I found a USB thumbdrive, plugged it in and now my system won't work. What happened?

Search First! Then browse: Categories | Full Archive | By Date | Newsletter

Home » Hardware » USB and 1394 Interfaces

Summary: USB Thumbdrives or flash drives are a non-obvious but easy way to spread malware. You should be quite careful when dealing with an unknown device.

One day I found a USB thumbdrive and I plugged into my computer. After that I couldn't do most of the stuff on my computer, I couldn't open Help and support center, run MSN, Yahoo messenger, other installed programs, system restore, Internet Explorer. Do I have malware or something of that sort?

Yes, I'll bet you do.

I wanted to address this question because it's not all that obvious to most people that plugging in an unknown USB device can be dangerous, to say the least.

And it's one of the reasons I almost always turn off "autoplay".

•

I vaguely remember an anecdote about a security test performed where USB thumbdrives were left outside around a corporation, as if they'd been mistakenly left behind somehow. Each was infected with some relatively benign malware that would alert some remote site that the drive had been picked up and inserted.

Something like over 50% of the thumbdrives were plugged in and their malware installed.

The lesson is clear: if you want to infiltrate a random corporation, put malware on a number of thumbdrives and drop them around the company's headquarters.

On the other hand, if you're that corporation, you want to make sure that at a minimum your employees are alert to the danger.

"Lesson: don't plug in thumbdrives ... that you're not certain of."

So what's happening here? What is that danger?

In a nutshell: autorun.

You've probably seen it: when you insert a CD-ROM, for example, quite often a program will run automatically. You'll typically see this in product setup CD-ROMs. Encoded on the CD-ROM are a couple of special files that say, in effect, "when the disk is inserted, run this program".

The same is true for USB thumbdrives. They, too, can have auto-run ability.

And to make matters worse, autorun can happen silently.

So it's very simple: a malware author simply creates a USB thumbdrive with malware, and sets it up to auto-run and install the malware silently when the thumbdrive is plugged in. You'd never know until you scanned for viruses or spyware or, as in your case, things stop working as they should.

Lesson: don't plug in thumbdrives (or any "removable media") that you're not certain of. Treat them just like downloads, if you can and at least scan them first.

So how do you scan them if you can't safely plug them in? Turn off auto-play. Once you've done that you can safely insert the device and examine its contents or run anti-malware scans.

Or you can just decide it's not worth the risk, and discard the drive. They're cheap these days, and a malware infestation can be pretty expensive.

Assuming you did decide to look, once you're satisfied that it's safe you can do whatever autoplay would have done by opening the file "autorun.inf" at the root of the drive in notepad and examining the "open=" line.

Most of the time that'll be a setup program, also at the root of the drive.

But as a rule of thumb (no pun intended), I disable auto-play on all my drives. Not only do I find auto-play often annoying, but as you can see there can be significant security risks if you're not careful.

Related:

Ask Leo! - How do I *really* disable auto-play in Windows XP?
Ask Leo! - Can a USB thumbdrive "wear out"?
Ask Leo! - Should I defragment my USB Flash drive?

Article C3319 - March 13, 2008

Recent Comments

9 Comments

Hey Leo,

That autorun article is great. But could you make one on how to disable autorun in Windows Vista for the Vista users.

Thanks Leo and keep up the great work.

Posted by: Dan Warrener at March 14, 2008 6:33 PM

Hi Leo,

Unfortunately this question didn't come early enough to put me on guard. What you're describing happened to me couple of weeks ago and gave me a Trojan Backdoor.win32.Rbot. Later I found the autorun file on my USB/Mp3. I'll try to disable autorun as you mentioned.

But CD-ROMS and DVDs are safe, aren't they? Malware can't launch from them... or am I mistaken?

Thanks

Posted by: 'Leo fan' at March 14, 2008 8:03 PM

Why would ANYBODY put a USB thumbdrive anywhere NEAR their computer if they didn't know what was on it??? The scabs that write all these viruses LIVE for people like that!

Posted by: Carl R. Goodwin at March 14, 2008 8:34 PM

Thankfully Vista won't autorun anything without first prompting.

more info: http://www.worldstart.com/tips/tips.php/3732

Posted by: Chris Buechler at March 15, 2008 11:26 AM

To "Leo fan":

Of course malware can be launched from CDs and DVDs, if there is malware on the media.

Use your favorite search engine and look up "sony rootkit" for a rather infamous example.

Posted by: Ken B at March 17, 2008 10:09 AM

what is the future of pen drive

Posted by: tareq at July 13, 2008 12:04 PM

Great article, Leo. There are some good questions and responses here. I just wanted to add my two cents worth.

It turns out that many people (about 40%) will put an unknown device into their computer, just to see what's on it. I have the evidence, which I have summarized at my site, The Honey Stick Project, at http://www.honeystickproject.com. The site was inspired by the penetration test you mentioned above, and is intended to raise awareness about the risks of using mobile devices, in general.

The technique I use in the project can be useful for measuring the level of security awareness and safe computing habits in an organization. Please drop by and give me your comments.

One other note: As indicated in one of the related article links above, it is possible for a device to be configured to trick a system into bypassing autorun, depending on your system. I have some notes about this on my site, also.

Fascinating site, Scott. Thanks!

- Leo
22-Sep-2008

Posted by: Scott Wright at September 21, 2008 8:34 PM

Some public libraries check out thumbdrives to their patrons. Apparently they don't always check to make sure the drive has been wiped clean by the previous user.
In my case the leftover files were benign to me, but the previous user probably wouldn't be too happy to know his resume and rehab history were left on it for anyone to see!

Moral: make sure the flash drive has been wiped clean before you use it OR return it.

Posted by: Kim at September 30, 2008 11:49 AM

Sir actually i m doing one software. It must be run the program from thumb drive .
so i dontknw the autorun file.inf

Posted by: kuhan at October 19, 2008 6:32 PM

Post a comment on "I found a USB thumbdrive, plugged it in and now my system won't work. What happened?":

Name: (Required) Email Address: (Required) (Email Address will not be published.) Remember Me? YesNo	By popular demand... my tip jar Buy Leo a Latte!
Comments: (you may use HTML tags for style)	Subscribe to the RSS Feed specifically for comments on this article.

Before commenting, please...

Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored.
Comment only on this article. Use the Google search box at the top of the page if you have a question about something else.
Don't include personal information in the comment. No email addresses. No phone numbers. No physical addresses.
Don't ask me to recover lost passwords or hacked accounts. I can't, and those comments will be deleted.

I can't respond to every comment. And I can't vouch for the accuracy of others who do.
Read Why didn't you answer my question? for hints on getting an answer.
By posting a comment you agree to the Terms of Service. Don't agree? Don't post.
Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored. Yes, I'm saying this twice; you'd be amazed.

Please wait. Your comment is being processed ...