Virus Attack
May 16th, 2007 by Paul Mah
Was hit by a virus attack a couple of days ago. Have just (more or less) got most of the software back in and my laptop back to a functional state.
Read on to hear my experience of it.
The vector appears to be a USB flash drive that was used to retrieve documents off an infected machine in my company. Apparently, it wrote an infected executable onto the drive as well as a helpful autorun.inf pointing to it.
Unknowingly, I inserted it into my laptop, and the rest is, as they say, history. I did in fact have anti-virus software, AVG Free, installed. However, it was hopelessly outclassed by what I later found, using F-Secure's BlackLight rootkit scanner, to be a payload with a rootkit component.
Killing the suspicious processes that were mushrooming, as expected, proved to be an act of futility. Anyway, new trojans and malware appeared to be simultaneously being downloaded and run as well, faster than anything I or AVG Free could do to prevent it. After 5 minutes, I quickly rebooted into Safe Mode.
In my mind, my Windows XP installation was already irrecoverably trashed. However, I was in Safe Mode, and things seemed to have calmed down somewhat. There, I did remedial work with Autoruns so that I could do a proper backup. The logic was that if I could eliminate all the entry points of the virus using this nifty tool, I might buy myself some time.
Anyway, I was able to get back into Windows after that to do my backup. The visible process list held steady. It was certainly tempting to think that the infestation had been subdued, but BlackLight, even though it detected a rootkit using what appeared to be a simple directory-hiding technique, was unable to complete. It kept crashing halfway into the scan.
A full antivirus scan revealed what was probably the reason for that. Not only were scores of JPG files identified as infected (by what I'd imagine to be the ANI vulnerability), key system DLLs in Windows had been detected as modified. Now, whilst I would certainly not be able to circumvent loading these DLLs, I could theoretically have replaced them with the same files from a known healthy system.
However, as I pointed out in The Death Of the Anti-Virus Software, there is no way that I can be even remotely certain that no other aspect of my system has been invisibly corrupted. I had no option but to embark on a time-consuming reformat.
Anyway, my system is now up again.
Needless to say, I have now manually disabled all forms of autorun. You can do so too with the Tweak UI application, which is part of the PowerToys suite of software from Microsoft.
Download the application and run it. It is a no-frills executable that will launch without any installation procedure. From the "My Computer" option, select "AutoPlay -> Drives" and de-select everything from "A" to "Z". Under "AutoPlay -> Types", be sure to de-select AutoPlay for both CD/DVD drives and removable drives. Once done, click on "Apply", and you're done.
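As an added example (not code from the original post), here is a small Python inspector covering the two things above: the autorun.inf that made the executable on the stick run on insertion, and the AutoPlay policy that the Tweak UI setting adjusts. The drive-type bit layout is that of the documented Windows policy value NoDriveTypeAutoRun (0xFF suppresses AutoRun everywhere; 0x91 is the XP default); that Tweak UI's "AutoPlay -> Types" page writes this value is my assumption, and the sample autorun.inf is constructed.

```python
"""Inspect an autorun.inf and decode the NoDriveTypeAutoRun policy bitmask."""
import re

# NoDriveTypeAutoRun: a set bit (1 << DRIVE_* type) suppresses AutoRun there.
DRIVE_TYPE_BITS = {
    0x01: "unknown (no root)", 0x04: "removable (USB/floppy)", 0x08: "fixed",
    0x10: "network", 0x20: "CD/DVD", 0x40: "RAM disk", 0x80: "unrecognised",
}
LAUNCH_KEYS = ("open", "shellexecute")
EXECUTABLE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)

def parse_autorun(text: str) -> dict:
    """Return the [autorun] keys that make Windows launch something.

    Windows reads the file as a lenient INI: section and key names are
    case-insensitive and lines it cannot parse are skipped, so do the same.
    """
    targets = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # open=, shellexecute= and shell\<verb>\command= all run a program.
            if key in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
                targets[key] = value
    return targets

def launches_executable(targets: dict) -> bool:
    """True if any launch entry names an executable file type."""
    return any(EXECUTABLE.search(value) for value in targets.values())

def autorun_still_enabled_for(policy: int) -> list:
    """Drive types on which AutoRun still fires under a NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not policy & bit]

# Constructed sample in the shape the post describes: a drive-level
# autorun.inf whose launch entries point at an executable on the stick.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
; constructed sample, not a file from the original post
open=files\setup.exe
shellexecute=files\setup.exe
shell\open\command=files\setup.exe
shell\open=Open
icon=%SystemRoot%\system32\shell32.dll,4
"""
```

Run parse_autorun over the root of a freshly inserted stick (with AutoPlay already off) to see what it would have launched, and check autorun_still_enabled_for against the policy value your machine actually holds.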
Have a nice day, and do remember to backup often.