Taming the recycle bin virus
I have often encountered the odd virus in my line of work, but nothing quite like this recent one. Our antivirus at work picked it up as "Mal_Otorun1" or "Worm_Autorun.cg"; the interesting thing was that there was more to the virus than the antivirus actually saw...

History of Autorun.inf
(This file is not the virus, but this is where the instructions are kept that keep the virus on your computer.)
There is, or can be, a hidden file on every removable storage medium called "Autorun.inf" containing instructions for the purpose of the media, e.g. run a flash presentation, open a readme file or a web browser menu. CDs often contain this file to auto-install software such as drivers. Most memory sticks don't contain this file; however, you can create one yourself in Notepad with the following two lines at the start:
[autorun]
OPEN=setup.exe
If you put this on the memory stick it will open up "setup.exe" every time it is inserted into a machine, unless autorun is disabled on that particular machine.
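To see what an Autorun.inf actually asks Windows to do, here is a small checker, added as an example and not part of the original post. It parses the [autorun] section case-insensitively and lists every directive that launches a program when the media is inserted (open, shellexecute, and the shell\...\command verbs). The two sample files are constructed: the first is the two-line file above, the second points its launcher at a RECYCLER path like the one the post goes on to describe.

```python
"""Inspect an autorun.inf for directives that launch a program on insert.

Added example (not from the original post): a small, case-insensitive
parser for the [autorun] section plus a check that flags the directives
that cause code to run automatically. Sample inputs are constructed.
"""
import re

# Directives in [autorun] that make Windows launch something. Assumption:
# these two cover the common launch keys; 'shell\...\command' verbs are
# matched separately because the verb name in the middle varies.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Lines outside the [autorun] section, blank lines and ';' comments are
    ignored, the way Windows reads the file.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            in_autorun = m.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def find_launch_directives(text):
    """List (key, value) pairs that would run a program on insertion."""
    findings = []
    for key, value in parse_autorun(text).items():
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_shell_verb:
            findings.append((key, value))
    return findings


# Constructed samples: the benign two-line file from the post, and one
# that routes every launch path into a recycle bin folder.
BENIGN = "[autorun]\nOPEN=setup.exe\n"
SUSPICIOUS = (
    "; constructed sample\n"
    "[AutoRun]\n"
    "open=RECYCLER\\S-1-5-21-xxxxx\\iso32.exe\n"
    "shellexecute=RECYCLER\\S-1-5-21-xxxxx\\iso32.exe\n"
    "shell\\open\\command=RECYCLER\\S-1-5-21-xxxxx\\iso32.exe\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
)

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, find_launch_directives(text))
```

Run it against a real file with `find_launch_directives(open("E:/autorun.inf").read())`; an icon= entry on its own is harmless and is deliberately not reported, while several launch keys all pointing into a RECYCLER folder is the pattern worth a closer look.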
Now the virus...
The virus itself resides in your RECYCLER folder, along with everything else in your recycle bin, on every drive in your system, yes, all of them, including your memory stick. The strange thing is that this recycle bin will now stay on your memory stick, along with any deleted file, ready to infect a new machine.
An easy way to see if you have the virus is to first empty your recycle bin, then go to Windows Explorer, click the 'Tools' menu, then 'Folder Options', click the 'View' tab, select 'Show hidden files and folders', untick the option 'Hide protected operating system files' and click 'Yes' to the message displayed. Click 'OK', now go to C:\RECYCLER, highlight all your recycle bins, right-click one of the selected bins and click 'Send To' and then 'Compressed (zipped) Folder'. Now open the newly created zip file: if any "S-1-5-21-xxxxx" folder contains anything more than desktop.ini and INFO2, in particular an iso32.exe or iso.exe, you have the virus and must follow the instructions at the Trend Micro site below...
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AUTORUN.CG&VSect=T
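The manual check above, looking for anything beyond desktop.ini and INFO2 in each per-user recycle bin folder, is easy to script. The following is an added example, not code from the original post or from Trend Micro: it walks a RECYCLER-style directory and reports every S-1-5-21-* folder holding unexpected entries. The sample tree it builds is constructed in a temporary directory; on a real machine you would pass C:\RECYCLER as the argument after showing hidden and protected operating system files as described above.

```python
"""Flag unexpected files inside per-user recycle bin folders.

Added example, not from the original post. It checks a RECYCLER-style
directory (a root holding one S-1-5-21-... folder per user) for entries
other than the two that belong there, desktop.ini and INFO2, which is
the manual check the post describes. The sample tree is constructed in a
temporary directory so the script runs anywhere; pass a real
C:\\RECYCLER path as the first argument to check a machine.
"""
import os
import sys
import tempfile

# The only two files a clean, emptied Windows XP-era recycle bin folder holds.
EXPECTED = {"desktop.ini", "info2"}


def suspicious_recycler_entries(root):
    """Map each S-1-5-21-* folder under root to its unexpected entries.

    Names are compared case-insensitively. Sub-directories are reported
    too, since an emptied bin should contain none.
    """
    report = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not (os.path.isdir(path) and name.upper().startswith("S-1-5-21-")):
            continue
        extras = [e for e in sorted(os.listdir(path)) if e.lower() not in EXPECTED]
        if extras:
            report[name] = extras
    return report


def build_sample_recycler():
    """Create a constructed RECYCLER tree: one clean bin, one with iso32.exe.

    The SIDs are made-up placeholders, not values from any real machine.
    """
    root = tempfile.mkdtemp(prefix="recycler_sample_")
    clean = os.path.join(root, "S-1-5-21-1111111111-2222222222-3333333333-1001")
    infected = os.path.join(root, "S-1-5-21-1111111111-2222222222-3333333333-1002")
    for bin_dir in (clean, infected):
        os.makedirs(bin_dir)
        for fname in ("desktop.ini", "INFO2"):
            open(os.path.join(bin_dir, fname), "w").close()
    # Empty stand-in for the file the post says should never be in a bin.
    open(os.path.join(infected, "iso32.exe"), "wb").close()
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_recycler()
    findings = suspicious_recycler_entries(root)
    if not findings:
        print("no unexpected entries in any recycle bin under", root)
    for folder, extras in findings.items():
        print(f"{folder}: unexpected {extras}")
```

Anything reported is worth submitting to your antivirus vendor rather than simply deleting, since the same folder is what ends up on every memory stick the machine touches.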
The new pattern file picks up this virus as WORM_AUTORUN.DAT and is able to quarantine it should your system be infected. The way I initially avoided getting infected with this virus was to disable my recycle bin: right-click your recycle bin and check the box that says do not move items to the recycle bin, delete them permanently. The best way, though, was to update my antivirus. So the moral of the story: keep your pattern files up to date and your antivirus on...
