Security - Alerts - USB Bot

• Overview
• USB Device Clean-Up Clinics
• How to Check and Clean a USB Device
• How to Disable Windows Autorun
• How to Check a Windows Computer for Infection
• Technical Details

Overview

We will continue to add more information and resources to this site.
Please do check back again.

Walk-in clinics for cleaning USB devices will continue at selected locations during the week of November 3rd.

The Cornell IT Security Office has detected a serious, widespread outbreak of a "bot" (a type of computer virus) that has the potential to infect all Windows computers on campus. Macintosh computers running Windows are also susceptible to this threat.

We have found over a thousand infected computers on Cornell's networks.

This threat spreads when infected removable devices such as thumb or flash drives, music players, cell phones, cameras, external drives and the like are connected to the USB port of a Windows computer.

A number of Cornell departments are sponsoring walk-in clinics where you can have a USB device checked and, if needed, cleaned. If you are somewhat technically inclined, you can also do this yourself.

One in every six USB devices checked at these walk-in clinics has been infected.

By disabling Windows autorun feature, you can make your computer immune to catching this virus from USB devices.

If you have used any removable devices with your Windows computer this month (October, 2008), there is a reasonable chance it has been infected, even if you don't notice any difference in how it is running.

At this time (10/31/08), Symantec AntiVirus detects the three variants of this threat currently seen on campus.

We will post whatever information we have about detection and removal, including some in-depth technical detail. If you suspect your computer has been infected and don't think you can clean it up yourself, please seek assistance. People who work at Cornell should contact local IT support personnel. Otherwise, you can make an appointment to bring your computer to CIT's HelpDesk for examination (phone: 255-8990, email: helpdesk@cornell.edu).

The type of infection we are seeing here is a called a bot. When a bot takes over your computer, whoever is controlling it can do things like download more malicious software, steal information from you, and use your computer to attack other systems on the internet -- all of which we are seeing in systems infected at Cornell. Botnets, a set of computers all being controlled by the same people, are often operated on behalf of international organized crime, and so these infections need to be taken seriously.

As the IT Security Office detects infected systems, we are informing their owners and, to lessen the risk to your information and to university data and operations, restricting their network access.