Security Corner

Sep 12 2008   2:22AM GMT

Bootable Thumb Drive Virus Scanner Saves the Day

Ken Harthun

Forgive me if I brag a bit in this post, but I think I earned the right. You be the judge.

Last weekend, I noticed strange behavior on my home system. ESET Smart Security kept reporting that it had “found and quarantined m.exe, probably a variant of Win.Qhost trojan.” Every time I plugged in a USB thumb drive, ESET would pop up with the message. I couldn’t run HijackThis. If I tried to go to certain antivirus websites–Avira in particular–my browser closed. Sysinternals Process Explorer wouldn’t run. My thumb drive showed two hidden files: Autorun.inf and m.exe. Hmmm. Running ipconfig /displaydns revealed multiple connections to porn and malware sites. Searching Google led me to some tools that eventually fixed my problem at home. Turns out I had a bigger problem.
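The two tells in the paragraph above, a hidden Autorun.inf that launches a hidden executable from the thumb drive and a DNS resolver cache full of names the user never visited, can both be triaged from the artifacts alone, without executing anything on the suspect host. The following is an added example written for this post, not code from the author or from ESET/Avira; the Autorun.inf text and the `ipconfig /displaydns` output are constructed samples modelled on the indicators described, and the `.invalid` and `example.com` names are placeholders, not real infrastructure.

```python
"""Defender-side triage for two indicators of a USB autorun worm:
1. an Autorun.inf whose launch keys point at a hidden file on the drive;
2. unexpected names in the Windows DNS resolver cache (ipconfig /displaydns).
"""
import re
from typing import Dict, Iterable, List

# Constructed sample Autorun.inf, modelled on the post's Autorun.inf + m.exe pair.
SAMPLE_AUTORUN_INF = r"""[autorun]
; constructed sample, not a real capture
open=m.exe
shellexecute=m.exe
shell\open\command=m.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed sample of 'ipconfig /displaydns' output (placeholder names/IPs).
SAMPLE_DISPLAYDNS = """
Windows IP Configuration

         localhost
         ----------------------------------------
         Record Name . . . . . : localhost
         Record Type . . . . . : 1
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1

         update.example.com
         ----------------------------------------
         Record Name . . . . . : update.example.com
         Record Type . . . . . : 1
         Section . . . . . . . : Answer
         A (Host) Record . . . : 192.0.2.10

         cheap-meds.invalid
         ----------------------------------------
         Record Name . . . . . : cheap-meds.invalid
         Record Type . . . . . : 1
         Section . . . . . . . : Answer
         A (Host) Record . . . : 198.51.100.7

         installer.invalid
         ----------------------------------------
         Record Name . . . . . : installer.invalid
         Record Type . . . . . : 1
         Section . . . . . . . : Answer
         A (Host) Record . . . : 203.0.113.5
"""

# [autorun] keys that make Windows run a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Minimal INI parser for the [autorun] section; keys are lower-cased.
    Hand-written rather than configparser so '%SystemRoot%' is not interpolated."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text: str) -> List[str]:
    """Every program the file would launch: open=, shellexecute=, and any
    shell\\<verb>\\command= key (shell verbs run from the Explorer context menu)."""
    targets = set()
    for key, value in parse_autorun_inf(text).items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_cmd:
            parts = value.split()
            exe = parts[0].strip('"') if parts else value  # drop arguments/quotes
            targets.add(exe.lower())
    return sorted(targets)


def triage_thumb_drive(autorun_text: str, hidden_files: Iterable[str]) -> List[str]:
    """Launch targets that are themselves hidden files on the drive, the exact
    pattern described in the post (hidden Autorun.inf pointing at hidden m.exe)."""
    hidden = {name.lower() for name in hidden_files}
    return [t for t in autorun_launch_targets(autorun_text) if t in hidden]


RECORD_NAME = re.compile(r"Record Name[ .]*:\s*(\S+)")
A_RECORD = re.compile(r"A \(Host\) Record[ .]*:\s*(\S+)")


def parse_displaydns(text: str) -> Dict[str, List[str]]:
    """Map each cached name to its A records from 'ipconfig /displaydns' output."""
    cache: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = RECORD_NAME.search(line)
        if m:
            current = m.group(1).lower().rstrip(".")
            cache.setdefault(current, [])
            continue
        m = A_RECORD.search(line)
        if m and current is not None:
            cache[current].append(m.group(1))
    return cache


def unexpected_lookups(cache: Dict[str, List[str]], expected: Iterable[str]) -> List[str]:
    """Cached names outside the list of domains this host is expected to talk to."""
    allowed = tuple(expected)
    return sorted(
        name for name in cache
        if not any(name == s or name.endswith("." + s) for s in allowed)
    )


if __name__ == "__main__":
    print("autorun launches:", triage_thumb_drive(SAMPLE_AUTORUN_INF, ["Autorun.inf", "m.exe"]))
    print("unexpected DNS:", unexpected_lookups(parse_displaydns(SAMPLE_DISPLAYDNS),
                                                ("localhost", "example.com")))
```

Run it against a real drive by reading the root `Autorun.inf` (with `attrib` or `dir /a:h` to list hidden files) and by piping `ipconfig /displaydns` into a file; the point of the cache check is a short allowlist of domains the machine legitimately contacts, so anything left over is a lead worth pulling on a clean machine rather than on the infected one.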

Apparently, I had picked up the infection from a client’s Exchange server and during my weekly tour there, I found that the tools I used on my XP machine wouldn’t run on Windows Server 2003. I tried everything in my arsenal; no tool found anything wrong. This thing was very stealthy; even Safe Mode didn’t disable it. I was about to give up. Then I remembered that I’d recently finished making up a bootable Linux thumb drive virus scanner using the AntiVir rescue CD, a tool that allows offline scanning (thank you, Avira, you made it a little easier for me). I booted the server to the thumb drive, ran the scan, rebooted the server, and voilà! The infection was gone.

There’s a whole backstory to this incident that I won’t bore you with. Suffice it to say that I’m glad I put in the hours of hacking and research to come up with a really useful tool that I was able to use to help a client. Veni! Vidi! Vici!

1 Comment on this Post

  • Troywedi
    I have just found this today on my network and McAfee will not pick it up. In fact 15/36 popular scanners found it according to this site after I uploaded it. I have managed to wipe it from the USB but am unsure of how it originated and is spreading. I assume once loaded the next USB to be entered while the process is running will contract it. It seems to not only use the autorun on the USB but installs itself locally, so even though I have re-imaged a whole bunch of troubled computers I still have many users with this on their USBs. Even though I have supplied the wiper for USB I'm sure a lot will not try running it. Really sneaky one this. Thanks for the link!
