Handling viruses (USB flash drive) and autorun.i in USB flash drive:

2021-08-07 11:41

Autorun.inf has existed for a long time. On Windows systems before WinXP (such as Win98 and Win2000), a CD or USB flash drive that should run automatically on insertion relies on autorun.inf. The file is stored in the root directory of the drive (as a hidden system file). It holds a few simple commands that tell the system which program to start automatically for the newly inserted CD or hardware. It can also tell the system to change the drive's icon to an icon at a given path. In itself, therefore, this is a conventional and legitimate file and technique.
Virus authors can use the automatic behaviour of autorun.inf to make removable devices "automatically" execute any command or application without the user knowing. Through autorun.inf you can launch normal programs, such as the teaching CDs we often use, which install or start a demonstration as soon as they are inserted into the computer; any malicious content can be launched in the same way.


1. How USB flash drive viruses currently hide:


With a startup method in place, the virus author still needs to put the virus body on the CD or USB flash drive for it to run. If it sat openly on the USB flash drive, the user would find and delete it (even a user who does not know it is a virus will delete an unknown file that is not their own). The virus is therefore hidden somewhere that cannot be seen under normal circumstances.
One way is a fake recycle bin: the virus usually creates a "recycler" folder on the USB flash drive and hides itself in a deep directory beneath it. Most people take this for the recycle bin. In fact, the name of the recycle bin is "recycled", and the icons of the two are different.
The other way is to fake anti-virus software: the virus places a program on the USB flash drive and names it "ravmone.exe", which is easily taken for Ruixing's (Rising's) program but is actually a virus.
Some people may ask: why can you see these files on your machine when I can't see them on mine? The reason is simple. A normally installed system hides some folders and files by default, and the virus disguises itself as system folders, hidden files and so on, so of course it cannot be seen under normal circumstances. What do you do to see the hidden files? If you want to do it yourself, follow the steps below.
Step: open My Computer, click Tools on the menu bar, click Folder Options, and in the dialog box that appears select the View tab.
If the USB flash drive contains the virus described above, there is one more symptom: the right-click menu of the USB flash drive shows extra items.
In the figure above, the left side shows the USB flash drive with the virus: the right-click menu has extra items such as "auto play", "open" and "browser". The right side shows the drive after disinfection, without these items. Note: for any removable media with an autorun.inf, CDs included, an "auto play" item in the right-click menu is normal.
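To see what an autorun.inf on a drive would launch and which right-click items it adds, without clicking anything, the file can be read as plain text. The following is an added example, not part of the original post; the sample file content is constructed, and the keys used (`open`, `shellexecute`, `shell\<verb>`, `shell\<verb>\command`) are the standard `[autorun]` entries.

```python
import re

# Constructed sample for illustration; not taken from a real drive.
SAMPLE = r"""
[AutoRun]
@@ junk line without an equals sign
open=ravmone.exe
icon=folder.ico
shell\open=Open(&O)
shell\open\command=ravmone.exe
shell\explore\command = RECYCLER\ravmone.exe
"""

LAUNCH_KEYS = ("open", "shellexecute")                 # run when AutoRun fires
MENU_CMD = re.compile(r"^shell\\([^\\]+)\\command$")   # right-click verb -> command


def parse_autorun(text):
    """Return {key: value} of the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """List (kind, name, command) for every entry that starts a program."""
    entries = parse_autorun(text)
    findings = [("autorun", k, entries[k]) for k in LAUNCH_KEYS if k in entries]
    for key, command in entries.items():
        match = MENU_CMD.match(key)
        if match:
            verb = match.group(1)
            # The menu caption is stored under shell\<verb>; fall back to the verb.
            findings.append(("menu", entries.get("shell\\" + verb, verb), command))
    return findings


if __name__ == "__main__":
    for kind, name, command in audit_autorun(SAMPLE):
        print(f"{kind:8} {name:10} -> {command}")
```

Every "menu" finding is a right-click item whose command comes from the drive rather than from Windows, which is why the menu of an infected drive looks different.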

2. To sum up:

At present, USB flash drive viruses get in through autorun.inf;
Autorun.inf itself is a normal file, but it can be used for malicious operations;
Different people can plant different viruses through autorun.inf, so we cannot simply say which virus it is: it can be any virus, Trojan, hacker program, etc.;
Generally, a USB flash drive should not have an autorun.inf file;
If you find an autorun.inf on the USB flash drive that you did not create yourself, delete it and scan for viruses as soon as possible;
If there are files that look like the recycle bin, Rising files and so on, and you can confirm that they were not created by you by comparing them with the recycle bin name and the genuine Rising name on the hard disk, delete them;
It is also generally recommended not to double-click the USB flash drive after inserting it. A better trick: before inserting the USB flash drive, press and hold the Shift key, then insert the drive, and keep the key held down for a while. After insertion, right-click the USB flash drive and select "Explorer" to open it.
Note: some USB flash drive manufacturers also use autorun.inf for their own feature design, so that users can run the manufacturer's feature programs. It has been confirmed that some manufacturers do use this method, so it is recommended to identify the USB flash drive first or consult the sales personnel.


3. The solution for the ravmone.exe virus:


Someone found a virus on her USB flash drive: KV reported a ravmone.exe file, which is also the most classic USB flash drive virus...
After the ravmone.exe virus runs, a process with the same name appears, and the program does not seem to be significantly harmful. The program is 3.5 MB in size and seems to be written in Python. It generally occupies about 19-20 MB of memory. It is hidden as a system file in the Windows directory and automatically added to the system startup items. The log file it generates often contains various six-digit numbers. It may be stealing account passwords or the like, but because the suspected virus file is so large, it generally spreads with removable storage.
Solution:


1. Open Task Manager (Ctrl + Alt + Del, or right-click the taskbar) and end all ravmone.exe processes.
2. Go to C:\windows and delete ravmone.exe.
3. In C:\windows, run regedit.exe and, in the left pane, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. You can see that the value on the right is c:\windows\ravmone.exe; delete it.
4. After that, the virus is cleared.
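Step 3 can be checked from a script instead of by eye in regedit. The following is an added example, not part of the original post: it reads the values of the Run key named above and reports those whose executable is called ravmone.exe. The sample values and the `ExampleAV` path are constructed; `read_run_key` works only on Windows.

```python
import ntpath

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TARGET = "ravmone.exe"  # file name given on the page

# Constructed sample of Run values (value name -> command line).
SAMPLE_RUN = {
    "RavAV": r"c:\windows\ravmone.exe",
    "RavMon": r'"C:\Program Files\ExampleAV\ravmon.exe" -system',
    "Updater": r"C:\Program Files\Vendor\update.exe /background",
}


def command_executable(command):
    """Extract the executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: cut after the first ".exe" so paths with spaces survive.
    idx = command.lower().find(".exe")
    return command[:idx + 4] if idx != -1 else command.split(" ", 1)[0]


def flag_run_entries(values, target=TARGET):
    """Return the names of Run values whose executable file name is target."""
    return sorted(name for name, cmd in values.items()
                  if ntpath.basename(command_executable(cmd)).lower() == target)


def read_run_key():
    """Read the HKEY_LOCAL_MACHINE Run values (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        rows = (winreg.EnumValue(key, i) for i in range(count))
        return {name: str(data) for name, data, _type in rows}


if __name__ == "__main__":
    try:
        values = read_run_key()
    except ImportError:      # not on Windows: fall back to the sample
        values = SAMPLE_RUN
    print(flag_run_entries(values))
```

The comparison is on the exact file name, so a value pointing at ravmon.exe is not reported.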


4. How to remove the virus from a USB flash drive:


If a removable storage device is infected, open Folder Options, untick "Hide protected operating system files", select "Show hidden files and folders" and click OK. You will then see the following files on the removable storage device: autorun.inf, msvcr71.dl, ravmone.exe, and a file with the suffix TMP, which can also be deleted. Once they are deleted, the virus is cleared.

However, from my own experience with the above method of dealing with viruses on a USB flash drive, I would add a small supplement: when deleting autorun.inf, msvcr71.dl and ravmone.exe, you may not be able to delete them directly. First go to process management and end ravmone.exe, then delete these three files. If that does not work, delete them in safe mode, and that will do.
Don't think this is a minor virus. It runs unnoticed in the background, occupies almost 20 MB of your memory for a long time and starts with the system. It can make your computer freeze for no apparent reason. I believe this virus is very common on public computers, such as those in schools and companies. Formatting the USB flash drive does not work against this virus, and many anti-virus programs are no use either.


Normally you can't see it. If you don't believe it, insert the USB flash drive into the computer and untick "Hide protected operating system files" in Folder Options to have a look. You may see three more unidentified files, and then you've been hit! Check your USB flash drive sometime! Good luck! Note: if the process is ravmon.exe, it should be Ruixing's program and not a virus!
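The check of the drive root described in this section can also be done from a script, which lists hidden and system entries regardless of the Folder Options setting. The following is an added example, not part of the original post: the names it looks for are the ones listed above, the drive root it scans in `demo` is a constructed temporary folder, and the attribute test only has an effect on Windows.

```python
import os
import tempfile

HIDDEN, SYSTEM = 0x2, 0x4                  # Windows hidden / system attribute bits
LISTED = {"autorun.inf", "ravmone.exe"}    # file names given on the page


def scan_drive_root(root):
    """Return sorted (name, reasons) for entries directly under root to review."""
    hits = []
    for entry in os.scandir(root):         # includes hidden and system entries
        name, reasons = entry.name.lower(), []
        info = entry.stat(follow_symlinks=False)
        attrs = getattr(info, "st_file_attributes", 0)   # 0 when not on Windows
        if attrs & HIDDEN and attrs & SYSTEM:
            reasons.append("hidden+system attributes")
        if entry.is_dir(follow_symlinks=False):
            if name == "recycler":
                reasons.append("folder name described on the page")
        elif name in LISTED or name.startswith("msvcr71.dl"):  # page spells it msvcr71.dl
            reasons.append("file name listed on the page")
        elif name.endswith(".tmp"):
            reasons.append("TMP file in the drive root")
        if reasons:
            hits.append((entry.name, reasons))
    return sorted(hits)


def demo():
    """Build a constructed drive root in a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for fname in ("autorun.inf", "RavMonE.exe", "a1b2.tmp", "notes.txt"):
            open(os.path.join(root, fname), "w").close()
        os.mkdir(os.path.join(root, "RECYCLER"))
        os.mkdir(os.path.join(root, "photos"))
        return scan_drive_root(root)


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", ", ".join(reasons))
```

On a real drive, call `scan_drive_root` with the drive letter, for example `scan_drive_root("E:\\")`; each hit is something to look at, not proof of infection.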