From: lesio family on 28 Apr 2010 21:13

I've read about trojan-infected USB drives (I even got one trojan this way myself :) now I am clean.

Question: can this type of trojan/virus come from an external HD enclosure? I've bought one for my old SATA drive - the drive was mine so it was clean, but more or less since then I started to have multiple notifications about w32, sevebomba, gasgas.exe and others in my system.

So again: can an enclosure contain malware? It is not only a metal box, it has some electronic components.

--
lb

From: David H. Lipman on 28 Apr 2010 21:46

Technically speaking, a USB Drive doesn't get infected. The OS gets infected. The USB Drive is a carrier.

Take an envelope with Anthrax spores. The envelope is not infected, the person who inhales the spores gets infected with Anthrax.

Just like the envelope which carries the Anthrax spores, the USB Drive carries the trojan.

As for "can this type of trojan/virus come from external HD enclosure?"
Not from the enclosure - no. But if the drive that was in the enclosure had malware when you got it, then yes, it can be a carrier of malware.

When you ask about "...can enclosure contain a malware? it is not only a metal box, it has some electronic components"
If there is no hard disk in the enclosure -- no.

Here's the question.
You indicate that your un-named anti malware software provided you with... "notifications about w32, sevebomba, gasgas.exe and others in my system..."
Your SYSTEM is most likely the "C:" drive. If you put what you thought was a CLEAN SATA hard disk in a SATA enclosure then the OS will assign a drive letter to the external drive such as "E:".

Has there been a point that your un-named anti virus solution indicated malware on "E:" (assuming that is the letter the external drive was assigned)?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: lesio family on 28 Apr 2010 22:35

I understand that technically a USB drive is a carrier which, when plugged into a PC, "infects" the new host PC - the Windows OS automatically runs autoexec files on USB drives, which executes the malware.

Example from my case:

[autorun
(unreadable bytes)
open=SEVEBOMBA/gasgas.exe
action=Open folder to view files using Windows Explorer
icon=SEVEBOMBA/gasgas.exe
Shell\open\command=SEVEBOMBA/gasgas.exe
shell\open\command=SEVEBOMBA/gasgas.exe
USEAUTOPLAY=1

Sorry I did not mention it before - I have NIS 2010, and when I checked the details of the infected files the drive letter was my external drive; last time it was my photo camera SD card, which I read using a USB card reader :)) unbelievable! Based on what I read, the new host transfers malware to all USB drives used on this PC, and then the USB drives are plugged into new PCs which receive the package, and so on.

I was thinking that maybe in the enclosure's electronic components there is a place for some software/malware - if that is not the case I have to recall where else I plugged in either my SD card or my external SATA drive.

--
lb

From: David H. Lipman on 28 Apr 2010 22:57

Yes, what you describe is indeed an AutoRun worm.

There is NO place on the electronics in the SATA --> USB (or EIDE --> USB) circuitry for malware to be stored or transferred to a PC.

If you were infected with an AutoRun worm then it was either received by inserting a USB Mass Storage Device that had an AutoRun worm and thus infected the PC. Additionally, when any USB Mass Storage Device was subsequently inserted into the USB port, it too would have the AutoRun worm placed on it. The other possibility is you had a trojan dropper that dropped the AutoRun worm on your PC, obtained via the Internet.

In any case...
I have no respect for NIS 2010 as Symantec AV just isn't that good. A better solution would be Avira AntiVir. However, barring replacing NIS 2010, and no matter what you do, you need to scan the PC with another anti malware product or two as well as scan *any* and all USB Mass Storage Devices. You also should disable AutoPlay/AutoRun on the PC.

BTW: What did Symantec call this AutoRun worm? (something like W32/SillyFDC?)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

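Added example (not part of the thread or any poster's code): a Python check that reads an autorun.inf from a removable drive as raw bytes and reports the directives that launch a program, the AutoPlay label attached to them, and binary padding. The sample is constructed from the directives quoted in the thread; the padding bytes and the name `analyze_autorun` are assumptions.

```python
import re

EXEC_KEYS = {"open", "shellexecute"}  # keys that start a program on AutoRun
SHELL_VERB = re.compile(r"shell\\[^\\=]+\\command", re.I)  # custom verb commands

def analyze_autorun(raw: bytes) -> dict:
    """Report launch directives, lure text and binary padding in an autorun.inf."""
    launches, lure = set(), None
    # latin-1 maps every byte to a character, so padding cannot break decoding.
    # Section headers are ignored on purpose: padding can mangle "[autorun]".
    for line in raw.decode("latin-1").splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key in EXEC_KEYS or SHELL_VERB.fullmatch(key):
            launches.add(value.split()[0].replace("/", "\\").lower())
        elif key == "action":
            lure = value  # label shown for the entry in the AutoPlay dialog
    junk = sum(1 for b in raw if b not in (9, 10, 13) and not 32 <= b < 127)
    findings = [f"launches {path}" for path in sorted(launches)]
    if lure and launches:
        findings.append(f"AutoPlay label {lure!r} is attached to a program launch")
    if raw and junk / len(raw) > 0.10:
        findings.append("binary padding around the directives")
    return {"launches": sorted(launches), "findings": findings}

# Constructed sample: directives as quoted in the thread, padding bytes invented.
SAMPLE = (
    b"[autorun\r\n" + bytes([0x90, 0xFF, 0x00, 0x81]) * 40 + b"\r\n"
    b"open=SEVEBOMBA/gasgas.exe\r\n"
    b"action=Open folder to view files using Windows Explorer\r\n"
    b"icon=SEVEBOMBA/gasgas.exe\r\n"
    b"Shell\\open\\command=SEVEBOMBA/gasgas.exe\r\n"
    b"shell\\open\\command=SEVEBOMBA/gasgas.exe\r\n"
    b"USEAUTOPLAY=1\r\n"
)

if __name__ == "__main__":
    for finding in analyze_autorun(SAMPLE)["findings"]:
        print(finding)
```

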
From: lesio family on 29 Apr 2010 21:34

Dave, thank you very much for confirming/clarifying my questions.

I already disabled autorun (I hope) - in my registry - I can not find the string right now but I replaced key value 91 with b5.

I will look closer at Avira.

Thanks again

--
lb
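
Added example (not from the thread): the values 91 and b5 in the last post have the form of the hexadecimal bitmask used by the Windows `NoDriveTypeAutoRun` policy value. That identification is an assumption, since the post does not name the value. The Python below decodes such a mask to show which drive types still AutoRun; the function names are hypothetical.

```python
# Assumed registry value: NoDriveTypeAutoRun under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
# A set bit disables AutoRun for that drive type (bit n matches the
# GetDriveType() result n). Bit 0x80 is reserved and not listed here.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cd-rom",
    0x40: "ram disk",
}

def autorun_still_enabled(mask: int) -> list:
    """Drive types for which AutoRun remains enabled under this mask."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]

def newly_disabled(old: int, new: int) -> list:
    """Drive types that the change from old to new switches off."""
    return [name for bit, name in DRIVE_BITS.items()
            if new & bit and not old & bit]

if __name__ == "__main__":
    for mask in (0x91, 0xB5, 0xFF):
        enabled = ", ".join(autorun_still_enabled(mask)) or "none"
        print(f"0x{mask:02X}: AutoRun still enabled for: {enabled}")
    print("0x91 -> 0xB5 disables:", ", ".join(newly_disabled(0x91, 0xB5)))
```

Under this reading, 0xB5 adds removable and CD-ROM drives but leaves the fixed-drive bit (0x08) clear, which matters because external hard disks in USB enclosures commonly enumerate as fixed drives; 0xFF covers every type.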