Analysis of USB flash drive viruses and Autorun.inf files

Source: Internet
Author: User

Recently, USB flash drive viruses have become very widespread. Taking the Zhanjiang annual meeting as an example, we found that as many as 90% of the USB flash drives submitted by users carried a virus.

Here I will record some personal observations on these viruses:
First, almost all of these viruses use autorun.inf, but autorun.inf is really just an infection route. The viruses that come in through this channel can in theory be "any" virus. That is why, on the Internet, the virus that accompanies a detected autorun.inf often has a different name each time; that is simply how it is. It is like a wound on the body: more than one kind of bacterium may get in, the bacteria that enter can differ from environment to environment, and it could even be the AIDS virus. autorun.inf is only the starter. So it is impossible to say simply what "the USB flash drive virus" is, and trying to do so leads to chaos in detection and removal, because there are not one or a dozen virus types but far more; the exact number is not worth counting.

Let's talk about autorun.inf, the so-called starter.
First, the autorun.inf file has existed for a long time. In Windows systems before WinXP (such as Win98 and 2000), if you wanted a CD or USB flash drive inserted into the machine to run automatically, you had to rely on autorun.inf. This file is stored in the root directory of the drive (as a hidden system file) and holds a few simple commands that tell the system which program should be started automatically for the newly inserted CD or device, or tell the system to change the drive-letter icon to an icon at a certain path. So it is a regular, legitimate file and technology.
But as you will have noticed, "automatic" is the key. Virus writers can use it to make a removable device execute any command or program without the user's knowledge. So while autorun.inf can be placed on normal bootable media, such as the teaching CDs we often use that install or start a demonstration as soon as they are inserted into a computer, it can just as easily be made to launch any malicious content.

Computer viruses are like the biological world: bacteria, viruses and humans are all organisms. In most cases these microorganisms are not entirely harmful and can coexist with the human body. Like normal programs, viruses on a computer are written and executed from source code using the same basic principles; the difference is that software does what the user needs and works normally, while a virus performs functions the user did not ask for and that are abnormal. There is a dialectical relativity here. For example, anyone familiar with computers knows that the DOS commands Format and del format the hard disk and delete files. Suppose I use the Format or del command in autorun.inf: then I can format someone else's machine or delete some of their files, and this does not require much advanced computer knowledge.

Having covered autorun.inf, let's talk about how the related USB flash drive viruses hide themselves:
With a starter in place, the virus author still has to put the virus body on the CD or USB flash drive for it to run. But you would be able to find and delete that file on a USB flash drive (even if you did not know it was a virus, you would notice an unknown file that is not your own), so the virus is hidden and stored in places that are normally invisible.
One is the fake Recycle Bin method: the virus usually creates a "RECYCLER" folder on the USB flash drive and hides the virus in a deep subdirectory. People generally take this for the recycle bin. In fact, the recycle bin is named "Recycled", and the two icons are also different.

Another is to imitate anti-virus software: a program is put on the USB drive and named "ravmone.exe", which is easily mistaken for a Rising program but is actually the virus.

Someone may ask: why can't I see the files above on my machine? It is very simple. With a typical system installation, some folders and files are hidden by default, and viruses disguise themselves as system folders and hidden files, so of course they are normally not seen.
What should I do to be able to see hidden files?
Follow these steps: open "My Computer", click "Tools" on the menu bar, then click "Folder Options". In the dialog that appears, select the "View" tab and check the hidden-file settings there.

If the USB flash drive carries the virus above, something else also happens: when you right-click the USB flash drive, there are more items in the menu.

The left-hand case is a virus-infected USB flash drive, whose right-click menu contains "AutoPlay", "Open", "Browse" and other items; the right-hand case is a clean one, and none of those items are there.
Note: for removable media carrying an Autorun.inf, including CDs, it is normal for the right-click menu to offer automatic playback.

To sum up:

  • The current USB flash drive viruses all enter through Autorun.inf;
  • Autorun.inf is a normal file, but it can be exploited for malicious operations;
  • Different people may use Autorun.inf to plant different viruses, so one cannot simply say which virus it is; it can be any virus, Trojan, hacker program and so on;
  • Normally, a USB flash drive should not contain an Autorun.inf file;*
  • If you find an Autorun.inf on the USB flash drive that you did not create, delete it and scan for viruses as soon as possible;
  • If there are files that look like the recycle bin or like Rising's files, compare them with the recycle bin name on the hard disk and the genuine Rising name, and once you have confirmed the content was not created by you, delete it;
  • It is also recommended that you do not double-click the USB flash drive after inserting it. A better technique is to hold down the Shift key before inserting the USB flash drive and keep holding it for a while after insertion; then right-click the USB flash drive and select "Explorer" to open it.

Note:
*: Some USB flash drive manufacturers also use Autorun.inf in their own designs so that users can run the vendor's special programs; it has been confirmed that some vendors do this. So it is recommended that you first identify what your purchased USB flash drive does, or consult the sales staff.
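A defender-side check for the indicators listed above (an Autorun.inf that launches something, a fake "RECYCLER" folder, a "ravmone.exe" file), written as an added Python example that is not part of the original article; it assumes the drive root is given as a directory path, and the sample drive layout it builds in a temporary directory is constructed for the demonstration.

```python
import configparser
import tempfile
from pathlib import Path

EXEC_KEYS = ("open", "shellexecute")  # [autorun] keys that launch a program


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:  # not an INI file at all
        return {}
    for section in cp.sections():  # Windows matches the section name case-insensitively
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def assess_drive_root(root):
    """List findings for a drive root, following the indicators the article describes."""
    names = {p.name.lower(): p for p in Path(root).iterdir()}
    findings = []
    inf = names.get("autorun.inf")
    if inf is not None and inf.is_file():
        for key, value in parse_autorun(inf.read_text(errors="replace")).items():
            # open=, shellexecute= and shell\...\command= all run something on insertion/open
            if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                findings.append(f"autorun.inf {key}={value}")
    # Fake recycle bin: per the article the genuine folder is 'Recycled', not 'RECYCLER'
    if "recycler" in names and names["recycler"].is_dir():
        findings.append("RECYCLER folder (genuine recycle bin is 'Recycled')")
    if "ravmone.exe" in names:  # imitates Rising's ravmon.exe with an extra 'e'
        findings.append("ravmone.exe present (imitates Rising's ravmon.exe)")
    return findings


def demo(infected=True):
    """Build a constructed drive-root layout in a temp dir and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        if infected:
            (root / "RECYCLER").mkdir()  # constructed layout mirroring the article
            (root / "ravmone.exe").write_bytes(b"")
            (root / "autorun.inf").write_text(
                "[AutoRun]\r\nOPEN=RECYCLER\\ravmone.exe\r\nshell\\open\\Command=ravmone.exe\r\n")
        else:  # vendor-style autorun.inf that only sets a drive icon: nothing to flag
            (root / "autorun.inf").write_text("[autorun]\r\nicon=vendor.ico\r\n")
        return assess_drive_root(root)
```

An icon-only Autorun.inf, like the vendor case in the note above, produces no findings, so the check only flags entries that actually launch a program plus the two disguises the article names.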

Next, let's talk about the solution for the ravmone.exe virus:

Someone found that their USB flash drive had a virus and KV reported a ravmone.exe file. This is also the most classic USB flash drive virus...

After the RavmonE.exe virus runs, a process with the same name appears, and the program does not seem to do obvious harm. The program is 3.5 MB and appears to be written in Python. It usually occupies around MB of memory. It hides as a system file in the Windows directory and adds itself to the system startup items. The log file it generates usually contains a different six-digit number. It is estimated that there may be dangers such as account password theft. However

The suspected virus file is rather large, and it generally spreads via removable storage.

Solution:
1. Open the Task Manager (Ctrl+Alt+Del) and end all ravmone.exe processes.
2. Go to C:\Windows and delete the ravmone.exe file.
3. Go to C:\Windows, run regedit.exe, and open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. A value C:\Windows\ravmone.exe is shown on the right; delete it.
4. The virus is cleared.

How to kill the virus on a USB flash drive:
Delete them; a file with the .tmp suffix can also be deleted. After that, the virus is cleared.

However, from personal experience, I have a small addition to the above method for handling the virus on the USB flash drive:
Then delete the three files. If that does not work, delete them in Safe Mode.

Summary:
Don't think this is a minor virus. It runs in the background without your knowledge, occupies about 20 MB of memory for long periods, and starts with the system. It can make your computer hang silently for no apparent reason. This virus is believed to be very common on public computers, such as at schools and companies. Formatting the USB flash drive does not get rid of it, and many anti-virus programs do not handle it either; normally you cannot see it. If you don't believe it, insert the USB flash drive into your computer and then uncheck "Hide protected operating system files" in Folder Options: you may see three more unknown files. So go and check your USB flash drive! Good luck!
Note: if the process is ravmon.exe, it should be a Rising program and not the virus!
