Alert: Your thumb drive may be spreading the "GSPI" computer worm

Announcement Posted: 4/30/2008

A "GSPI" computer worm is propagating around campus and has been found on Windows lab computers as well as Windows XP-based laptops. This is what we know about it:

  1. The worm is being transmitted entirely by thumb drives and other USB storage devices.

  2. This worm variant propagates very effectively, but doesn't actually do much damage.

  3. The worm exploits a default behavior of XP computers. Vista users may not be as vulnerable. Linux and OS X operating systems are not affected.

  4. The current SAV virus definitions (04/28/08) are inadequate: they do not remove all of this worm, and sometimes remove none of it.

  5. If you open an Internet Explorer browser and see "GSPI" appended to the title, you have been infected by this worm.

If you think you have the worm, or just want to make sure you don't have it or don't get it, there are tools available to help:

  1. To clean the worm from your computer and all USB storage devices that are plugged in, download and run the CleanGSPIworm.vbs script available here:

    http://engr.oregonstate.edu/computing/files/gspiworm/CleanGSPIworm.vbs

    Once downloaded, just double-click on the file. You might want to save this script to your thumb drive and run it periodically if you feel the need. It doesn't hurt to run it even if you don't have the worm.

  2. To turn off the default XP behavior that allows this exploit, you can change a registry setting that disables autorun on all drives, including CD/DVD drives, thumb drives and other USB storage devices. It is available here:

    http://engr.oregonstate.edu/computing/files/gspiworm/disable_autorun.reg

    Once downloaded, just double-click on the file. After the registry setting is made, you can delete this file or save it somewhere for future use. You may need to reboot your computer for this setting to activate.

Note: With autorun turned off, you will lose the convenience of setup programs starting automatically when a CD/DVD is inserted into your computer. You will just need to open the drive and double-click setup.exe or whatever program autorun.inf would normally run.

  1. To re-enable autorun, download and apply this:

    http://engr.oregonstate.edu/computing/files/gspiworm/enable_autorun.reg

    Once downloaded, just double-click on the file. After the registry setting is made, you can delete this file or save it somewhere for future use.
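
To confirm the state of a machine after these steps, the following PowerShell script reports the autorun policy and lists any autorun.inf found on removable drives. It is an added example, not the contents of CleanGSPIworm.vbs or of the .reg files linked above; it assumes the setting involved is the standard Windows NoDriveTypeAutoRun policy value, needs PowerShell 3.0 or later, and its function names are hypothetical.

```powershell
# Assumption: autorun is governed by the standard NoDriveTypeAutoRun policy value.
# The contents of the page's disable_autorun.reg are not shown, so this is not taken from it.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunPolicy {
    foreach ($path in $policyPaths) {
        $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($item) { [int]$item.NoDriveTypeAutoRun } else { $null }
        [pscustomobject]@{
            Path  = $path
            Value = if ($null -ne $value) { '0x{0:X2}' -f $value } else { '(not set)' }
            # 0xFF sets every drive-type bit, which turns autorun off for all drives
            AllDrivesDisabled = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
        }
    }
}

function Find-AutorunInf {
    # DriveType 2 = removable disk (thumb drives and most USB storage)
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $drives) {
        $inf = Join-Path ($drive.DeviceID + '\') 'autorun.inf'
        # -Force so that hidden or system files are found as well
        $file = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        # Report only the keys that start a program when the drive is opened
        $launch = Get-Content -LiteralPath $inf -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=' }
        [pscustomobject]@{
            Drive       = $drive.DeviceID
            Attributes  = $file.Attributes
            LaunchLines = $launch
        }
    }
}

Get-AutorunPolicy | Format-Table -AutoSize
Find-AutorunInf   | Format-List
```

An autorun.inf on a thumb drive that you did not put there, especially one with launch lines, is a reason to run the cleanup script before opening the drive.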

Again, this worm doesn't do much damage, but future variants using the same techniques could. Thumb drives are becoming very popular and are used everywhere, and they are the main way this worm is spreading. Running the cleanup script and applying the disable_autorun.reg setting will help, but also remember to keep your anti-virus signatures up to date.