USB flash drive (Auto virus) virus Analysis and Solution

I. Brief introduction to the USB flash drive virus:

The USB flash drive (Auto virus) is very common recently and has a certain degree of harm. Its Mechanism is to rely on Windows's automatic operation function, so that when we click to open the disk, automatically execute related files. At present, we use USB flash drives very frequently. When we enjoy the convenience of USB flash drives, the USB flash drive virus is also quietly spreading through the system's automatic operation function, we are even familiar with the popular USB flash drive virus files, such as SSS, which is frequently asked by netizens. EXE sxs. EXE how to kill this type of virus, we will analyze and summarize the features and preventive measures of the U disk virus.

Ii. Feature Analysis:

The so-called automatic running function is a convenient feature of the Windows system, so that when the disc, U disk inserted into the machine for automatic operation, and the implementation of this feature is through the disk and directory Autorun. INF file. This file is stored in the root directory of the drive (usually a system file with hidden attributes). It stores some simple commands, inform the System of the program that should be automatically started for the newly inserted CD or USB flash disk.

The common autorun. inf file formats are roughly as follows:

[Autorun] // indicates that the autorun part starts and must be entered
Icon = c: \ c. ICO // specify a personalized drive letter icon for drive C. ICO
Open = c: \ 1.exe // specify the path and name of the program to be run. The program runs automatically as long as the virus program is put here;

In Windows, you can use the following methods to allow and block automatic operation:

Find the following key in the registry:

Key Path: [HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ exploer]

The "NoDriveTypeAutoRun" key in the right pane determines whether to perform the autorun function. Each digit represents a device, and each device is represented by the following value:

 

Device Name	Number of digits	Value	The device is represented by the following values:	Device Name Description
Drive_unknown	0	1	01 H	Unrecognized Type Device
Drive_no_root_dir	1	0	02 h	Drive without root directory
Drive_removable	2	1	04 H	Removable Drive
Drive_fixed	3	0	08 h	Fixed drive
Drive_remote	4	1	10 h	Network drive
Drive_cdrom	5	0	20 h	Optical Drive
Drive_ramdisk	6	0	40 h	RAM disk

Where: retain the drive type not specified for 7 1 80 h

The value "0" indicates that the device is running, and "1" indicates that the device is not running.
As shown above, the corresponding drive_no_root_dir, drive_fixed, drive_cdrom, and drive_ramdisk can be run automatically. To disable the automatic running of the autorun. inf file on the hard disk, you must set the value of the drive_fixed keys to 1, because drive_fixed represents a fixed drive (that is, a hard disk ). If you only want to disable the autorun function of the software disc, but retain the automatic playback capability of the CD audio disc, you only need to change the key value of "NoDriveTypeAutoRun" to: BD, 00.

The USB flash drive virus uses this system feature. Generally, after infection, the registry of the system is modified, and the option of displaying all files is disabled. Or even modify the Disk Association. Anti-virus software usually only clears the virus files, but does not process the residual files. This is also the reason why common anti-virus software is often unable to be cleared, or the disk cannot be opened by double-clicking after cleanup.

Iii. solution:

1. Use the super patrol suit to comprehensively solve the problem of USB flash drive virus (recommended !) :

① Super patrol officers have specially processed the USB flash drive virus detection to quickly monitor and locate the USB flash drive virus and clear them.
② Super patrol also provides handling of Registry Association repair and automatic operation blocking.

2. Manual solution:

① According to the above principle, modify the Registry to disable automatic operation of disks.
② Hide the protected operating system files in the folder options, select and display all files and folders, and click OK. In this way, you can see several files (including autorun. inf and virus files) on the infected mobile storage device. After deletion, the virus is cleared.