Is the recycle.bin virus dangerous?

295    Asked by AndreaBailey in SQL Server, asked on Jan 11, 2022

I'm running Debian 9.1 with KDE and scanned some other hard drive with the open source AV ClamAV. I got plenty of findings, most of which are PUAs (Potentially Unwanted Applications) (and I suspect many or even all of them are false positives - it seems ClamAV shows literally all .dll and .exe files as "PUA"s, and the remaining ones weren't detected by most other AVs).

Most of these were located under $RECYCLE.BIN/someid/someid/...

Earlier I ran Windows (including AV) with that hard drive and now I'm wondering if malware in such locations could have been dangerous as well. Can applications in recycle bins be executed? Or is there some mechanism that prevents deleted DLLs and executables from being run?


Answered by Amit Sinha

Yes, executables in the recycling bin can be executed. The $RECYCLE.BIN virus has a special purpose in Windows Explorer so items inside of it cannot be interacted with. This does not prevent the executables from being listed as a service, startup entry, or used from command line. Around 2007 I found a worm hiding in the $RECYCLE.BIN of a customer. When you plugged in a USB drive, the worm would overwrite the AUTORUN.INF file with an entry that looked like the "Open folder to view files". When you plug the USB drive in a new computer and click the wrong "Open folder to view files" entry, it would drop the malware in your $RECYCLE.BIN and create a startup entry in the registry.

It was especially hard to manually clean up because the $RECYCLE.BIN is hard to access from Windows. From the command line, I had to run dir /ah and dir /as just to navigate into it and see the malware.

Finally, $RECYCLE.BIN has SID "folders" for each user's recycling bin. This means you can put an SID that doesn't exist and nobody would ever see the files normally. It's possible temp-file cleaning tools might try to delete it, but the malware I've seen had permissions broken so that wouldn't always work. Fortunately nowadays, Antivirus—in my experience—checks $RECYCLE.BIN.
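As an added, defender-side example (not part of the answer above), here is a PowerShell audit for exactly the conditions the answer describes: per-SID subfolders of $RECYCLE.BIN that map to no known account, executables sitting inside them, and Run keys or services whose command line launches from a recycle bin. It assumes an elevated prompt on Vista or later, and the $R/$I naming check is an assumption about the modern Recycle Bin layout (Explorer renames deleted files to $R<random>.<ext> with a $I<random>.<ext> metadata stub).

```powershell
# Added example: audit every fixed drive's $RECYCLE.BIN and the usual autostart
# locations for the hiding techniques described in the answer. Run elevated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$execExt = '.exe', '.dll', '.scr', '.com'

foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object Root -match '^[A-Z]:\\$') {
    $bin = Join-Path $drive.Root '$RECYCLE.BIN'
    if (-not (Test-Path -LiteralPath $bin)) { continue }

    # -Force is required: $RECYCLE.BIN and its SID folders are hidden+system (the dir /ah, dir /as case).
    foreach ($sidDir in Get-ChildItem -LiteralPath $bin -Directory -Force) {
        $account = $null
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]$sidDir.Name
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }   # not a SID, or a SID no account resolves to
        if (-not $account) {
            Write-Warning "$($sidDir.FullName): folder name resolves to no account (orphaned or planted SID)"
        }

        Get-ChildItem -LiteralPath $sidDir.FullName -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $execExt } |
            ForEach-Object {
                # Assumption (Vista+ layout): a file Explorer deleted is named $R... and has a $I... twin.
                # An executable keeping its original name, or lacking the twin, was not put there by Explorer.
                $twin = Join-Path $_.DirectoryName ($_.Name -replace '^\$R', '$$I')
                if ($_.Name -notmatch '^\$R' -or -not (Test-Path -LiteralPath $twin)) {
                    Write-Warning "$($_.FullName): executable outside Explorer's `$R/`$I layout"
                }
            }
    }
}

# Startup entries and services are how a file in the bin actually gets run.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'RECYCLE\.BIN') {
            Write-Warning "Startup entry '$($p.Name)' in $key launches from a recycle bin: $($p.Value)"
        }
    }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'RECYCLE\.BIN' } |
    ForEach-Object { Write-Warning "Service $($_.Name) runs from a recycle bin: $($_.PathName)" }
```

Anything this script warns about is a lead to examine, not a verdict: an orphaned SID folder is also what a deleted local account leaves behind.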
