We use thumb drives in different ways – usually to transfer files from one computer to another. When we create folders in thumb drives, we have a certain level of confidence that the folder isn’t malicious or doesn’t contain malware. Unfortunately, this assumption is not always true. For the month of November, we added the Folstart family to the Microsoft Malicious Software Removal Tool (MSRT).
Folstart is a family of worms that copies itself using the same names as folders in your USB drives. In addition, it uses the folder icon to further its deception. Although this technique is not new, it still leads to infecting several thousand users mostly in the United States as shown in the graph below:
Figure 1: Distribution of Win32/Folstart
The following is the screenshot of a drive in which folders are set to hide known extension and not show hidden files, folders and drives. It seems to be a normal folder but is actually W32/Folstart. Executing this will lead to an infection.
Figure 2: Folstart sample named “new folder”
To avoid this scenario, it is a good practice to show hidden files and system files file extensions. To do this, in Windows Explorer, go to Organize >Folder and Search options and then click the View tab:
Figure 3: How to display hidden files and folders, and show file extensions
This way, your computer can reveal the real files that are actually there. Here’s the same folder as in Figure 2 with these settings enabled:
Figure 4: The same sample in Figure 2, with the file extension visible
For some users who prefer to hide files and extensions, there is an alternative – right-click on the file and check what’s written under “Type of file” in the General tab. Figure 5 shows a Folstart copy with the file type as an executable.
Figure 5: File type is .exe for a Folstart sample
A real folder type should be File folder:
Figure 6: File type is folder for a real folder
Most of the things we discussed were about preventing infection by Folstart. If you suspect that you were infected by Win32/Folstart we suggest running the MSRT. For more details about Win32/Folstart please visit our encyclopedia.
Francis, MMPC
Leave a reply
