Detecting a USB drive infection before viewing its contents

Nowadays, most viruses/worms spread via USB drives. So if your USB drive is infected and you double-click it to open it… BOOM, the virus enters your hard drive. Unless your AntiVirus is up to date, you have no means of telling whether your USB drive is infected. Even if your AntiVirus IS up to date, chances are that the virus/worm is a new one and your AntiVirus has no record of it. So how do you decide whether your USB drive is infected or not without relying on your AntiVirus?

  1. Download/create/extract an icon (*.ico) file. One nice site for getting cool icons is www.iconspedia.com.
  2. Open Notepad and write the following code in it:
    [autorun]
    icon=XXX.ico

    where “XXX” is your icon file’s name.

  3. Save it as “autorun.inf”.
  4. Copy the icon (from step 1) and the autorun file (from step 2) to your USB drive (assuming it is not infected).
  5. Set their attributes to Read-only and Hidden so that you don’t accidentally delete them.
  6. Disconnect and reconnect your USB drive and check whether the icon appears or not. If it doesn’t, the icon name in the code and the name of the file probably don’t match, or you haven’t saved the code as a “.inf” file.

Now, when your USB drive gets infected, the icon will disappear (or will be changed). This is because for the virus/worm to spread itself to the hard drive, it has to create an “autorun.inf” file. This file modifies the existing one, thus preventing your icon from showing and telling you about the infection. So, instead of double-clicking to open the drive, open it through the View –> Explorer Bar –> Folders option in the menu after scanning it. Also make sure to put the original autorun file back on the drive.
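As an added example (not code from the original post), here is a small Python script that performs the check from step 6 without opening the drive in Explorer: it reads autorun.inf straight from the drive root and reports whether the file is still the canary from step 2, has gone missing, or has been changed. It goes slightly beyond the icon test in the text by also flagging a file that keeps the icon line but adds keys that would launch a program. The icon name XXX.ico, the drive letter and the sample file contents are assumptions.

```python
from pathlib import Path

# Assumption: the canary written in step 2; "XXX.ico" stands in for the real icon name.
EXPECTED_CANARY = "[autorun]\nicon=XXX.ico\n"

# autorun.inf keys that make Windows run something instead of merely showing an icon.
EXEC_KEYS = ("open", "shellexecute", "shell")


def parse_autorun(text):
    """Return the [autorun] section as {key: value}; keys lowercased, CRLF/LF and comments tolerated."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def classify_autorun(text, expected=EXPECTED_CANARY):
    """Classify autorun.inf contents as 'intact', 'missing', 'executes' or 'modified'."""
    if text is None:
        return "missing"
    entries = parse_autorun(text)
    # Any open=/shellexecute=/shell\...\command= line would launch a program on the drive.
    if any(k in EXEC_KEYS or k.startswith("shell\\") for k in entries):
        return "executes"
    if entries == parse_autorun(expected):
        return "intact"
    return "modified"  # e.g. the icon line was changed or removed


def check_drive(drive_root, expected=EXPECTED_CANARY):
    """Read <drive_root>/autorun.inf directly; e.g. check_drive("E:\\") (drive letter assumed)."""
    path = Path(drive_root) / "autorun.inf"
    text = path.read_text(errors="replace") if path.exists() else None
    return classify_autorun(text, expected)


# Constructed samples: the canary as Notepad saves it (CRLF) and a tampered file
# that kept the icon line but added an open= key.
CANARY_FROM_DISK = "[autorun]\r\nicon=XXX.ico\r\n"
TAMPERED_SAMPLE = "[AutoRun]\r\nopen=hidden\\run.exe\r\nicon=XXX.ico\r\n"
```

Run `check_drive` against the drive root after plugging the drive in; anything other than "intact" means the canary has been replaced and the drive should be scanned before it is opened.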

Plain and simple… isn’t it?

Posted on May 9, 2009, in Fiddles.