Cleaning malware while travelling: A case study

I have been on the road for the past few months and using plenty of Internet Cafes for all my digital endeavours. As I result the USB sticks I use to save my pictures, documents etc while I travel have been infected with all sorts of malware.

Malware that is obvious is the least dangerous kind. It means its creators are not organised or skilled enough. The truly worrisome malware is invisible. You don´t know you have it, but it quietly monitors all your actions.

So I was intrigued when my USB stick started displaying typical silly malware behaviour. The folder icons in Windows changed – they were not “shortcuts to folders”, but really they pointed to executables somewhere deep in System32 that would do its nastiness and then show you the contents of the intended folder. Other than that, everything looked normal.

Well, it was obvious malware was there and the USB stick was infected. Antivirus software installed in public Internet Cafe PCs could not detect or clean it, so I had the pleasure of doing it manually. Here is how:

  1. Get a system you can trust not to lie to you – to show you the absolute truth and nothing but the truth. A pristine Linux installation does just that, and unless you happen to have a netbook with Linux installed with you while travelling, creating a bootable Ubuntu Linux CD or USB stick is your best bet. The computers I had access to were ancient and could not boot (start) from a USB stick, so I had to create a bootable Ubuntu CD following the steps detailed at http://www.ubuntu.com/download/ubuntu/download
  2. Now you are using a computer you can trust. Plug in the infected USB stick. You will probably see all sorts of new files there, stuff you haven´t put there. Delete it one by one. In my case I had filenames starting with “._”, others starting with dot-space, all sorts of tricks that will make files harder to view and control in Windows or Macintosh machines. After you have deleted all files that don´t belong to you, check for an autorun.inf that tries to execute the malware when the USB is connected to a computer. If it´s there, either edit out the malware items or simply delete it (which is what I did).
  3. Next, I had a surprise waiting for me as I connected the now clean USB stick to a Windows computer – I could still not see my original folders! The reason is that the malware had hidden the folders by changing their attributes to /system and /hidden – so Windows Explorer does not display them by default. This can be corrected from a Command Prompt (Start -> Run -> cmd) by changing directories onto the USB stick and using the “attrib” command. My original folders were “pics”, “stuff”, “maps”, “portable”, “truecrypt”  etc so I issued the following commands to mark them as NOT hidden and NOT system folders:
  • attrib -H -S /D /S pics
  • attrib -H -S /D /S stuff
  • attrib -H -S /D /S maps
  • attrib -H -S /D /S portable
  • attrib -H -S /D /S truecrypt

Et voila! All was visible, usable and normal again.

Goodbye silly piece of malware!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s