Old 03-03-2010, 03:58 AM   #1
Xochipilli2012
Virus pattern match upon connecting Astak Pocket Pro to my computer

I knew it would be something new and different, even interesting.

I had run the firmware upgrade after fully charging my new Pocket Pro. When I connected it to my computer's USB port my virus protection software popped up the alert attached, which reads:

M:\autorun.inf

Contains recognition pattern of the WORM/Conficker.Autorun.Gen worm.


In this case, drive "M" is the Astak Pocket Pro.

Have any of you encountered this before? I'm not too worried as my virus protection seems capable of managing it. I've disconnected, then reconnected the PP several times to confirm the sequence. The warning is triggered immediately upon clicking the menu button on the reader to connect to the PC. I tried using the "delete" option with my virus protection, and this may have removed the problem as I seem able to connect without triggering the alert.

I don't know enough about autorun.inf viruses to confidently assess what's going on here. And a bit of searching via Google and on this forum hasn't turned up anything either. I know that virus detection via pattern matching can return "false positives." I'm hoping someone more knowledgeable in this area might be able to provide some insight into the matter.

Thanks!
Attached image: Astak Autorun.inf Virus.jpg
Old 03-03-2010, 10:43 AM   #2
CCampbell202
Can you delete the file? It is a virus that I have seen on my network at work. The file may be configured as read only. Once you remove that option, delete it. Autorun.inf files typically contain some type of instructions so that when the CD or folder is opened it will run those commands.
Old 03-03-2010, 10:57 AM   #3
theducks
Was M: the main memory or SDcard?
There is no Autorun file on a normal PEz distribution. A Worm could have placed one there if the device came in contact.

An Autorun file is just a "Startup" direction file that tells what to do if triggered when a device is attached AND you have left your system with Autorun processing enabled. The safe way is to either disable Autorun or set it to "ALWAYS ASK ME WHAT TO DO".
So the big question is where this got placed upon your PEz. (BTW the real payload is an EXE file that the autorun calls to be run.)
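An added example, not part of any post in this thread: a small Python triage routine that reads the text of an autorun.inf and lists the entries that would start a program, which is the check post #3 points to when it says the real payload is the EXE the autorun calls. The sample file contents and the file names in them are constructed for illustration.

```python
import re

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def launch_commands(text):
    """Return (key, command) pairs from the [autorun] section of an autorun.inf."""
    found = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # other sections and junk lines launch nothing
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or SHELL_CMD.match(key):
            found.append((key, value))
    return found


def verdict(text):
    """Classify a file: 'launches-program' or 'no-launch-command'."""
    return "launches-program" if launch_commands(text) else "no-launch-command"


# Constructed samples (not taken from the device in this thread).
SUSPECT = """\
; constructed sample
[AutoRun]
icon=reader.ico
Open=hidden\\setup.exe
shell\\open\\Command=hidden\\setup.exe
zzzz not a key value line
"""
BENIGN = "[autorun]\nlabel=My Reader\nicon=reader.ico\n"

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, verdict(sample), launch_commands(sample))
```

Any path the routine reports is the file to hand to the virus scanner next; an autorun.inf that only sets a label or icon launches nothing.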
Old 03-03-2010, 07:04 PM   #4
rxsz
USB drive vaccine

Ever since I installed this software, it has stopped all the autorun viruses that enter my system through removable drives such as USB thumb drives.

You'll be amazed at how many digital photo places have infected computers. Stick your USB drive, or any external memory card, in there, and you're infected!

http://www.pandasecurity.com/homeuse...ds/usbvaccine/ Panda Vaccine. But don't get the Panda Cloud Protection, terrible resource hog.

Oh, another good habit is to always open the drive and check contents by the context menu, rather than double clicking any drive, which then executes any autorun file on it. You'd need to have Show hidden systems on to see the autorun files.
Old 03-03-2010, 07:07 PM   #5
Xochipilli2012
Virus or no virus?

When I first got the warning, I just clicked "OK" to "Deny Access" to the file, as my experience with AntiVir has been that it cannot delete infected files when it first locates them. I usually check the log and delete them later or use a dedicated removal tool for that particular virus. I try to be careful so I don't run into this problem very often.

In this case I tried to view Drive M, which was the Astak's internal memory at the time as I had removed the SD card I used to flash the firmware at that point, so there is no question that it was not the memory card. However, I could not locate the file in question. I don't have any Linux distros installed at the moment, so I don't know if I would have better luck trying to view the memory of the reader using Linux, but in Windows XP I use folder settings where no files are hidden.

As I clumsily reported, I repeated the connect sequence several times to confirm that the reader was triggering the alert, but on the final instance tried the option from AntiVir to delete the file, and surprisingly it didn't offer its normal "sorry--can't do that now" message and seemed to have deleted the file. I cannot say for certain it did, as I could never see autorun.inf in the first place. But ever since then I have been able to connect the device without receiving any warnings.

It doesn't sound as if this is a known issue. I'm additionally curious if it was introduced during the firmware upgrade process. Even though the file I installed was probably the same version, perhaps it was a different build copy or something? I downloaded it from theEZReader.com website a couple days ago. I suppose once the new firmware comes up, and if the problem resurfaces, that would be a clue.

Anyhoozle, things seem to be humming along nicely at this point.

Thanks for the input, guys!
Old 03-03-2010, 07:33 PM   #6
Acreo Aeneas
It can also be a false positive. There is a higher number when you have security set at medium or high.
Old 03-04-2010, 02:24 AM   #7
teemac
Member
teemac doesn't litterteemac doesn't litter
 
teemac's Avatar
 
Posts: 21
Karma: 140
Join Date: Jan 2010
Location: NSW, Australia
Device: ECO Reader V3ext, ECO Reader V3+
An old IT trick is to delete the FILE called autorun.inf and make a FOLDER called autorun.inf in the root of the device.

Windows won't allow a file of the same name to be made or pasted if a folder has the same name in the current directory.

The FOLDER called 'autorun.inf' does not have to have anything in it, just leave it empty.

I have used this trick successfully for years on thumb drives, SDcards, CDRW/DVDRW and secondary data HDDs with no problems.
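An added example, not part of any post in this thread: the folder placeholder from post #7 as a Python sketch that swaps an autorun.inf file for an empty folder of the same name and then checks that creating a file with that name is refused. A temporary directory stands in for the drive root, and the function names are made up for this illustration.

```python
import os
import tempfile


def place_guard(root):
    """Replace any autorun.inf file in `root` with an empty folder of that name."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        os.chmod(path, 0o600)  # clear a read-only flag first (see post #2)
        os.remove(path)
    os.makedirs(path, exist_ok=True)
    return path


def file_create_blocked(root):
    """True if writing a *file* named autorun.inf in `root` is refused."""
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\n")
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return True
    return False


def demo():
    """Return (blocked_before, blocked_after) for a constructed drive root."""
    with tempfile.TemporaryDirectory() as root:  # stands in for M:\
        # Constructed starting state: a read-only autorun.inf file is present.
        path = os.path.join(root, "autorun.inf")
        with open(path, "w") as fh:
            fh.write("[autorun]\nopen=setup.exe\n")
        before = file_create_blocked(root)  # plain file: overwrite succeeds
        os.chmod(path, 0o400)               # mark it read-only
        place_guard(root)
        after = file_create_blocked(root)   # folder in the way: refused
        return before, after


if __name__ == "__main__":
    print(demo())
```

The placeholder only stops a plain file create with that name; turning off AutoRun on the PC, as post #3 suggests, still applies.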
All times are GMT -4.