ERROR: File not found: C:\MS32DLL.dll.vbs.
* This was over a year ago, so the actual error message might've been slightly different. I'm just writing it from memory.
Now this looked really suspicious for multiple reasons:
1) Windows by default hides extensions to known file types. This means that the file would normally show up as MS32DLL.dll, which would appear to be a legitimate file.
2) The .vbs extension is for VBScript files. What is a VBScript file doing in the root of the hard drive?
3) Why is Explorer trying to execute it when the drive is opened?
I right-clicked on the C: drive, and clicked "Explore". Sure enough, after enabling showing hidden and operating system files, there were two very suspicious-looking files: autorun.inf and MS32DLL.dll.vbs.
Autorun files are only supposed to be used in removable media, like installation CDs. The fact that this was on the hard drive was incredibly suspicious. I deleted it, and opened the VBS file in Notepad. Of course, it was malicious. Using Windows API registry functions, it enabled the Autorun feature and copied itself onto every drive on the system every two minutes, and set itself to be executed on every startup. It also modified the user's home page, among other annoying things.
So, basic lesson to learn from this:
1) DISABLE AUTORUN. This will stop a lot of viruses from spreading from one drive to the other. You can do this by opening regedit.exe and modifying the following key:
There should be an entry with the name NoDriveTypeAutorun. Set it to 0x95 to disable autorun on everything but CD drives, or 0xB5 (the letter 'B', not the number '8') to disable it on all drives.
Note: the following menu commands are for XP and previous versions. Vista has a different menu, which I forget at the moment. I'll edit this as soon as I find it.
2) Enable viewing hidden files. In Explorer or My Computer, go to Tools > Folder Options > View and select "Show hidden files and folders." If you want, you can disable hiding operating system files as well, but I don't really think it's necessary unless you suspect you have a virus.
3) Disable hiding file extensions. You have no idea how many viruses depend on this for hiding, especially email viruses. Again in Explorer or My Computer, go to Tools > Folder Options > View and uncheck "Hide file extensions for known types."
5) Keep a close eye on what you stick in your computer. If you're sticking in a questionable flash drive, check the root directory first either through the DOS prompt or Explorer, not My Computer, as it will execute whatever autorun script is there.
Edited by dargueta, 29 August 2009 - 08:23 AM.