Remove pen drive folder.exe virus using Linux

Instructions to detect and delete EXE folder viruses. This virus creates a file with an .exe extension named after each folder on the drive.

For example, if a folder has a subfolder called exam, there will be an equivalent exam.exe too.

In Windows Explorer these exe files appear as folders, so the user is tricked into clicking them, which helps the virus spread to the host machine.

Well, here comes the solution. (OK, it's for the privileged, but try finding a Linux machine in the vicinity, or even OS X for that matter!)

Open a terminal (usually gnome-terminal, or konsole on KDE).

* Proceed to the mount location of the usb drive.
$ cd /media/disk

* Look for exe files which have the file size 496
$ find . -iname "*.exe" -print0 | xargs -0 -r du | awk -F'\t' '$1 == 496'

* Now if you have a listing, do confirm if they resemble the folder names.

* Now proceed to delete them without mercy. Actually, a better idea is to move them all to a single folder instead of deleting them.
$ mkdir /media/disk/quarantine

$ find . -iname "*.exe" -not -path "./quarantine/*" -print0 | xargs -0 -r du | awk -F'\t' '$1 == 496' | cut -f 2- | xargs -r -d '\n' -I{} mv {} /media/disk/quarantine

* Now, after verifying that all those exes are the culprits, you can purge them all.

Similarly, look for Autorun.inf in the root folder of the drive. Read the contents; most probably it was placed by the virus to trigger its .exe.
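
The "confirm they resemble the folder names" step can be scripted so that it does not depend on the file size. This is an added example, not part of the original post: it lists .exe files that sit in the same directory as a folder of the same name and moves them to the quarantine folder under a non-executable name. The function names, the `.quarantined` suffix and the assumption that the .exe sits beside the folder it imitates are this example's own.

```shell
# Added example (not from the original post). POSIX sh; paths containing
# newlines are not supported.

# find_folder_exes ROOT
# Print every *.exe under ROOT that has a sibling directory of the same
# name (./exam next to ./exam.exe). Anything already in ROOT/quarantine
# is skipped.
find_folder_exes() {
    root=$1
    find "$root" -type f -iname '*.exe' ! -path "$root/quarantine/*" \
        -exec sh -c 'for f; do
            if [ -d "${f%.*}" ]; then printf "%s\n" "$f"; fi
        done' sh {} +
}

# quarantine_folder_exes ROOT
# Move the files found above into ROOT/quarantine. Each file gets a
# numeric prefix (same-named files from different subfolders do not
# overwrite each other) and a .quarantined suffix (it can no longer be
# started by a double click). Prints the number of files moved.
quarantine_folder_exes() {
    root=$1
    qdir=$root/quarantine
    mkdir -p "$qdir"
    list=$(mktemp)
    find_folder_exes "$root" > "$list"
    n=0
    while IFS= read -r f; do
        n=$((n + 1))
        mv -- "$f" "$qdir/$n-$(basename "$f").quarantined"
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Usage, with the mount point used in this post:
#   find_folder_exes /media/disk          # review the list first
#   quarantine_folder_exes /media/disk    # then move the files
```

Review the output of `find_folder_exes` before quarantining, since a legitimate installer can also share its name with a folder.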

4 thoughts on “Remove pen drive folder.exe virus using linux.”

  1. Reply Washington DC IT Support Company Jul 7,2010 6:54 pm

    Firstly, good website. I'm unsure if it could have been brought up, however, if working with Safari I can never get the complete weblog to load without refreshing repeatedly. May well just be my modem. Enjoy!

  2. Reply Jigar Shah Jan 22,2012 10:31 am

    Thanks mate, virus has grown to other size, it's now 380 K

    $ find . -iname "*.exe" | xargs -i du {} | grep 380 | cut -f 2 | xargs -i mv {} /media/disk/quarantine

    Worked for me.
