Understanding the U disk virus and its preventive measures

Source: Internet
Author: User
Tags: Recycle Bin, root directory, firewall

With the popularity of U disks (USB flash drives), mobile hard disks, memory cards and other mobile storage devices, USB disk viruses have flooded in as well. A USB disk virus, as its name implies, is a virus transmitted through USB disks. Since the discovery of the Autorun.inf loophole on USB disks, the number of USB disk viruses has been increasing day by day.

1. Hazards of the USB disk virus

Early USB drive viruses were only hoaxes: infected computers would often be unable to open files, or would display things of a joking nature. With the constant expansion of USB drive capacity and its wide use, the USB flash drive has become the main storage medium for transmitting files and data; documents used and exchanged daily, including secret files, are carried on USB drives. Although a number of secure USB drives have appeared on the market, their main function is to prevent the loss of the drive and the random browsing of its files; they cannot prevent the spread of USB disk viruses, which infect the drive while the user is browsing it. The USB flash drive virus has the characteristic of cross infection: when an uninfected USB drive is inserted into a computer infected with the virus, the virus automatically infects the USB drive, and when that infected USB drive is later inserted into an uninfected computer, the computer in turn is infected. In analysing USB disk viruses, we found that some use "ferry" technology: designated key files on the system are copied to the USB drive, and when the drive is later inserted into a computer that meets the required conditions (such as network access), the virus sends the copied files to a designated mailbox or to the control end of the Trojan.

As a contagious virus, the USB disk virus causes the following kinds of harm:

(1) Destroying the software system and affecting work. The general USB drive virus destroys the integrity of system files, so that the system cannot open files normally; the degree of harm is light.

(2) Deleting or changing files. This kind of USB drive virus often comes with a prank, such as deleting all files in the system, or changing the default suffix of Word files to another name so that the files cannot be opened; the degree of harm is moderate.

(3) Stealing the various passwords and accounts in the system and implementing remote control. At present many personal computers have Internet access; once connected to the network, the virus actively connects to its control side, sends the system passwords and account numbers to a designated mailbox, and implements remote control as the Trojan end of a zombie network (botnet).

(4) Stealing information in peacetime, damaging the system in wartime. The USB disk virus usually lies dormant in the computer; in peacetime, whenever Internet conditions are available, it transmits the replicated data to a designated mailbox, and in wartime it can damage and paralyse computer systems or computer networks. This is the greatest degree of harm.

2. Hazard mechanism of the USB disk virus

2.1 Transmission principle of the virus

USB disk viruses are mainly transmitted through the interaction between the USB drive and the computer. In recent years, driven by the interests of the "black" industrial chain, spreading via USB flash drive has become a major essential function of viruses. The initial infection is mainly achieved through "hanging horse" (drive-by download) on websites with security vulnerabilities: the website exploit mainly uses vulnerabilities in IE and other software, and when a user who has not installed patches visits such a website, the system "secretly" executes the program specified in the web page, achieving the purpose of control. In addition, USB disk viruses are also spread by sending spam, and by bundling Trojan software with normal software and placing it on websites for network users to download.

2.2 Spread phases of the USB virus

The USB flash drive transmits the virus mainly through the Autorun.inf file, and the process is divided into 2 stages.

Phase I: infection of the USB drive. When the user inserts a USB drive without any virus into a host in which the virus is latent, some commonly used operations may trigger the virus program. The virus first copies itself to the USB drive and creates a file named Autorun.inf. At this point the USB flash drive is infected.

Phase II: transmission of the virus. When the USB drive is inserted into a computer without any virus and the user double-clicks to open the drive and browse its files, Windows by default runs the program specified by the settings in Autorun.inf, so the virus program on the USB drive executes; at that moment the Windows operating system is infected.

2.3 Operation mechanism of the Autorun.inf file

Autorun.inf is a setup file that a device runs automatically. For example, when you insert some driver discs, Windows automatically runs the driver installer; this behaviour is set by the Autorun.inf file. In the entries below, filename.exe is the Trojan horse program. The file format has the following types:

(1) Automatically run the program


(2) Modify the context menu so that the default entry starts the virus


(3) As long as the ShellExecuteA/W function is called to open the USB disk root directory, the virus runs automatically

    shellexecute=filename.exe
    shellexecute= ...

(4) Disguised as system files; the potential for confusion is relatively great. The most common form is disguising the entry as the Recycle Bin.

    shell\open=Open(&O)
    shell\open\command=filename.exe
    shell\open\default=1
    shell\explore=Resource Manager(&X)
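A small detector for the entry types listed in this section, added here as an example and not part of the original article: a tolerant autorun.inf parser followed by a check that flags every [AutoRun] key that would launch a program or redirect a context-menu verb. The sample file, the RECYCLER\info.exe path and the junk line are constructed for the demonstration.

```python
import re

# [AutoRun] keys that launch a program or rewrite a context-menu verb,
# i.e. the entry types (1) to (4) described in section 2.3 above.
EXEC_KEYS = {"open", "shellexecute"}
MENU_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

def parse_autorun(text):
    """Yield (section, key, value); hand-rolled because infected samples
    pad the file with junk lines and duplicate keys that configparser rejects."""
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            yield section, key.strip().lower(), value.strip()

def suspicious_entries(text):
    """Return [(key, value, reason)] for entries that would run code."""
    findings = []
    for section, key, value in parse_autorun(text):
        if section != "autorun":
            continue
        if key in EXEC_KEYS:
            findings.append((key, value, "launches a program on AutoRun"))
        elif MENU_COMMAND_RE.match(key):
            findings.append((key, value, "rewrites a context-menu verb"))
        elif key.endswith("\\default") and value == "1":
            findings.append((key, value, "makes the rewritten verb the default"))
    return findings

# Constructed sample (not from the article) mimicking the disguise in item (4):
# the Open/Explore verbs point at an executable inside a Recycle-Bin-like folder.
SAMPLE_AUTORUN = r"""[AutoRun]
open=RECYCLER\info.exe
shell\open=Open(&O)
shell\open\command=RECYCLER\info.exe
shell\open\default=1
shell\explore=Explorer(&X)
icon=%SystemRoot%\system32\shell32.dll,4
xk3$%zz
"""
```

Benign entries such as icon= and label= are left alone, so a legitimate driver disc produces no findings.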

2.4 Hiding methods of USB virus programs

(1) Hidden as system files. System files are invisible by default, so this achieves a hiding effect. But this is relatively rudimentary, and viruses now generally do not use this method.

(2) Disguised as other documents. Because the general computer user does not display file suffixes, or the file name is too long for the suffix to be seen, some virus programs change their own icon to that of another file type, causing users to open them by mistake.

(3) Hidden in system folders. These system folders are often confusing, for example when the folder name is the name of the Recycle Bin.

(4) Using Windows vulnerabilities. Some viruses hide in a folder named Runauto ... ; this folder cannot be opened, and the system prompts that the path does not exist, but in fact the real name of the folder is Runauto ....

3. Development trend of the USB flash virus

According to the results of software monitoring, there are at least 288 kinds of USB disk viruses. The USB disk virus has gradually evolved from a single function into many functions and has become more and more advanced. Current USB disk viruses, once they infect a computer, also shut down the firewall, anti-virus software, system Automatic Updates and the Windows Security Center; more advanced ones modify the firewall and anti-virus settings so that they pass through the personal firewall, and some unpublished USB disk viruses infect PE files, so the virus is difficult to eradicate once the computer is infected. At present most viruses in the world have a USB infection function, making the USB drive a bridge between intranet and extranet, and the USB disk virus has become a kind of stubborn disease. Because of the great harm of USB disk viruses, many anti-virus products detect and kill them with the Autorun.inf file as the main feature, so new USB drive viruses will develop towards hardware and drivers. The USB virus can be embedded directly into a number of hardware devices, such as mobile phones, MP3 players and so on, and needs only to be activated by a password command sent over the network. Another trend is to move the virus to the driver level: no system can be separated from its drivers, so transmission and control are carried out through the driver.

4. Precautionary measures against the USB flash drive virus

Security is only relative; there is no absolute security. For mobile storage devices, prevention is mainly carried out at two levels, the technical level and the non-technical level. The technical aspect mainly considers data integrity, accuracy and exclusivity, while the non-technical aspect considers training, ideology and organisational management.

4.1 Technical Precautions

(1) Timely updating of security vulnerability patches and the virus library

For individuals and companies it is not realistic for everyone to be a security expert; anti-virus software is the defender in the security field and can kill most viruses on the market, so timely updating of security patches, application vulnerability fixes and the virus library can effectively reduce security risks. Genuine anti-virus software currently sold on the market comes with a vulnerability scanning function; from the report generated by the vulnerability scan, you can choose the automatic repair function to repair the vulnerabilities existing in the system.

(2) Prohibit automatic playback of mobile devices

Many Trojan viruses run automatically, so when you open a mobile storage device, try not to use AutoRun but open it through a browser or Explorer; or, if the device has a read/write protection switch, use the read-only protection switch when copying data from the device to your computer, to stop the USB drive virus from infecting the system. For the Windows XP operating system: click Start - Run, enter gpedit.msc to open the Group Policy Editor, select User Configuration - Administrative Templates - System - Turn off AutoPlay, choose Enabled in the Turn off AutoPlay Properties window, then select All drives under Turn off AutoPlay on, and click the Apply button to disable AutoPlay for all drives in the system.

(3) Real-time monitoring, antivirus first

Make sure the anti-virus software and personal firewall perform real-time monitoring, and that both are in normal operation. When using a mobile storage device, first scan the files on the device for viruses and carry out other operations only if no virus is identified. Windows operating systems do not display hidden files and protected system files by default, and viruses often use this to hide and propagate, so through Folder Options - View you need to select "Show all files and folders" and clear the "Hide protected operating system files (recommended)" check box, making it easy to see virus files hidden on the USB flash drive and other disks in the system.

(4) Create Autorun.inf folders on all disks

USB disk viruses generally propagate using the autorun.inf file. According to the Windows operating system's principle of uniqueness of file and folder names, only one object with a given name can exist in a directory, so you can create a folder called "Autorun.inf" on every disk of the system; the USB disk virus then cannot create its autorun.inf file, which achieves the purpose of prevention.
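The "vaccination" step described above, written out as an added example (not from the article): for a given drive root it occupies the name Autorun.inf with a non-empty directory, reports rather than overwrites a file that already carries that name, and verifies afterwards that a file called Autorun.inf can no longer be created there. The function names, the placeholder file and the throwaway directories used by demo() are assumptions for this demonstration.

```python
import tempfile
from pathlib import Path

def vaccinate(root):
    """Occupy the name Autorun.inf at a drive root with a directory.
    Returns a short status string so the caller can log each drive."""
    target = Path(root) / "Autorun.inf"
    if target.is_dir():
        return "already-vaccinated"
    if target.exists():
        # A file with this name is exactly what phase I in section 2.2
        # creates: report it for review, never silently overwrite it.
        return "existing-file-left-for-review"
    target.mkdir()
    # A non-empty directory cannot be removed with a plain rmdir/RemoveDirectory,
    # so a program that tries to "delete and recreate" the name fails at step one.
    (target / "placeholder.txt").write_text("keep this folder\n")
    return "created"

def can_create_autorun_file(root):
    """True if a file called Autorun.inf could still be written at root."""
    target = Path(root) / "Autorun.inf"
    try:
        with open(target, "w", encoding="ascii") as fh:
            fh.write("[AutoRun]\nopen=test.exe\n")
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False
    return True

def demo():
    """Exercise vaccinate() on two temporary directories standing in for
    drive roots (constructed stand-ins) and return the observed statuses."""
    clean = tempfile.mkdtemp()
    infected = tempfile.mkdtemp()
    # Constructed stand-in for a root that already carries a virus's autorun.inf.
    (Path(infected) / "Autorun.inf").write_text("[AutoRun]\nopen=virus.exe\n")
    return (
        vaccinate(clean),
        vaccinate(clean),
        can_create_autorun_file(clean),
        vaccinate(infected),
    )

if __name__ == "__main__":
    print(demo())
```

This blocks only the creation of the file; code running with rights to remove the whole directory tree can still undo it, so the measure complements, rather than replaces, disabling AutoPlay as in item (2).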

(5) Careful downloading, safe operation

When you need software, download it from regular large-scale websites as far as possible, and scan the downloaded software for viruses to guard against software bundled with a Trojan program. If it needs to run on an important computer, you must perform a security test to ensure that the software does not harm the system.

(6) Complete system and data backups

In recent years computer Trojan viruses have often carried strong commercial interests, especially viruses that use the USB flash drive as their medium; for example, the recently emerged Panda virus and AV virus infect all executable files and, if not handled well, bring huge economic losses. So at ordinary times, important data and systems must be backed up well, so that the system can be restored at any time and operate normally.

(7) Use special mobile storage management software

According to the value of the data, install special mobile storage management software to protect USB disk data. Such software often has a file encryption function, so that USB flash drive data can only be used on designated computers and designated networks; other computers cannot read it, and even if they do read it the content is garbled, thereby ensuring data security.

(8) Log and audit all permission changes and all file operations of mobile storage devices.

(9) Illegal USB drives cannot get in. All USB drives and removable hard disks that may be used internally must be authenticated; an unauthorised USB drive or removable hard disk cannot be used.

(10) Authorised USB drives cannot take data away. Even on certified mobile storage devices, the stored confidential files are encrypted with high strength and completely hidden; an authorised USB drive or mobile hard disk is used as usual internally, but on an external computer no information can be seen.

4.2 Non-technical precautions

(1) Strengthen management through rules. Only on computers where it is necessary should the use of USB flash drives and mobile hard disks be allowed; other computers should prohibit mobile storage devices such as USB flash drives and mobile hard disks. Secret USB disks are prohibited from contact with Internet-connected computers, and when a secret USB drive has finished data processing, its files should be securely deleted or the drive low-level formatted, to prevent leakage of secret files from the USB flash drive and ensure safety at the source.

(2) Dedicated disks for dedicated uses. USB flash drives in exchange-use mode are only for external use, and after each use the externally-used disk receives dedicated safe handling.

(3) Strengthen security awareness training and carry out regular security checks. Security emphasises the implementation of safety awareness and safety measures; carry out regular security checks on the implementation of security measures, combined with a forensics system for security violations, checking computers and related files to reduce security risks.

5. Concluding remarks

USB disk viruses appear to be commonplace; if management and monitoring are poor, they will cause great loss to individuals, enterprises and even countries. This article has described the characteristics and transmission principles of the USB disk virus and, finally, prevention measures from both the technical and non-technical points of view; it has a certain reference value for U disk security management and virus prevention.
