Preventing The Spread of Portable Viruses

Last week I posted about svchost.exe, an amateur, but nasty virus that spreads by copying itself to flash drives and making other computers hosts, if not fully infecting them. Luckily for you guys, I’ve kept my copy in a sandbox and poked and prodded it a little. I’ve found a few ways to protect your computer and your flash-drive.

First off, here’s a simple way to protect your computer: disable autorun. Autorun has been the bane of security experts for a long, long time. If you run Windows 7, you’ll notice it has been disabled by default, but on Vista or XP you will need to do it manually. It should be in the control panel, under “autoplay.” This will stop the virus from being written to your computer.

Now to your drive. To stop certain files from being written to your flash drive, we will be creating a few dummy files with the same names. First of all, we will be revealing hidden and protected files. Go to Tools -> Folder Options -> View. Check “Show Hidden Files and Folders,” then uncheck “Hide Protected Operating System Files” (in Vista, you may need to press “alt” to get to the menu bar). Here is what we will be typing into the cmd window and what you will be seeing (assuming the default directory of cmd is C:\WINDOWS\System32>, the drive letter is G:\ and we are removing and replacing only svchost.exe):

C:\WINDOWS\System32>cd..

C:\WINDOWS>cd..

C:\>cd /d G:

G:\>del /f /a svchost.exe

G:\>mkdir svchost.exe

G:\>attrib svchost.exe +h +s +r

G:\>exit

Repeat for each file you want to block. What we are doing here is changing directories, deleting the file and replacing it with a folder with the same name. You can do this with any other files. Here’s a list of suspicious files that should be blocked:

  • New Folder.exe*
  • Heap41a.exe
  • ravmon.exe
  • svchost.exe
  • autorun.inf

As previously mentioned, portable viruses can spread at work or at school. The best way to prevent them from spreading is to disable autorun on all the work/school computers. Contact your computer technician about that.

I’m working on batch scripts that will do this for you if you want. I’ll get them posted as soon as possible.

*Because of the space in this name, you will need to put it in straight double quotes: mkdir "New Folder.exe".
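The manual steps above, applied to every name in the list, written out as a batch script. This is an example added here, not the author's own script; the script name block-names.bat is hypothetical, and the drive letter is passed as the only argument.

```batch
@echo off
rem Added example, not the author's script: replace each suspicious file name
rem from the list above with a hidden, system, read-only folder of that name.
rem Usage: block-names.bat G:     (block-names.bat is a hypothetical name)
setlocal

set "DRIVE=%~1"
if not defined DRIVE goto :usage
set "DRIVE=%DRIVE:~0,2%"
if not "%DRIVE:~1,1%"==":" goto :usage
if not exist "%DRIVE%\" (
    echo Drive %DRIVE% is not available.
    exit /b 1
)

for %%F in ("New Folder.exe" "Heap41a.exe" "ravmon.exe" "svchost.exe" "autorun.inf") do (
    call :block "%DRIVE%\%%~F"
)
exit /b 0

:usage
echo Usage: %~nx0 DRIVE:
exit /b 1

:block
rem %1 is the full path to block. A trailing backslash matches folders only.
if exist "%~1\" (
    attrib +h +s +r "%~1"
    echo Already a folder: %~1
    goto :eof
)
rem /a matches hidden and system files, /f forces read-only ones.
if exist "%~1" del /f /a /q "%~1"
if exist "%~1" (
    echo Could not delete %~1
    goto :eof
)
mkdir "%~1"
if errorlevel 1 (
    echo Could not create folder %~1
    goto :eof
)
attrib +h +s +r "%~1"
echo Blocked: %~1
goto :eof
```

A folder only blocks a program that tries to create a plain file with that name; anything that removes the folder first is not stopped, so disabling autorun on the computer is still needed.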


  1. #1 by Zack on 2010/01/18 - 21:26

    (FYI you’ve got a few typos in the first sentence)

    The thing is, autorun is NOT ALWAYS A VIRUS. Many CDs (for example CDs with games on them) use it for legitimate reasons. Installing programs, running things without needing the user to do work… There are several useful implementations.

    • #2 by Stéphane on 2010/01/19 - 19:56

      True, autorun.inf is not a virus on its own, but it is a little niche that a lot of portable viruses use to spread. In the end, it’s a simple matter of convenience, so it’s worth it to remove it from your drive (at least in my opinion).
