USB mass storage virus - massively annoying
Around October last year, I started noticing that some of my colleagues had strange executable files on their USB flash devices. Most of the time, I would see this when they would copy their .ppt-s to the college computers prior to starting their presentations. As we get a lot of assignments that include presenting the finished assignment to the rest of the group, I saw this a lot.
At some point I went to the local photocopy and print studio to get some stuff printed, my own drive became infected, because when I came home, Fedora warned me that the medium contained "software intended to be auomatically started". It had an autorun.inf file that was supposed to launch the randomly-named .exe file when inserted into a windows machine. You can actually prevent that from happening under Windows by holding down the shift key as you insert the drive (you might activate Sticky Keys though... I'd rather let my computer get infected than suffer that) but seriously, who even knows that?
Anyway -- I'm getting really annoyed that I have to manually clean this rubbish from my USB mass storage devices every time I slot them into a computer other than my own. All the college computers are infected, every other person has the malware installed, and even though AVG prevents infection, it appears no one else cares to download an antivirus program.
I finally snapped last night when my neighbour (who shall remain anonymous to preserve his decreasing dignity) infected my 160 GB iPod with a similar virus (it creates a viral .exe in every directory so that it has the same name as the directory - e.g. /stuff/movies would contain movies.exe, etc). I have a vast number of folders and files on my iPod, so when I found out, my anger is said to have been too terrible to behold. Who knows what other executables might have also been corrupted or infected in the process. Well, the prospect of spending several hours recursing into every directory level and deleting this crap from my 'Pod was just so maddening, I wrote a script in Python to kill them for me.
The autorun.inf virus and the "every-directory" virus are two different types of malware, I think. This tool helps with the second one (it's great when you're using Linux and don't have a way to scan the removable drive), though it also deletes autorun.inf if it's there, for convenience.
In case you might have a use for it, here's the tool. I didn't make a GUI (I was going to ._.) to keep it short and simple. It worked a treat for me, so if you have the same problem, I hope it helps you as well. Anyway, this is well-tested under Linux, but it should work under Windows as well.
#!/usr/bin/python
import os, sys
# path to the infected USB mass storage device
# (e.g. /media/disk , E:\\)
viral_path = "/media/AMPHY"
def remove_recursive(path):
"""
Works like rm -rf path. Be very careful using this function.
"""
for item in os.listdir(path):
full_path = path + "/" + item
if os.path.isdir(full_path): remove_recurse(full_path)
else: os.remove(full_path)
os.rmdir(path)
try: temp = viral_path
except:
print "ERROR: VIRAL_PATH NOT SPECIFIED! CANNOT PROCEED."
sys.exit(1)
else: del temp
# delete same-name exe infected executables
for root, dir, files in os.walk(viral_path):
for file in files:
this_dir = root.split('/')[-1:][0]
viral_file = this_dir + ".exe"
if file == viral_file:
deleteitem = root + '/' + viral_file
print deleteitem
try: os.remove(deleteitem)
except:
print "NOTICE: " + file \
+ " not found or cannot be removed"
# delete recycler direcory and autorun.inf
try: remove_recursive(viral_path + "/recycler")
except:
print "NOTICE: recycler directory not found or cannot be removed"
else: print "Deleted recycler directory!"
try: os.remove(viral_path + "/autorun.inf")
except:
print "NOTICE: autorun.inf was not found or cannot be removed"
else: print "Deleted autorun.inf!"
print "Completed viral removal from USB mass storage device."
This deletes both the exe files and the autorun.inf and recycler directory virus if it's there. There will be some infected files left over that you'll have to delete yourself (the randomly-named exe file will still be there if you've got autorun.inf, but the autorun.inf will be removed.
Be careful that you don't set the viral_path to something you don't want purged of same-name executables in every folder. On Windows, change it to E:\\ or whatever the drive letter is for your USB device (notice the REQUIRED double backslash, in case you're not a coder).
Our member chrisl suggested this quick & clean command using Perl regex to run the remove command on files in a directory. Manoeuvre to the directory of your removable media, eg. /media/usb/ and run the following command:
find -type d|perl -ple 's/.*?\/([^\/]+)$/$&\/$1.exe/'|xargs -I file rm file
thank you man :D
btw, most of the time I use xargs doing more things with the filename, but in this case its simple so the whole "|xargs -I file rm file" is not necessary, just using '|xargs rm' is enough
:D
And, sorry about that, I'll have to fix it.
oh well, put a plus sign there in order to use it.
you can also use a command like this, on the usb directory:
find -type d|perl -ple 's/.*?\/([^\/] )$/$&\/$1.exe/'|xargs -I file rm file
