 3906
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: USB Trojan

Mon Jul 24, 2017 10:51 am

Flying Fox wrote:
WalterW wrote:
Brilliant read and some good information, thanks for sharing

Did you check the date of the thread? You are necroing quite an old thread.


At least it's less than a year old, not like the other one from today:
viewtopic.php?p=1357657#p1357657
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x|Asus Xonar DX
 
ludi
Darth Gerbil
Posts: 7441
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: USB Trojan

Mon Jul 24, 2017 11:08 am

New gerbil. Don't scare him too badly.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
