In yesterday's Huntsville Times Steve Campbell reported that computer viruses had nearly shut down the Huntsville City schools. Teachers couldn't use their prepared computer lessons, student attendance could not be tracked, and lunch room accounts could not be accessed because of the virus.
Update: We've now received a working copy of the virus that infected the Huntsville schools. The virus is known as "Sality". A VirusTotal report is available here:
Reported Detection of Sality.
Here's McAfee's Description of W32/Sality.AI, which was first detected August 5th. This is actually detected as W32/Sality.AG, which is described in more detail HERE. Neither version matches exactly what we are seeing. "SafeMode" is eliminated by deleting your non-primary "ControlSets" from the Registry. Registry Editing and Task Manager are disabled with keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. A kernel-mode driver being loaded in the SYSTEM.INI is responsible for blocking the execution of most anti-virus products. Editing the SYSTEM.INI can eliminate that problem. Two randomly named .exe files are placed in the current users \Documents and Settings\(user)\Local Settings\Temp. The bigger problem is that several .exe files located in \Windows\System32\ are modified so that their execution re-invokes the whole set of affairs. To make it worse, these files are then set to be invoked when other files are called, by doing things such as infecting "WinMine.exe" or "Notepad.exe" and then making it the default debugger for your system. These files will have to be recovered from safe media.
The "Sality Removal Tool" offered by AVG was written in December of 2007 and is totally ineffective against the current version of Sality in our experience. We are continuing to test other methods of disinfection. When we have more advice we'll update it here.
Virus researchers at UAB Computer Forensics have been looking at these types of viruses, called "USB Jumpers", since January and have been amazed that there hasn't been a devastating outbreak earlier.
While many viruses spread via email or by visiting infected webpages, this network spreads by network connections and via "USB Thumb Drives".
When a USB drive is inserted into a computer, the computer scans the drive for an "AutoRun.inf" file. If the AutoRun.inf file is present, the computer does whatever it is told to do.
If a stranger (or a student, in this case) gives you a USB thumb drive and you stick it into the computer, the default setting on any Windows computer is to execute that AutoRun sequence.
The way this family of viruses, which we call "USB Jumpers", works is that they modify the AutoRun.inf file to execute a copy of the virus, which is often present on the thumbdrive as a "hidden file" called "Setup.exe".
Once a computer is infected, every thumb drive inserted into that computer will be updated to also be a USB Jumper. So, if a teacher has students turn in their homework on USB sticks, the first student may give the teacher an infected thumb drive. The teacher then also gathers homework from all of the other students. As each student's thumb drive is inserted into the teacher's computer, it also becomes infected, and can now be used to spread the virus to their home computer or other teachers' computers.
Once a trusted computer on a network is infected, the infection can spread quickly to every other computer on the network, especially if an Administrator logs in to the computer. When someone with "Domain Administrator" privileges logs in to the computer, the virus on that computer now has "Administrator privileges" on the entire network. When the virus realizes it is an Administrator, it attempts to open a "network share" with every other computer on the network. If the share is successful, it will copy itself to the setup routines on the remote computer, and then close the connection.
This is especially devastating! When a computer is first infected, the infection is limited to the local machine and to USB drives inserted into that computer -- but the person who is called from the IT Department to remove the virus will almost certainly log in with "Administrator" access to remove the virus. As soon as that happens, every machine on the network can be infected within a matter of seconds.
Bringing the Virus Home
Whether you have a student in the house, or whether you have a family member who works in the school system, if they bring home a USB drive which has been used in a school computer, there is a chance that they are bringing a virus home with them as well. From there, a USB drive can easily spread the virus to Mom and Dad's work computers.
How do you stop it? Step One is to turn off AutoRun.
On your Windows computer, click "Start", then Run, and type
"gpedit.msc". This is the Group Policy Editor.
Follow the menus:
Local Computer Policy -> Computer Configuration -> Administrative
Templates -> System
Then choose the item Turn off Autoplay.
Double click it, and choose "Enabled" for "All Devices".
There is a downside to taking this action. Once this protection is enabled, CDs will not automatically try to play themselves when inserted. You will have to launch the application, or your music player, manually. If you do not use USB drives and you do like the convenience of "autoplaying" CDs you may not want to take these steps.
If you do use your USBs in stranger's computers (even at school or work!) that is a small inconvenience to pay for this level of protection.
UPDATE Regarding PIF Files
W32/Sality will write itself to USB drives using one of the following file extensions. ".cmd", ".exe", ".pif". While the advice above is effective on most copies - if the drive contains a ".pif" extension, there is further danger. Browsing a folder containing a ".pif" from Active Desktop (the default in Windows XP) is enough to invoke the virus. If you are unsure if your USB drive has a hidden .pif, go to a DOS Windows (Start=>Run=>CMD). Then do a directory listing to show hidden files. So, if your USB is on the "E:" drive, the command would be "dir e: /ah". If a hidden .pif file exists, it should be deleted.
dir e: /ah
attrib -h -s e:\badfile.pif
Interested in malware? I spoke last week at "Tech Mixer University" on the topic of "Investigating Malware". My presentation is available on my UAB Computer Forensics page.
Director of Research
UAB Computer Forensics