Malware invaded USB flash drive

Discussion in 'Software' started by dlb, May 30, 2008.

  1. dlb

    dlb MajorGeek

    I work on lots of malware/virus infected PCs on a regular basis. I also use my USB flash drive on these PCs on a regular basis. I have often wondered if a virus could jump on to the flash drive, but in over 2 years of use, it had never happened, until a couple days ago. My flash drive has an abundance of excellent tools for malware removal, PC maintenance, process management, and the like, so I use it on almost every PC I work on. I don't know which PC I plugged it into that infected the drive, but at one point I plugged it into a PC and got an error message that "autorun.exe had encountered an error" and I thought to myself "there's no autorun.exe on the drive" but I didn't think about it too much and chalked it up to the fact that the PC was jacked up (it was really jacked up). So I continued along happily... I plugged it into another PC and got the same message. The next few PCs I plugged it into, the message didn't come up so I kind of forgot about it. Then I got home and plugged it into my personal home PC, my refuge, my 'baby', and instantly AntiVir popped up and Online Armor popped up telling me that "autorun.exe" was infected. I started freaking out! I tried to delete the file through Windows Explorer, couldn't do it. AntiVir and Online Armor are screaming to block/delete the file. They couldn't delete it, but it was blocked temporarily, Windows firewall even popped up asking if it should be blocked or not. I was really freaking out. I tried to open a command prompt to delete the file from there and I got the message "cmd.exe is not a recognized.... choose a program to open cmd.exe with".... I tried msconfig to see if the malware had added itself there; again the message "what do you want to open msconfig.exe with?". At this point I totally freaked out, hit the PC reset button and yanked the USB drive. All of the above took less than 90 seconds. During that time AntiVir had opened probably 15 warning windows for "autorun.exe".
    So I hit reset, started the PC in safe mode, and ran full scans. Everything was clean. I emptied the system restore cache, and ran several file cleaners (like CCleaner) to make sure nothing had jumped in as a .tmp file which many of the newer malwares seem to do these days. I then warily plugged in the USB drive, and promptly deleted "autorun.exe" and its companion "autorun.inf". I may format the USB drive today, I haven't decided yet. I rebooted in normal mode, and noticed that some things were missing from the system tray; the AntiVir icon, my NVidia control panel icon, the Comodo BOclean icon, basically everything that wasn't put there by Windows. I checked the processes and the programs were loaded and running, they just had lost their system tray icons. I was able to fix all of those (except the nVidia icon which I never used anyway). Another couple of full AV scans later (again all was clean) and everything is OK. I have not plugged the USB drive in again yet; I'll do that at work on a PC I can reformat if needed. I'm not in need of help here, I'm just passing along a story which may be of interest to some of you. This appears to be either a new virus/infection, or a fairly old one. I had never seen this particular type of infection before. When a storage device is installed in a PC (external hard drives, flash drives, even CD discs) Windows looks for an "autorun.inf" file that tells Windows what to run when the device/disc is inserted. The .inf file usually has one or two lines of "code" and the main action commonly looks like this:
    open = autorun.exe
    Basically, it tells Windows: "when this device/disc is inserted, run the program called 'autorun.exe'". The malware I had dumped both the .exe and the .inf on the drive, so every time the device was plugged into any PC, the autorun.exe would launch. Luckily, it didn't run successfully on most PCs, and the PCs where it did run were fully scanned and cleaned after the drive had been removed, so they're all clean. Anyway, I guess I do have a question after all of this.... How do I protect my USB drive from this happening again? Is there a way to write protect it so that any new file that attempts to get saved to the drive will pop up a prompt for permission?

    Thanks!
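
    Added example, not part of the original post: a small Python check that reads the autorun.inf in a drive's root, lists the entries that make Windows launch a program (such as the `open = autorun.exe` line described above), and reports whether the named file is present. The function names are hypothetical and the sample drive contents are constructed in a temporary directory.

```python
import os
import tempfile

# Keys in the [autorun] section that name a program for Windows to launch.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lower-cased)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_commands(entries):
    """Keep only the entries that cause a program to run."""
    return {k: v for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}

def audit_drive_root(root):
    """List (key, command, target_present) for each launch entry in root/autorun.inf."""
    # Match file names case-insensitively, as Windows does.
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), encoding="latin-1") as fh:
        commands = launch_commands(parse_autorun(fh.read()))
    findings = []
    for key, value in commands.items():
        # Simplification: the target is the first word of the command.
        target = value.split()[0].strip('"') if value else ""
        findings.append((key, value, target.lower() in names))
    return findings

def demo():
    """Constructed sample: a temp directory standing in for the drive root."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\nopen = autorun.exe\nicon=drive.ico\n"
                     "shell\\explore\\command = autorun.exe /e\n")
        open(os.path.join(root, "autorun.exe"), "wb").close()  # empty placeholder
        return audit_drive_root(root)
```

    Calling `audit_drive_root` on the drive's root path from a machine that does not act on autorun.inf shows what the file would launch before the drive goes into a Windows PC.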
     
  2. dlb

    dlb MajorGeek

    Thanks for the link.... very informative. It describes the exact same scenario I dealt with where the worm wrote an autorun.inf and .exe to the USB root so it would run every time I inserted the drive. I was thinking.... couldn't I create my own autorun.inf and .exe and set them to read only, that way if another virus tried this same attack, the files would be there already as read only, and a request would pop up for "do you want to overwrite this file?". I'm going to research it a bit and see what's up....

    Thanks again.
     
  3. Cat_w_9_lives

    Cat_w_9_lives Major KittyCat

    Think their was a thread about this awhile back but sorry I can't remember who posted it.
     
  4. Cat_w_9_lives

    Cat_w_9_lives Major KittyCat

    *there and think it was in malware forum.
     
  5. Grayfox

    Grayfox Private E-2

    Ouch, I get these malware PCs every day, most having weak pop-up adware like Starware, Google Toolbar, etc.

    I have never had crapware come from those PCs to mine......YET
     
