Dongelganger!

September 29th, 2010

A USB drive was brought to me because the files on the drive could no longer be accessed. I was all ready for the usual speech about corrupted files or the ever-popular bent USB plug. To my surprise there was actually something interesting going on. All of the files showing on the drive were shortcuts (.lnk). They had different icons, like folders and a text file. I investigated the properties of these shortcuts looking for the usual symptoms of copying shortcuts to the drive instead of the actual files, but I found something completely different. All of the shortcuts led to the same file, which had a random six-character name. It was a .scr (screen saver) file, which is executable when run under Windows. A virus, sweet! My excitement was not because I found something I now get to fix, but due to the creativity of it all.
So here is the deal. This virus gets onto someone's computer and sits there waiting for a USB drive to be inserted. It then copies itself to the drive under a six-random-character file name with an executable extension (.exe, .scr, .com...). It sets the hidden attribute on itself and on all of the files and folders you currently have on the drive. This means you would actually have to have 'View hidden files and folders' turned on in your folder options in order to still see your stuff, and that is not on by default. It then creates shortcuts with the same names as all your stuff, with the same icons except for the little shortcut arrow in the corner (the other giveaway is that Properties on one of them reports a file type of Shortcut with a Target line pointing at the executable). It also adds some fake folders of its own, like pictures, audio and videos, and a shortcut that looks like it leads to a text file called passwords.txt. What it wants you to do is insert your drive and click on one of the folders you always click on to get to your stuff; that runs the virus file instead, which infects whatever machine you are currently on and then goes on to infect more and more machines, passing from one to the next by USB drive.
I looked up this virus and it is marked dangerous because there is another part of it residing on the infected computer that does other things, like downloading more malware.
In this particular situation there is anti-virus involved, so I don't think the bad stuff part is happening, and also whenever I put the USB drive in my machine my anti-virus would delete the executable; what it didn't do is delete the shortcuts or un-hide the folders and such. So even if your infection is cleaned you still may not be able to access your stuff. All you will see is a bunch of shortcuts with the same names as your stuff, and when you click on them nothing happens because the executable file has been deleted by your security software.

Your files are still there!

All you need to do to get to your files is change your folder options to show hidden files and folders, then right-click on your stuff, open Properties and untick Hidden. You can also delete the shortcuts, but if you put the drive back in the infected computer it will all be changed back. So first remove the virus from the computer, then unhide your files and delete the shortcuts on the thumb drive. One caveat: if the worm also set the System attribute on your files (these worms commonly do), 'show hidden files' on its own is not enough; you also have to untick 'Hide protected operating system files', or clear both attributes from a command prompt.
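Here is the clean-up above as a script, added here as an example; it is not code from the original post or from any of the vendor write-ups linked below. It assumes the drive is E:, that the anti-virus has already removed the dropped executable, and PowerShell 3.0 or later. Run it from an already-cleaned machine, and without -Clean it only reports what it found.

```powershell
# Added example, not code from the original post: triage and clean a USB drive
# hit by a shortcut worm of the kind described above. Run it from a machine
# that is already clean, otherwise the worm re-hides everything immediately.
# Assumptions (mine, not the post's): the drive is E:, the anti-virus has
# already removed the dropped executable, and PowerShell 3.0 or later.
param(
    [string]$Drive = 'E:\',
    [switch]$Clean     # without -Clean the script only reports what it found
)

$shell = New-Object -ComObject WScript.Shell

# 1. Where do the shortcuts point?  Worm-made .lnk files all share one target,
#    the six-character .exe/.scr/.com (sometimes reached via cmd.exe /c ...).
$links  = @(Get-ChildItem -LiteralPath $Drive -Filter '*.lnk' -Recurse -Force -File)
$report = foreach ($lnk in $links) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    [pscustomobject]@{
        Link      = $lnk.FullName
        Target    = $sc.TargetPath
        Arguments = $sc.Arguments
    }
}
$report | Group-Object Target | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. The user's real files are the hidden entries; each one has a same-named
#    .lnk beside it.  Listing them confirms nothing was actually deleted.
$hidden = @(Get-ChildItem -LiteralPath $Drive -Recurse -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden })
"{0} shortcut(s), {1} hidden item(s) on {2}" -f $links.Count, $hidden.Count, $Drive

if (-not $Clean) { return }

# 3. Clear Hidden, and System too: a file with both attributes stays invisible
#    even with 'show hidden files' turned on, and these worms often set both.
$mask = [int]([IO.FileAttributes]::Hidden) -bor [int]([IO.FileAttributes]::System)
foreach ($item in $hidden) {
    $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $mask))
}

# 4. Delete only the shortcuts that match the worm's naming scheme (a
#    six-character executable name, as target or inside the arguments) or
#    whose target is gone because the anti-virus removed it.  Genuine
#    shortcuts the user copied onto the drive are left alone.
$wormName = '(?i)(^|[\\ ])[a-z0-9]{6}\.(exe|scr|com)(\s|$)'
foreach ($entry in $report) {
    $targetMissing = $entry.Target -and -not (Test-Path -LiteralPath $entry.Target)
    if ($entry.Target -match $wormName -or $entry.Arguments -match $wormName -or $targetMissing) {
        Remove-Item -LiteralPath $entry.Link -Force
    }
}
```

The report step matters more than the clean-up: if the shortcuts do not all share one target, or the hidden items do not line up with them by name, the drive has a different problem and you should stop before deleting anything. The same attribute reset from a plain command prompt is the classic `attrib -h -s /s /d E:\*`.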

This worm, if left untreated, will attempt to connect to a server and download other malicious bits to ruin your day, so act fast.

Here are some links:

Microsoft Vobfus

Panda Vobfus

Worm:Win32/Vobfus.C

Posted in Home Computing, Security, Virus Removal - No Comments

WEP WPA What?

November 24th, 2009

I have not been much of a security guy in the past, but with new dangers around every corner I have been spending more time in that category. I was reading an article recently and had one of those 'why didn't I think of that?' moments. To sum it up, I had to update my wireless security, because the long funky password that I knew was strong enough to keep out anyone who cared to access my network doesn't matter. WEP's encryption is weak enough that the key can be recovered from ordinary traffic captured while the network is in use, and there are a few fairly easy-to-learn methods (and freely available tools) for doing exactly that; how long or random the key is does not help. Once you have the key you can access the network at any time. So the solution for now is not to use good ol' WEP shared-key security anymore. The newest option on my router is WPA2, and it has a nice big space for a secure code: a passphrase of anything from 8 up to 63 characters. Since you only have to enter this when you are connecting a wireless device for the first time, you can make it long and complex. I used a phrase with some punctuation and capitalization play.
In addition to an increased level of wireless security, WPA2 is also ready for the wireless N standard. With WEP (or WPA's older TKIP cipher) an N router falls back to the slower 802.11g rates, so pick WPA2 with AES (CCMP) to get N speeds. I am guessing it is not that obvious in the setup instructions that N does not run at full speed with WEP, because I have heard from a couple of people who had to spend some time finding that out the hard way.
So it’s time to move on. Sorry WEP, it’s not you, it’s me.
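The other side of this is every laptop that still has the old WEP network saved. The script below, added here as an example rather than anything from the original post, lists the Wi-Fi profiles saved on a Windows machine and flags the ones still using WEP or WPA/TKIP. It assumes an English Windows, because the labels in netsh's output are localized, and it parses lines of the form "All User Profile : name", "Authentication : WPA2-Personal" and "Cipher : CCMP".

```powershell
# Added example, not code from the original post: audit the Wi-Fi profiles
# saved on a Windows machine and flag any that still use WEP (or WPA with
# the older TKIP cipher).  Assumption (mine, not the post's): an English
# Windows, because netsh's output labels are localized, with lines such as
#     All User Profile     : HomeNet
#     Authentication         : WPA2-Personal
#     Cipher                 : CCMP

function Get-NetshField {
    # Return the value after "Label : value" from netsh's indented output.
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
}

function Get-WlanProfileAudit {
    $profileLines = netsh wlan show profiles
    $names = foreach ($line in $profileLines) {
        if ($line -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }

    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        $auth   = Get-NetshField -Lines $detail -Label 'Authentication'
        $cipher = Get-NetshField -Lines $detail -Label 'Cipher'

        # WEP shows up as Authentication "Open" or "Shared" with Cipher "WEP";
        # original WPA shows up as "WPA-Personal" with "TKIP".
        $verdict = if ($cipher -match 'WEP' -or $auth -match 'WEP') {
            'REPLACE: WEP key is recoverable from captured traffic'
        } elseif ($cipher -match 'TKIP' -or $auth -eq 'WPA-Personal') {
            'UPGRADE: WPA/TKIP; use WPA2-Personal with AES (CCMP)'
        } elseif ($auth -eq 'Open') {
            'REPLACE: no encryption at all'
        } else {
            'ok'
        }

        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            Verdict        = $verdict
        }
    }
}

Get-WlanProfileAudit | Format-Table -AutoSize
```

Anything flagged REPLACE can be removed with `netsh wlan delete profile name="<profile>"` once the router has been switched over; otherwise the laptop will happily rejoin a rogue access point that advertises the old SSID with the old WEP key.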


Posted in networking, Security - No Comments