USB Infection with .JS Files

OptimusPrime

New Member
Thread author
Verified
Sep 9, 2013
27
Hi all,

Has anyone seen this one floating around? When a USB is inserted in a machine, all the files and folders turn into shortcuts and a hidden folder with .js files is created on the USB as well as the machine.

There are a tonne of ways to remove it but nothing really to totally prevent it from happening. Having trouble finding what the actual source is and what's creating the js files.

Regards
 

Littlebits

Retired Staff
May 3, 2011
3,893
What version of Windows did this happen on?

I'm thinking it had to be Windows XP because USB autorun is disabled by default on Vista, Windows 7 and 8.

The user would have to manually open the USB in Windows Explorer and manually run the infected file in order for this to happen on modern Windows.

Just connecting the USB device on modern Windows would not cause an infection unless the user has manually changed USB autorun settings or failed to apply Windows Updates that disabled USB autorun function.


Thanks. :D
 

OptimusPrime

New Member
Thread author
Verified
Sep 9, 2013
27
Thank you for your reply :)

This is on a Windows 7 in an enterprise environment, Autoplay is on but Autorun is disabled via group policy.

It's a very odd occurrence and has McAfee support team stumped as well. Hopefully a remote session with their engineer will give us more information.

It's very discreet in how it happens, user will plug a USB into a machine and when they access the USB they see all their folders have been modified. The user doesn't actually execute anything which makes it really odd.

I'll hopefully have some more information soon.
 

avkom

Level 3
Verified
Well-known
Jul 29, 2013
111
Did you open Windows Explorer to browse the files in USB? Probably cpl icon loading vulnerability http://technet.microsoft.com/en-us/security/bulletin/MS10-046
 

OptimusPrime

New Member
Thread author
Verified
Sep 9, 2013
27
Yes I'm sure the users would have done that. McAfee have just remoted in and also found a scheduled task that recreates the .js files if they are deleted. Thanks for the MS Article, it's looking like that at the moment.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
You are probably thinking about this infection --> http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AJS%2FProslikefan.C#tab=2

Next time use MCShield, and you will certainly be protected against such threats :)

MCShield Anti-Malware
 

OptimusPrime

New Member
Thread author
Verified
Sep 9, 2013
27
Thanks, that sounds a lot like it. We are using McAfee VSE which was unable to pick up the worm from running. Should have an update that can soon hopefully it deploy mc2shield.
 

Littlebits

Retired Staff
May 3, 2011
3,893
OptimusPrime said:
Thank you for your reply :)

This is on a Windows 7 in an enterprise environment, Autoplay is on but Autorun is disabled via group policy.

It's a very odd occurrence and has McAfee support team stumped as well. Hopefully a remote session with their engineer will give us more information.

It's very discreet in how it happens, user will plug a USB into a machine and when they access the USB they see all their folders have been modified. The user doesn't actually execute anything which makes it really odd.

I'll hopefully have some more information soon.

Possibly one of the users did run a malicious executable file and, if on a shared network, it infected other systems. Another possibility is that one of the systems on the shared network was already infected and the malicious file copied itself to the USB device, which means the infection did not originate from the USB device. With autorun disabled it would be impossible for a malicious file to run on its own. Someone had to execute the process.

Anyway I would definitely recommend MCShield to users that regularly connect unknown USB devices.

Thanks. :D
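Added example (not part of the original thread and not from any product named in it): a read-only triage check for the two symptoms described in the opening post, top-level shortcut files together with a hidden folder holding .js files. The function names, the sample tree and its file names are constructed for illustration; outside Windows a leading dot is assumed to stand in for the hidden attribute.

```python
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit in os.stat().st_file_attributes


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; a leading dot stands in for it elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def triage_drive(root) -> dict:
    """List the two symptoms by name only; nothing on the drive is opened or run."""
    root = Path(root)
    entries = list(root.iterdir())
    shortcuts = sorted(p.name for p in entries
                       if p.is_file() and p.suffix.lower() == ".lnk")
    hidden_script_dirs = {}
    for d in entries:
        if d.is_dir() and is_hidden(d):
            scripts = sorted(p.relative_to(root).as_posix() for p in d.rglob("*")
                             if p.is_file() and p.suffix.lower() == ".js")
            if scripts:
                hidden_script_dirs[d.name] = scripts
    return {"shortcuts": shortcuts,
            "hidden_script_dirs": hidden_script_dirs,
            # Flag only when both symptoms appear together.
            "suspicious": bool(shortcuts and hidden_script_dirs)}


def make_constructed_drive(base, infected: bool) -> Path:
    """Constructed sample tree (empty files, invented names) for the demo."""
    root = Path(base)
    if infected:
        (root / ".hidden_store").mkdir()
        (root / ".hidden_store" / "sample.js").touch()
        for name in ("Documents.lnk", "Photos.lnk"):
            (root / name).touch()
    else:
        (root / "webapp").mkdir()
        (root / "webapp" / "app.js").touch()   # visible folder: not flagged
        (root / "readme.lnk").touch()          # lone shortcut: not flagged
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_drive(make_constructed_drive(tmp, infected=True)))
```

On Windows, pass the root of the removable drive to `triage_drive`; the hidden attribute is then read from the file system rather than inferred from the name.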
 
