Ran into my 1st USB virus yesterday

So,

I don't know if you guys know, but I do computer helpdesk work for a living. I have been doing it for almost a full year now. Yesterday, a user called up saying they couldn't access their thumb drive. This is not out of the ordinary as we have several network drives that take up drive letters, preventing thumb drives from being recognized. Usually changing the drive letter in Disk Management does the trick.

However, this incident was different. When the user inserted the thumb drive into the port, autoplay would come up and she could open the folder through that method. However, if she closed the window and tried to open or explore the drive from My Computer later on, it would pull up an "Open With" window, but would never allow her to save it as "Always use the selected program" with Windows Explorer (what I used). So, I knew at this point, something was wrong. And my first assumption was that there was an autorun.inf file causing problems. But it was hidden as a protected operating system file. Upon unhiding and opening the autorun file, it referenced a random exe file name m9ma.exe and had all sorts of gibberish in it. I knew at this point that this was some sort of malware. I looked throughout the drive for that executable file but could not find it. So I figured Symantec might have detected and removed it. And it did; it was in Symantec's quarantine from earlier in the day when she first tried to use the thumb drive. It recognized the virus as W32.Gammima and quarantined it appropriately. However, the autorun file itself was NOT a virus, so Symantec did not quarantine it, but the file was still causing havoc. To fix this, I deleted the autorun file, removed the thumb drive and inserted it back; everything was back to normal.

Crazy!

Symantec: W32.Gammima Summary
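An added example, not part of the original post: a small Python checker for the pattern described above, an autorun.inf whose launch entries point at an executable that antivirus has already quarantined, leaving the .inf behind to break Explorer. The sample file contents, the junk padding and the file list are constructed for the example; only the name m9ma.exe comes from the post.

```python
"""Flag autorun.inf launch entries on a removable drive and check whether their targets still exist."""
import os
import re

# Keys Explorer acts on when a drive is inserted or opened: open=, shellexecute=, shell\<verb>\command=
LAUNCH_PATTERN = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def parse_autorun(text):
    """Return {key: value} for launch entries in the [autorun] section.
    Lines that are not key=value (the 'gibberish' padding seen in the post) are skipped."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";"):
            continue
        m = LAUNCH_PATTERN.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def program_name(value):
    """First token of a launch value, without quotes or arguments: '"m9ma.exe" /s' -> 'm9ma.exe'."""
    return value.strip('"').split()[0].strip('"').lower()

def assess(text, present_files):
    """Summarize what the file would launch; a missing target is the post's case (exe quarantined, inf left)."""
    entries = parse_autorun(text)
    present = {f.lower() for f in present_files}
    targets = sorted({program_name(v) for v in entries.values()})
    return {"launch_keys": sorted(entries), "targets": targets,
            "missing_targets": [t for t in targets if t not in present],
            "suspicious": bool(targets)}

def check_drive(root):
    """Run the assessment against a mounted drive root such as 'E:\\' or '/media/usb'; None if no autorun.inf."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.exists(inf):
        return None
    with open(inf, "r", errors="replace") as fh:  # junk bytes must not abort the check
        text = fh.read()
    files = [os.path.relpath(os.path.join(d, f), root) for d, _, fs in os.walk(root) for f in fs]
    return assess(text, files)

# Constructed sample in the shape described in the post: launch keys plus padding lines.
SAMPLE_INF = r"""[autorun]
;kX2p@!qz(constructed junk padding)
open=m9ma.exe
shell\open\Command=m9ma.exe
shell\explore\Command=m9ma.exe
icon=m9ma.exe,0
"""
```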

Have a look at:

http://siri-urz.blogspot.com/2009_02_01_archive.html

SmitFraudFix:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

How is this relevant???

Below is a discussion on autorun.inf and I also use Flash Disinfector on all my drives.

Quietman Over At Elder Geek's

Diskheal is an app that can set drives back to default settings after an infection.

Both Flash Disinfector and Diskheal get hits over at Virus Total but I have been told that they are false positives.

Flash Disinfector is very good. It's what we use in the malware removal community when dealing with USB infections.