One of our Win PCs got infected with that thing. It creates a VB script in appdata, and when it runs, every USB drive you put in gets everything on it hidden, and a new shortcut with the name of the drive appears that actually points at a script, leading to a new infection. Updated Win just blocks it, but this one PC was on 1709, nuff said.
It so happens we had something to present via this PC, and quickly, and at that time no one had told me about the virus. We tried 4 different clickers one by one (2 A4 Tech, one generic, one Logi), and the first three of them stopped working after that. They all have fresh batteries, and their BT adapters weren't recognized as USB drives, I assume. What could go wrong?
I don't believe this VB script could by any chance move critical information around on BT adapters like it did with USB drives, right? Even if there's a little flash drive with software on it, it should be set RO by default. But I don't see any other explanation for that.
I don't have access to any of these three at the moment, but I'm curious where I should begin to inspect this problem. How can I, presumably, see the 'contents' of such an adapter, see the inputs and outputs going by, maybe watch it initiating a search routine, etc.? I also have a couple of universal BT adapters that I bought for my gamepads; is there any use for them here, or are these toys strongly paired device-to-adapter?
Now, thinking about it, I am not sure if I tried them on my Arch (btw!), so maybe it's only reproducible under Win (with the Logi clicker and a Logitech Bluetooth mouse+keyboard still working on that infected machine?). Again, I would like to hear if there's something I can look for.
Bonus points for advice I can try on Linux, since Lemmy landed me there, and if I ever need to look deep into various devices again, it's better to learn it on a system that I'll use in the future, so I won't need to relearn it.
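An added example, not part of the original post and not code from any vendor named in it. The question above is how to see what a dongle actually presents to the host; on Linux that is readable straight from sysfs. The script lists every USB device's interface classes and flags any receiver that also exposes a mass-storage interface, which is the only kind Windows would mount as a drive and the shortcut worm could write to. The /sys/bus/usb/devices layout (idVendor, idProduct, product, and one `<dev>:<config>.<iface>` directory per interface carrying bInterfaceClass) is the standard kernel layout; the two devices in make_fake_sysfs, their IDs and product strings are constructed so the example runs offline.

```python
"""List USB devices and their interface classes from Linux sysfs (added example)."""
import sys
import tempfile
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")
# bInterfaceClass codes as assigned by USB-IF
CLASS_NAMES = {0x01: "audio", 0x02: "CDC control", 0x03: "HID", 0x08: "mass storage",
               0x09: "hub", 0x0A: "CDC data", 0x0E: "video", 0xE0: "wireless controller",
               0xFE: "application specific", 0xFF: "vendor specific"}
INPUT_CLASSES = {0x03, 0xE0}   # what a clicker, receiver or Bluetooth dongle should expose
STORAGE_CLASS = 0x08           # what the shortcut worm needs: something Windows mounts as a drive


def _read(path: Path, default: str = "") -> str:
    try:
        return path.read_text().strip()
    except OSError:
        return default


def enumerate_usb(root: Path = SYSFS_USB) -> list:
    """One record per device under `root`: sysfs name, VID:PID, product, interface classes."""
    devices = []
    for dev in sorted(root.iterdir()):
        name = dev.name
        # skip root hubs ("usb1") and interface entries ("1-2:1.0"); keep "1-2", "1-2.3"
        if name.startswith("usb") or ":" in name or not (dev / "idVendor").exists():
            continue
        classes = [int(_read(iface / "bInterfaceClass", "ff"), 16)
                   for iface in sorted(dev.iterdir()) if iface.name.startswith(name + ":")]
        devices.append({"path": name, "vid": _read(dev / "idVendor"), "pid": _read(dev / "idProduct"),
                        "product": _read(dev / "product", "(no product string)"), "classes": classes})
    return devices


def assess(record: dict) -> str:
    """'storage+input' is the case worth inspecting: an input dongle that is also a drive."""
    kinds = set(record["classes"])
    if STORAGE_CLASS in kinds:
        return "storage+input" if kinds & INPUT_CLASSES else "storage"
    return "input-only" if kinds & INPUT_CLASSES else "other"


def make_fake_sysfs(base: Path) -> Path:
    """Constructed stand-in for /sys/bus/usb/devices so the example runs anywhere."""
    root = base / "devices"
    # vendor/product IDs and names here are made up, not real products
    spec = {"1-1": ("1234", "0001", "Example HID receiver", ["03", "03", "03"]),
            "1-2": ("1234", "0002", "Example presenter with drive", ["03", "08"])}
    for dev, (vid, pid, product, ifaces) in spec.items():
        d = root / dev
        d.mkdir(parents=True)
        (d / "idVendor").write_text(vid + "\n")
        (d / "idProduct").write_text(pid + "\n")
        (d / "product").write_text(product + "\n")
        for i, cls in enumerate(ifaces):
            (d / f"{dev}:1.{i}").mkdir()
            (d / f"{dev}:1.{i}" / "bInterfaceClass").write_text(cls + "\n")
    (root / "usb1").mkdir()  # root hub entry, must be skipped
    return root


def demo() -> dict:
    """Run the enumeration over the constructed tree; returns {sysfs name: verdict}."""
    root = make_fake_sysfs(Path(tempfile.mkdtemp()))
    return {rec["path"]: assess(rec) for rec in enumerate_usb(root)}


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else SYSFS_USB
    if not root.is_dir():
        root = make_fake_sysfs(Path(tempfile.mkdtemp()))
    for rec in enumerate_usb(root):
        names = ", ".join(CLASS_NAMES.get(c, f"0x{c:02x}") for c in rec["classes"])
        print(f"{rec['path']:8} {rec['vid']}:{rec['pid']} {rec['product']:30} [{names}] -> {assess(rec)}")
```

Run it on a Linux box with the dongle plugged in and no arguments to read the real sysfs; the same information is what `lsusb -v` prints under bInterfaceClass. A receiver that reports only HID or wireless-controller interfaces has no filesystem for the worm to touch; one that reports mass storage as well deserves a closer look, for example by mounting it read-only and listing hidden files and .lnk entries.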
That virus has been around since the 90s. Windows actually took a long time to block it. I have seen it in the wild for decades, with different iterations. Linux is indeed immune, as it is a Visual Basic script, which doesn't run without permission on Linux. The USBs also have an autorun, but Linux won't do anything with it.
You can actually check this on Linux: the VB script can easily be opened in a text editor and its code read plainly. The dongles are usually pretty generic if they're BT, and paired to a single device if they're 2.4 GHz WiFi. They should have flash memory, but how vulnerable they are to this type of malware is unknown to me. I do remember having read code that switched the read-only flag of USB filesystems. But I haven't done IT in almost a decade; I'm probably out of date on the technicals. I do remember that antivirus couldn't even detect this particular attack until late in the 2010s, and automated pendrive fixes were made mostly by the underground and FOSS scene.
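The reply above suggests reading the dropped VB script in a text editor. The other half of the infection, the .lnk shortcut that launches it, is binary, but small and documented (MS-SHLLINK), so here is an added example, not the reply author's code, that triages shortcuts from Linux. It decodes the ShellLinkHeader and StringData of a .lnk and flags the pattern the original post describes: the target runs a script host, the arguments reference a script file, explorer is chained on to open the decoy folder, and the window mode is "minimised, not activated". The worm-style and benign shortcuts assembled by build_sample_lnk are constructed in memory, the file names inside them are made up, and the heuristics are this example's choice, not a signature from any product.

```python
"""Triage Windows .lnk shortcuts for the USB shortcut-worm pattern (added example)."""
import re
import struct
import sys
from pathlib import Path
from typing import Optional

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1); StringData follows in exactly this order
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the window minimised
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|cmd|powershell|mshta|rundll32)\b")
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b")


def parse_lnk(data: bytes) -> dict:
    """Decode the header and StringData of a .lnk; ValueError if it is not one."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LINK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:    # IDListSize (uint16) then that many bytes of item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) counts the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return {"flags": flags, "show_command": show_cmd, "strings": strings}


def triage_lnk(data: bytes) -> dict:
    """Apply the shortcut-worm heuristics; returns the parsed info plus a verdict."""
    info = parse_lnk(data)
    text = " ".join(info["strings"].values()).lower()
    reasons = []
    if SCRIPT_HOST.search(text):
        reasons.append("target or arguments invoke a script host")
    if SCRIPT_FILE.search(text):
        reasons.append("references a script file")
    if "explorer" in text and "&" in text:
        reasons.append("chains explorer after the payload (opens the decoy folder)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window set to SW_SHOWMINNOACTIVE (runs minimised)")
    info.update(suspicious=bool(reasons), reasons=reasons)
    return info


def build_sample_lnk(relative_path: str, arguments: Optional[str], show_cmd: int = 1) -> bytes:
    """Assemble a minimal Unicode .lnk in memory (constructed test data, not a real sample)."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_WORKING_DIR | IS_UNICODE | (HAS_ARGS if arguments is not None else 0)
    header = struct.pack("<I16sII8s8s8sIiIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         b"\0" * 8, b"\0" * 8, b"\0" * 8, 0, 0, show_cmd, 0, 0, 0, 0)
    id_list = struct.pack("<HH", 6, 4) + b"\x1f\x50" + struct.pack("<H", 0)  # one dummy ItemID + TerminalID

    def sd(text: str) -> bytes:  # StringData entry: CountCharacters + UTF-16LE chars
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list + sd(relative_path) + sd(".") + (sd(arguments) if arguments is not None else b"")


def scan_drive(mount: Path) -> list:
    """Triage every .lnk below a mount point (suffix matched case-insensitively)."""
    results = []
    for path in mount.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".lnk":
            try:
                results.append((path, triage_lnk(path.read_bytes())))
            except ValueError as exc:
                results.append((path, {"suspicious": False, "reasons": [f"unparseable: {exc}"]}))
    return results


# Constructed samples: a shortcut named like the drive that runs a dropped .vbs
# minimised and then opens the real, hidden folder as a decoy; and a harmless one.
WORM_STYLE = build_sample_lnk(r"..\..\..\Windows\System32\cmd.exe",
                              r'/c start wscript.exe //B "sys.vbs" & start explorer "Photos"',
                              show_cmd=SW_SHOWMINNOACTIVE)
BENIGN = build_sample_lnk(r"Photos\holiday.jpg", None)

if __name__ == "__main__":
    targets = scan_drive(Path(sys.argv[1])) if len(sys.argv) > 1 else \
        [("worm-style", triage_lnk(WORM_STYLE)), ("benign", triage_lnk(BENIGN))]
    for label, verdict in targets:
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {label}: {'; '.join(verdict['reasons']) or 'nothing flagged'}")
```

With a mount point as argument it walks the drive and reports each shortcut; with none it triages the two built-in samples. Mount the suspect stick read-only first, so the inspection itself changes nothing, and compare the shortcut names against the hidden folders next to them: on this worm the two sets match.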