Tuesday, June 12, 2018

usb flash drive contents replaced with a single shortcut


I was confused when I opened my flash drive all I saw was a shortcut with its target as



C:\Windows\system32\rundll32.exe ~$WO.FAT32,_ldr@16 desktop.ini RET TLS " "



You may refer to the images I uploaded below. It shows the contents of the flash drive. The command prompt shows the hidden contents. You can see there that there is a with a blank name. It contains the contents of the flash drive. That directory also has a desktop.ini inside it with these as contents.


[.ShellClassInfo]
IconResource=%systemroot%\system32\SHELL32.dll,7
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=7

Unlike the first desktop.ini (found at the root of the flash drive). It has some kind of binary contents which frankly I don't know how to paste here. So I just uploaded the contents of the flash drive here. So you can view it yourself.


Another weird thing is the autorun.inf (which has only 0 bytes) is being used by the wuauclt.exe. You may refer to the second image below.


Has anyone experienced this too? I already did tried reformatting and reinserting the flash drive but still no luck.


contents of flash drive


autorun is locked


I hashed the desktop.ini (the binary-like one) and searched for it. It pointed me these links which was just posted a few days ago.


http://www.mycity.rs/Ambulanta/problem-sa-memorijskom-karticom-3.html


http://www.mycity.rs/Android/memoriska-kartica_2.html


desktop.ini (binary) d80c46bac5f9df7eb83f46d3f30bf426


I scanned the desktop.ini in VirusTotal. You may see the result here. McAfee-GW-Edition detected it as a Heuristic.BehavesLike.Exploit.CodeExec.C


I viewed the handles of wuauclt.exe in the Process Explorer and saw the autorun.inf is being used by the exe. You may also notice that a file from the temp folder is opened.



AppData\Local\Temp\mstuaespm.pif



Here is the scan of that pif file from VirusTotal. Here is an online copy of the PIF file and lastly, a random file that was generated after I ran the PIF file (I used sandbox).


wuauclt


Answer



I successfully removed it a few days back already. Though I just posted this one right now. Here is how I removed the backdoor from my computer.


http://blog.piratelufi.com/2013/02/usb-flash-drive-contents-replaced-with-a-single-shortcut/


Just realized that the question itself is not a very good question. It is something more of a topic for discussion. Thanks for the 'protection' though.


No comments:

Post a Comment

hard drive - Leaving bad sectors in unformatted partition?

Laptop was acting really weird, and copy and seek times were really slow, so I decided to scan the hard drive surface. I have a couple hundr...