How to clean viruses from external drives.

I promised to provide instructions on how to clean your external drives and USB keys in our blog Virus Cleanup Procedure.

An extremely common re-infection path is via USB key or external drive. Many antivirus products do protect these devices, but if you were already infected, the virus has already defeated your antivirus. So read on if your infected computer had a USB key or external drive plugged in!


The most common infection is from a shortcut virus. It recreates everything on your USB drive as a shortcut. You’ll be able to tell from the small shortcut arrow inside the icon. It may be difficult to notice, but it’s fairly easy to clean by formatting the drive.


The other common infection route is via a hidden file on the USB key named Autorun.inf. This file tells your computer what to do when you plug in a USB key. The virus adds instructions to this file telling your computer to run the virus. You can mitigate this threat by disabling automount (see cleaning instructions below).
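Both signs described above, shortcut files in the drive's root folder and an Autorun.inf carrying launch instructions, can be checked with a script that only reads the drive's top-level folder. The following Python script is an added example, not part of the original post; the function names, the sample file content and the file names in it are constructed for illustration.

```python
import sys
from pathlib import Path

# Constructed sample for illustration; not taken from a real infection.
SAMPLE = """; padding comment
[AutoRun]
Open = hidden\\run.exe
icon=folder.ico
shell\\explore\\Command=hidden\\run.exe /e
[other]
open=ignored.exe
"""

def decode(data):
    """Decode UTF-16 if a byte-order mark is present, otherwise as single-byte text."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section that launch a command."""
    hits, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # open= and shellexecute= name a program; shell\<verb>\command= adds a menu action
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                hits.append((key, value))
    return hits

def scan_root(root):
    """Look only at the drive's top level; autorun.inf is read, nothing is executed."""
    report = {"autorun": [], "shortcuts": []}
    for entry in sorted(Path(root).iterdir()):
        name = entry.name.lower()
        if name == "autorun.inf" and entry.is_file():
            report["autorun"] = parse_autorun(decode(entry.read_bytes()[:65536]))
        elif name.endswith(".lnk"):
            report["shortcuts"].append(entry.name)
    return report

if __name__ == "__main__":
    print(scan_root(sys.argv[1]) if len(sys.argv) > 1 else parse_autorun(SAMPLE))
```

Run it with the drive's mount point as the only argument; an empty result for both keys means neither sign was found in the root folder.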


What about more advanced techniques?

Black Hat 2014 featured a talk by security researchers who reprogrammed the USB key’s hardware to make it permanently malicious.

By infecting the USB key at the hardware level, the researchers make it practically unstoppable by antivirus software. The infected device pretends to be a keyboard and mouse, devices not typically recognized by antivirus products as potentially malicious. The video demonstrates the futility of formatting the key to clean it.

This admittedly far more complicated attack should concern major organizations, though the average user is unlikely to be targeted by such an advanced attack. Regardless, one must always be mindful of the potential danger from infected peripheral devices.


What should I do?

Before starting the process one must analyse the organizational risk of reinfection versus the cost of a USB key.

Best option:

  1. Find a friend with a Linux computer.

  2. Ask them nicely to help you clean the virus(es) off your USB drive.

    • fdisk -l to list drives.

    • wipefs -a /dev/sdb to wipe the drive (use the device name that fdisk -l showed for the USB drive; /dev/sdb is only an example).

Windows option:

  1. Disable automount (only proceed if you know what you are doing).

    • Open an administrator command prompt and issue the following commands:

    • diskpart (a builtin disk utility that helps you manage your drives)

    • automount (determine if automount is enabled on your machine)

    • automount disable (disable automount)

    • automount scrub (remove drive letters for previously connected drives)

  2. Open Disk Management.

  3. Insert drive.

  4. Right click it and select Format…