
I found a USB thumbdrive, plugged it in and now my system won't work. What happened?

One day I found a USB thumbdrive and I plugged it into my computer. After that
I couldn’t do most of the stuff on my computer, I couldn’t open Help and
support center, run MSN, Yahoo messenger, other installed programs, system
restore, Internet Explorer. Do I have malware or something of that sort?

Yes, I’ll bet you do.

I wanted to address this question because it’s not all that obvious to most
people that plugging in an unknown USB device can be dangerous, to say the
least.

And it’s one of the reasons I almost always turn off “autoplay”.

I vaguely remember an anecdote about a security test performed where USB
thumbdrives were left outside around a corporation, as if they’d been
mistakenly left behind somehow. Each was infected with some relatively benign
malware that would alert some remote site that the drive had been picked up and
inserted.

Something like over 50% of the thumbdrives were plugged in and their malware
installed.

The lesson is clear: if you want to infiltrate a random corporation, put
malware on a number of thumbdrives and drop them around the company’s
headquarters.

On the other hand, if you’re that corporation, you want to make sure that at
a minimum your employees are alert to the danger.

So what’s happening here? What is that danger?

In a nutshell: autorun.

You’ve probably seen it: when you insert a CD-ROM, for example, quite often
a program will run automatically. You’ll typically see this in product setup
CD-ROMs. Encoded on the CD-ROM are a couple of special files that say, in
effect, “when the disk is inserted, run this program”.

The same is true for USB thumbdrives. They, too, can have auto-run
ability.

And to make matters worse, autorun can happen silently.

So it’s very simple: a malware author simply creates a USB thumbdrive with
malware, and sets it up to auto-run and install the malware silently when the
thumbdrive is plugged in. You’d never know until you scanned for viruses or
spyware or, as in your case, things stop working as they should.

Lesson: don’t plug in thumbdrives (or any “removable media”) that you’re not
certain of. Treat them just like downloads if you can, and at least scan them
first.

So how do you scan them if you can’t safely plug them in? Turn off auto-play.
Once you’ve done that you can safely insert the device and examine its contents
or run anti-malware scans.

Or you can just decide it’s not worth the risk, and discard the drive.
They’re cheap these days, and a malware infestation can be pretty
expensive.

Assuming you did decide to look, once you’re satisfied that it’s safe you
can do by hand whatever autoplay would have done: open the file “autorun.inf” at
the root of the drive in Notepad, examine the “open=” line, and run the program it names.

Most of the time that’ll be a setup program, also at the root of the
drive.
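
The same inspection can be scripted. The sketch below is an added example, not part of the original article: it parses the text of an autorun.inf, lists every entry that would launch a program, and marks whether the target sits at the drive root. It goes slightly beyond the “open=” line by also reporting the `shellexecute=` and `shell\<verb>\command=` keys; the sample file contents and function names are constructed for illustration.

```python
import ntpath

# Keys in the [autorun] section that directly name a program to start.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample text (assumption), not taken from a real drive.
SAMPLE = """\
; constructed sample autorun.inf
[AutoRun]
open=setup.exe /s
icon=setup.exe,0
label=My Drive
shell\\explore\\command=RECYCLER\\svc.exe
"""

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_commands(entries):
    """List (key, command) pairs that would start a program."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]

def review(text):
    """Report each launch command and whether its target is at the drive root."""
    report = []
    for key, cmd in launch_commands(parse_autorun(text)):
        # First whitespace-separated token; quoted paths with spaces are not handled.
        target = (cmd.split() or [""])[0]
        at_root = ntpath.dirname(target) == ""
        report.append({"key": key, "command": cmd, "at_root": at_root})
    return report

if __name__ == "__main__":
    for item in review(SAMPLE):
        print(item)
```

On a real drive, pass in the text of the autorun.inf read from the drive's root, with autoplay already turned off; a launch target outside the root is worth a closer look before running anything.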

But as a rule of thumb (no pun intended), I disable auto-play on all my
drives. Not only do I find auto-play often annoying, but as you can see there can be
significant security risks if you’re not careful.

18 comments on “I found a USB thumbdrive, plugged it in and now my system won't work. What happened?”

  1. Hey Leo,

    That autorun article is great. But could you make one on how to disable autorun in Windows Vista for the Vista users.

    Thanks Leo and keep up the great work.

  2. Hi Leo,

    Unfortunately this question didn’t come early enough to put me on guard. What you’re describing happened to me a couple of weeks ago and gave me a Trojan Backdoor.win32.Rbot. Later I found the autorun file on my USB/Mp3. I’ll try to disable autorun as you mentioned.

    But CD-ROMS and DVDs are safe, aren’t they? Malware can’t launch from them… or am I mistaken?

    Thanks

  3. Why would ANYBODY put a USB thumbdrive anywhere NEAR their computer if they didn’t know what was on it??? The scabs that write all these viruses LIVE for people like that!

  4. To “Leo fan”:

    Of course malware can be launched from CDs and DVDs, if there is malware on the media.

    Use your favorite search engine and look up “sony rootkit” for a rather infamous example.

  5. Great article, Leo. There are some good questions and responses here. I just wanted to add my two cents worth.

    It turns out that many people (about 40%) will put an unknown device into their computer, just to see what’s on it. I have the evidence, which I have summarized at my site, The Honey Stick Project, at http://www.honeystickproject.com. The site was inspired by the penetration test you mentioned above, and is intended to raise awareness about the risks of using mobile devices, in general.

    The technique I use in the project can be useful for measuring the level of security awareness and safe computing habits in an organization. Please drop by and give me your comments.

    One other note: As indicated in one of the related article links above, it is possible for a device to be configured to trick a system into bypassing autorun, depending on your system. I have some notes about this on my site, also.

    Fascinating site, Scott. Thanks!

    – Leo
    22-Sep-2008
  6. Some public libraries check out thumbdrives to their patrons. Apparently they don’t always check to make sure the drive has been wiped clean by the previous user.
    In my case the leftover files were benign to me, but the previous user probably wouldn’t be too happy to know his resume and rehab history were left on it for anyone to see!

    Moral: make sure the flash drive has been wiped clean before you use it OR return it.

  7. At least Microsoft has finally partially recognised the problem. There’s a fairly recent update that is supposed to disable autoplay for all drives except CDs and DVDs. Mine is disabled anyway, but that should be the default for ALL drives.

  8. One other possibility Leo. It could be that the flash drive is a U2 running a cut down version of the OS which is why some of the stuff he runs won’t run; i.e., not malware.

  9. To view this problem another way, does anyone know of a way of automatically running various protection programs on Flash Drives etc, when such devices are plugged in?

    Recently, a college lecturer kindly gave my grand-daughter a Flash Drive to help with her studies.

    It wrecked her Laptop and course work.

    I took a look at the Flash Drive, it had two Trojans on it, plus a lot of personal files belonging to the lecturer – nothing to do with the study course.

    And the college has a major IT/Computing Department!

    A protection system kicking in on auto-detect and running appropriate software, would apparently at least reduce such occurrences.

  10. I have an option where I can scan a thumbdrive with my malware goodies before I open it.
    Right click on it and try Properties.

  11. Our local library’s computers have only floppy drives. No USB. I wonder if this article’s premise is the reason. I would think the floppy is just as vulnerable to malware transfer.

    I suspect that’s just the age of the computers, but there was never an “auto-run” applied to floppies, so they are inherently somewhat safer.

    Leo
    16-Mar-2011

  12. Before the Internet was available to the general public, the principal means of virus propagation was floppy disks. I think over half of the diskettes I checked contained viruses. Either the computers in your library are very old or they don’t realize that diskettes can transfer viruses.

  13. Okay, I don’t mean to flame here, but maybe that’s what it is. What kind of people ask what happens if you push this red button marked Global Nuclear Destruction and then push it? Even 75 years ago, people laughed at The 3 Stooges for using a lit match to check the gasoline level in the tank.

    Okay, I just read an item by Randy Cassingham about 4 idiots who heard a warning about the incoming tsunami and ran down to the beach to watch it! I’ll be quiet now. No matter how smart you make the computer, it’s still operated by a human being.

  14. What about using a live CD on a computer without a hard drive, to look at an unknown flash drive? Could the computer still be infected?

    As long as the Live CD is not running Windows (most do not) it’s typically a safe way to examine possibly infected disks.

    Leo
    16-Mar-2011
