Those of us who have been around for a long time remember when viruses were primarily jokes distributed via floppy disks. This was often referred to as the “Sneaker Network”. I have recently seen a few viruses that seem to transmit only via removable storage (USB drive, camera, smart phone, etc.), which is the newer version of the floppy-disk sneaker network.

What I saw:

(NOTE: Antivirus did not catch this, but I observed network traffic trying to call home to a known botnet’s Command and Control servers.)

In 2 separate incidents I found the virus was launching from removable storage (a USB drive and a camera). The devices were allowed to autoplay, which launched the autorun.inf file, which in turn launched the malware from a specially crafted folder. Autorun.inf pointed to an executable in a folder that, from Windows Explorer, appears to be the Recycle Bin; when you try to open it from Explorer you are redirected to the real Recycle Bin.

[Screenshot: an example folder (that I created) next to the actual Recycle Bin]

[Screenshot: the same folder viewed from a DOS prompt]

Sample contents of autorun.inf (the lines beginning with “;” are INI comment lines padded with junk bytes):

    [autorun]
    ;s?Tj?Xëú
    open=ggggg/virus.exe
    ;õ??mRC)???ù?
    icon=%SystemRoot%\system32\SHELL32.dll,4
    ;??A}OëÊMb?
    action=Open folder to view files using Windows Explorer
    ;LkdÏOF
    shell\\open\command= ggggg/virus.exe
    ;?Zf]???Mé
    shell\explore\\command= ggggg/virus.exe
    ;?s??çt??
    useautoplay=1
    ;?øüÌ????àÒY?
    [AutoRun]

Contents of ggggg\Desktop.ini:

    [.ShellClassInfo]
    IconFile=%SystemRoot%\system32\SHELL32.dll
    IconIndex=32
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}

The “CLSID=” value corresponds to the Recycle Bin. Information taken from Microsoft at: http://msdn.microsoft.com/en-us/library/cc144096(VS.85).aspx

Notice that the autorun.inf will launch virus.exe. This process “hooks” itself into Explorer.exe, which makes it difficult to remove.

Removal:

1. Launch Task Manager and a command prompt.
2. Kill all Explorer.exe processes.
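As an added example (not code from the original post), a small Python checker that parses an autorun.inf and Desktop.ini laid out the way this sample is (junk comment lines, a header missing its closing bracket, doubled backslashes in keys) and reports the indicators described above: launch keys pointing at a program file, useautoplay=1, the prompt-mimicking action text, and the Recycle Bin CLSID. The sample file contents are constructed from the post's listing; the executable-extension list and the set of launch keys checked are my assumptions, not something the page states.

```python
import re
# CLSID Windows maps to the Recycle Bin (value taken from the post's Desktop.ini).
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")  # assumed list
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_ini(text):
    """Tolerant INI parser: skips ';' junk comments, accepts '[autorun' without ']', lower-cases keys, collapses doubled backslashes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            current = sections.setdefault(line[1:].split("]")[0].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[re.sub(r"\\+", r"\\", key.strip().lower())] = value.strip()
    return sections

def autorun_indicators(autorun_text, desktop_ini_text=""):
    """Return (key, detail) pairs for the indicators described in the post."""
    auto, hits = parse_ini(autorun_text).get("autorun", {}), []
    for key in LAUNCH_KEYS:                # any launch key pointing at a program file
        target = auto.get(key, "").strip('"')
        if target.lower().endswith(EXEC_EXT):
            hits.append((key, target))
    if auto.get("useautoplay") == "1":
        hits.append(("useautoplay", "forces AutoPlay on insertion"))
    if "windows explorer" in auto.get("action", "").lower():
        hits.append(("action", "mimics the standard Windows AutoPlay prompt"))
    info = parse_ini(desktop_ini_text).get(".shellclassinfo", {})
    if info.get("clsid", "").upper() == RECYCLE_BIN_CLSID:
        hits.append(("desktop.ini", "folder disguised as the Recycle Bin"))
    return hits

# Constructed sample modelled on the post's listing; the ';' line stands in for the binary junk comments.
SAMPLE_AUTORUN = """[autorun
;s?Tj?X
open=ggggg/virus.exe
action=Open folder to view files using Windows Explorer
shell\\\\open\\command= ggggg/virus.exe
shell\\explore\\\\command= ggggg/virus.exe
useautoplay=1
[AutoRun]
"""
SAMPLE_DESKTOP_INI = """[.ShellClassInfo]
IconFile=%SystemRoot%\\system32\\SHELL32.dll
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
"""
```

Running `autorun_indicators(SAMPLE_AUTORUN, SAMPLE_DESKTOP_INI)` flags all three launch keys plus the useautoplay, action and Desktop.ini indicators; a plain autorun.inf that only sets an icon produces no hits.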
Regarding this issue... rather than reformatting the drive, my suggestion would be to disable autorun, delete the autorun file and try to use a tool like Icesword to remove the infected file.