How can a flash drive spread a virus?

How can a virus be spread from a USB flash drive besides the autorun.inf?

Can boot sector viruses infect thumb drives?

unknown (google)

Posted 2010-01-09T15:36:05.190

Reputation:

I added the [windows] tag because autorun.inf applies only to Windows. – Ben N – 2016-02-01T17:57:53.837

– Scott – 2017-05-06T22:04:42.690

Answers

There must be something that launches the virus, and there's no common way except for autorun.inf. Bootsector is read only on system boot, not when OS is operational.

That means if autorun.inf is disabled – you can relax unless no virus/useful-software enables it back again, or you run it manually :)

UPD: Sometimes a bug is found in some data-processing software: image/PDF viewers, video codecs, etc. If the bug allows to execute arbitrary code, a virus can enter your system inside the thumbnails generation process: this happens when a virus is hidden within some file's data in a way so it's executed by the buggy decoder. It's a rare case, however. Just keep your OS/software/libraries up to date and you're more or less secured :)

kolypto

Posted 2010-01-09T15:36:05.190

Reputation: 2 861

Danger! The existing answers make it sound as if disabling autorun.inf makes it perfectly safe to insert untrusted flash drives. That is false.

First up, once an attacker can run code on your machine, it isn't your machine anymore, and anything could happen. One possibility (if you're running as administrator, or if the virus leverages an elevation-of-privilege vulnerability) is that it rewrites your boot sector.

In the golden age of flash drive viruses, they were indeed mostly spread by rewriting the autorun.inf of new drives. There's also the possibility, however, of modifying programs or documents on the drive to do bad things. Again, once you run a malicious program, it's effectively game over; it doesn't matter how it started running.

The most treacherous way of hijacking flash drives, however, is to rewrite their firmware. Several models of flash drives support reflashing, and it could be done automatically with a little effort on the part of the virus writer. Changes to the firmware could cause the USB device to enumerate as a keyboard and type things into your computer that result in the execution of bad stuff. (Windows+R, http://dubious.bad/pwn.exe, Enter anyone?) There are devices on the market specifically designed to allow this, but reflashing can turn good devices bad.

So yes, there are non-autorun.inf ways for flash drive viruses to ruin your day.

Ben N

Posted 2010-01-09T15:36:05.190

Reputation: 32 973

Not sure if it's related, but I once found an autorun.exe in my USB drive that can't be seen by XP but was visible on Vista. Of course, I set the options to show everything (hidden and system files).

BTW, doesn't this belong to superuser?

RichN

Posted 2010-01-09T15:36:05.190

Reputation: 387

Many games have autorun.exe on its CD :) Nothing works without an .inf file. You may have deleted it – kolypto – 2010-01-09T18:08:15.647

It's not a CD. It's just a drive with no executables. Not even a reason to have .inf file there. – RichN – 2010-01-10T06:28:25.383

I have seen a few ways.

The most common is the autorun.inf way to install an application.

The next one which I haven't seen in a while is one that creates pictures or random files similar to picture.jpg.exe in order to trick you to run.

Lastly, I have seen ones that simply create vulnerable files that take advantage of 0-day hacks in programs such as Acrobat Reader.

It doesn't usually just infect, what happens typically is if it is on your machine, it will typically look for any removable media and copy itself, then it can be completly idle on another machine - but once run, it will do the same and try to infect any inserted media.

Once infected, who knows - the infection method is to do the above, the actual virus could do anything from steal passwords down to making you part of a botnet.

William Hilsum

Posted 2010-01-09T15:36:05.190

Reputation: 111 572