Internet Handholding posted on June 04, 2010 10:06

My customer got a virus from a USB Drive on Windows XP.
He used the USB drive on three computers and all got infected.
We suspect the virus came on the USB drive in the shrink-wrapped package. The USB drive came from China.
Normally these USB drives have a virtual CD drive and the USB drive, but this one was missing the virtual CD.
The root of the USB drive had Autorun.inf, run.exe and I think system.bat. Not sure, because I did not see the USB drive in its original state.
These files had the Hidden and System attributes so they would normally not be seen.
When the USB drive was inserted, it automatically ran the program run.exe and installed mIRC, a chat program.
This connected to microsoftupdate.yi.org.
The virus put a number of files in the root of the C drive and in the Windows folder, added registry keys and started mIRC as a service.
Stopped the mIRC service and removed mIRC via remove programs from the Control Panel.
MalwareBytes.com anti-malware program found and removed some of the files and registry keys, but not all of them.
Sorted the root and Windows folders by Date Created (which you have to add to Windows Explorer by right-clicking in the header area, since normally only Date Modified is shown).
Found some other files that I deleted. The computer seems to be working now.
The root of the C drive had obvious bad files like:
fukfuk.exe
kaka.exe
Here are some of the offending filenames in the Windows folder:
run.exe
system.bat
svcnost.exe
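
A check for the kind of USB root described above, added here as an example and not part of the original post: it reads an Autorun.inf, lists the programs it would launch, and flags root entries that are launched by it or carry both the Hidden and System attributes. The Autorun.inf text and the root listing are constructed samples (the original drive contents were not preserved), and the attribute letters follow what attrib prints (S = System, H = Hidden).

```python
import ntpath

# Constructed samples: an Autorun.inf like the one described above and a
# root listing as (name, attribute letters). Not recovered from the real drive.
SAMPLE_INF = """\
; constructed sample
[autorun]
open=run.exe
shell\\open\\command="run.exe" /s
"""
SAMPLE_ROOT = [("Autorun.inf", "SH"), ("run.exe", "SH"),
               ("system.bat", "SH"), ("photos", "")]

def launch_targets(inf_text):
    """Return lower-cased file names the [autorun] section asks Windows to run."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in ("open", "shellexecute") or is_verb):
            # Keep only the program: quoted path, or first token before arguments.
            prog = value[1:].split('"')[0] if value.startswith('"') else value.split()[0]
            name = ntpath.basename(prog).lower()
            if name not in targets:
                targets.append(name)
    return targets

def triage(inf_text, root_listing):
    """Flag root entries that autorun would launch or that are hidden+system."""
    targets = launch_targets(inf_text)
    findings = []
    for name, attrs in root_listing:
        launched = name.lower() in targets
        concealed = "S" in attrs and "H" in attrs
        if launched or concealed:
            findings.append((name, launched, concealed))
    return findings

if __name__ == "__main__":
    for name, launched, concealed in triage(SAMPLE_INF, SAMPLE_ROOT):
        print(f"{name}: launched_by_autorun={launched} hidden_system={concealed}")
```
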
By Andrew Weitzen (c) 2010
Weitzen is the publisher of several online Internet journals including: InternetHandholding.com, DomainNames.gs, DotNetNuke.bz, Programmer.bz, Software.vg, WebHosting.vg