USB mass storage virus - massively annoying

Posted by lec** on Sunday, April 19 2009 @ 17:21:00 GMT        

Around October last year, I started noticing that some of my colleagues had strange executable files on their USB flash devices. Most of the time, I would see this when they would copy their .ppt-s to the college computers prior to starting their presentations. As we get a lot of assignments that include presenting the finished assignment to the rest of the group, I saw this a lot.

At some point I went to the local photocopy and print studio to get some stuff printed, my own drive became infected, because when I came home, Fedora warned me that the medium contained "software intended to be auomatically started". It had an autorun.inf file that was supposed to launch the randomly-named .exe file when inserted into a windows machine. You can actually prevent that from happening under Windows by holding down the shift key as you insert the drive (you might activate Sticky Keys though... I'd rather let my computer get infected than suffer that) but seriously, who even knows that?

Anyway -- I'm getting really annoyed that I have to manually clean this rubbish from my USB mass storage devices every time I slot them into a computer other than my own. All the college computers are infected, every other person has the malware installed, and even though AVG prevents infection, it appears no one else cares to download an antivirus program.

I finally snapped last night when my neighbour (who shall remain anonymous to preserve his decreasing dignity) infected my 160 GB iPod with a similar virus (it creates a viral .exe in every directory so that it has the same name as the directory - e.g. /stuff/movies would contain movies.exe, etc). I have a vast number of folders and files on my iPod, so when I found out, my anger is said to have been too terrible to behold. Who knows what other executables might have also been corrupted or infected in the process. Well, the prospect of spending several hours recursing into every directory level and deleting this crap from my 'Pod was just so maddening, I wrote a script in Python to kill them for me.

The autorun.inf virus and the "every-directory" virus are two different types of malware, I think. This tool helps with the second one (it's great when you're using Linux and don't have a way to scan the removable drive), though it also deletes autorun.inf if it's there, for convenience.

In case you might have a use for it, here's the tool. I didn't make a GUI (I was going to ._.) to keep it short and simple. It worked a treat for me, so if you have the same problem, I hope it helps you as well. Anyway, this is well-tested under Linux, but it should work under Windows as well.

import os, sys

# path to the infected USB mass storage device
# (e.g. /media/disk , E:\\)
viral_path = "/media/AMPHY"

def remove_recursive(path):
Works like rm -rf path. Be very careful using this function.
for item in os.listdir(path):
full_path = path + "/" + item

if os.path.isdir(full_path): remove_recurse(full_path)
else: os.remove(full_path)

try: temp = viral_path
else: del temp

# delete same-name exe infected executables
for root, dir, files in os.walk(viral_path):
for file in files:
this_dir = root.split('/')[-1:][0]
viral_file = this_dir + ".exe"

if file == viral_file:
deleteitem = root + '/' + viral_file

print deleteitem

try: os.remove(deleteitem)
print "NOTICE: " + file \
+ " not found or cannot be removed"

# delete recycler direcory and autorun.inf
try: remove_recursive(viral_path + "/recycler")
print "NOTICE: recycler directory not found or cannot be removed"
else: print "Deleted recycler directory!"

try: os.remove(viral_path + "/autorun.inf")
print "NOTICE: autorun.inf was not found or cannot be removed"
else: print "Deleted autorun.inf!"

print "Completed viral removal from USB mass storage device."

This deletes both the exe files and the autorun.inf and recycler directory virus if it's there. There will be some infected files left over that you'll have to delete yourself (the randomly-named exe file will still be there if you've got autorun.inf, but the autorun.inf will be removed.

Be careful that you don't set the viral_path to something you don't want purged of same-name executables in every folder. On Windows, change it to E:\\ or whatever the drive letter is for your USB device (notice the REQUIRED double backslash, in case you're not a coder).

Our member chrisl suggested this quick & clean command using Perl regex to run the remove command on files in a directory. Manoeuvre to the directory of your removable media, eg. /media/usb/ and run the following command:

find -type d|perl -ple 's/.*?\/([^\/]+)$/$&\/$1.exe/'|xargs -I file rm file 
It renders my code useless on linux systems, but it was more of a rant about annoying usb-transmitted viruses than a real solution. Thanks chrisl!


lec's avatar
Oct 15 2009 @ 18:19:10
Hehe, okay.

chrisl's avatar
Oct 14 2009 @ 21:26:15
my bad, in some cases doesn't work only "xargs rm", just ignore it

chrisl's avatar
Oct 14 2009 @ 06:39:25
thank you man :D
btw, most of the time I use xargs doing more things with the filename, but in this case its simple so the whole "|xargs -I file rm file" is not necessary, just using '|xargs rm' is enough

lec's avatar
Oct 13 2009 @ 22:54:34
Hehe, it didn't occur to me. Thanks for the snippet!

And, sorry about that, I'll have to fix it.

chrisl's avatar
Oct 09 2009 @ 22:41:38
hmm... the comment system replaced the plus sign for a space after the [^\/] part.
oh well, put a plus sign there in order to use it.

chrisl's avatar
Oct 09 2009 @ 22:36:32
to delete a file inside a directory that is named the same as the directory, like /media/usb/files/files.exe ??

you can also use a command like this, on the usb directory:

find -type d|perl -ple 's/.*?\/([^\/] )$/$&\/$1.exe/'|xargs -I file rm file

Thunda's avatar
Sep 03 2009 @ 23:00:40
I sure wish I was that much of a good python coder I could code scripts to help my life's problems.
Conventional Login

Don't have an account? You may want to create one.

OpenID Login
OpenID login and registration is usable, but not finished.
What is OpenID?

(advanced search)
Site Stats
  Total members: 108
  Latest member: adamthephantump
  Members currently online: 0
  Most online: 5 - Aug 28, 2009 (21:49)
  Front page hits: 86275
Developer info
  Site version: 3.5 Alpha
  12 queries - 4 templates
Under the Spotlight
Collide Site
Collide make fabulously dreamy electronic-industrial music, they're one of my favourite bands! Give them a chance to take control of your life - myspace | youtube - "Euphoria".

Collide Site - Hits: 3729

5/5 (2) | Rate this site?