
When is AUTORUN.INF really an AUTORUN.INF?


11 replies to this topic

#1 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:33 AM

Posted 08 January 2009 - 10:25 AM

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#2 samuel3

samuel3

  • Members
  • 2,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:33 AM

Posted 10 January 2009 - 08:18 PM

I have disabled some bit of AUTOPLAY Control Panel>Hardware and Sound>AUTOPLAY and I've put 'Take no Action' on some of them. Has this disabled all of the AUTOPLAY or is it enough to stop this Malware getting on my computer???


I've just found this off a friend and I downloaded the registry editor that disables the autorun.

http://www.cit.cornell.edu/security/alerts...ot/autorun.html

It's totally safe and trustworthy. It's a university site.

Edited by samuel3, 10 January 2009 - 08:33 PM.


#3 quietman7


Posted 11 January 2009 - 12:10 AM

The link you used contains instructions from the Cornell University Tech Department probably intended for users of their computers.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
If needed, see "Disable Autorun/AutoPlay in XP with Tweak UI" for instructions with screenshots.

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful. Disabling autorun/autoplay does not prevent you from accessing your media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, USB or external hard drive). Pictures on a camera can still be accessed through My Pictures and selecting "Get Pictures" from a scanner or camera. Media can be accessed via the program you normally use it with such as music CDs via Media Player, blank CDs via burning software, image handling software provided with the camera. I strongly recommend you leave the autorun feature disabled and get into the habit of accessing your media devices manually.

If using Windows Vista, please refer to:

However, disabling AutoRun is not enough. See Scott Dunn's One quick trick prevents AutoRun attacks. For most novice users, the easiest way to inoculate a USB Flash Drive is to create a Read-only folder on the drive named autorun.inf and place a small file inside or just use Flash_Disinfector which does the same thing for you. Flash_Disinfector is a specialized fix tool created by sUBs to remove infections that load an autorun.inf file on removable media. As part of its routine, this tool will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you run it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Alternatively, you can download and use Panda USB Vaccine. Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

Finally, always scan USB Flash Drives after they have been used in other computer systems, even your own. An easy way to do this is to download "ClamWin Portable Antivirus", put it on your USB Flash Drive, update its definition files and perform a scan.

Edited by quietman7, 09 April 2009 - 08:59 AM.


#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:33 AM

Posted 13 January 2009 - 09:37 AM

Thanks quietman7!

This is a very useful post. Might want to make it a "tutorial" or maybe it should be "pinned". Well regardless....thanks for the great info. It has been placed in my library.

t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 quietman7


Posted 13 January 2009 - 11:08 AM

You're welcome.

Glad you found the info useful.

#6 GTK48

GTK48

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ohio
  • Local time:02:33 AM

Posted 26 January 2009 - 09:38 PM

I just turned mine off, Thanks for the info. :thumbsup:

#7 scff249

scff249

    Indecisive Lurker


  • Members
  • 1,319 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:01:33 AM

Posted 26 January 2009 - 10:07 PM

I have as well.....as I know how annoying Autorun.inf infections are........

Just a question about Flash Disinfector.....

Can it be applied to other things as well (such as externals, MP3's, etc.) and not just flash drives or is it only for flash drives?

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo


#8 quietman7


Posted 27 January 2009 - 08:03 AM

Flash_Disinfector will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. Do not delete this folder. It helps to keep the malicious autorun.ini file from being installed on the root drive and running other malicious files which will infect the computer.

These are the instructions for using it:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.


#9 scff249


Posted 27 January 2009 - 08:17 AM

Ah, so it does extend to other things as well. That's good to hear, especially since we're in need to use an external for a project to pass around files for our project. I'll make sure to immunize it as an extra safety measure.

Thanks for the info! I'll make sure everyone in my class immunizes their computers as well as suggest to turn off AutoPlay as an extra measure.



#10 lindaga35

lindaga35

  • Members
  • 384 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:33 AM

Posted 27 January 2009 - 11:27 AM

So if I'm reading this right, I should watch out for USB drives too? Oh man, I didn't even think of that, :thumbsup:

How do I find out if auto run is on my computer? I would assume to search for it? I use a camera and mp3 player, and a doggie that's my 4yr old's. (It grows and knows her name.) And of course my printer, that's if I ever get it installed.

Thanks for posting this.

Lindaga35

#11 quietman7


Posted 27 January 2009 - 01:08 PM

There are several ways to do that.

Autorun.inf is hidden so you have to Reconfigure Windows XP to show hidden files, folders. Double-click on My Computer, go to Tools > Folder Options and click on the View tab. Under Hidden Files and Folders, check "Show hidden files and Folders", uncheck "Hide Protected operating system Files (recommended)", uncheck "Hide file extensions for known file types", and hit Apply > OK.

Then open My Computer, right-click on your primary drive (DO NOT double-click), select "Explore", search for any autorun.inf at the root. Repeat the search on all your drives (including your flash drive).

or search with cmd prompt:

Go to Start > Run and type: cmd
  • press Ok.
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • press Enter.
  • At the command prompt C:\>, type: attrib -s -h -r -a autorun.inf
  • press Enter.
  • Type: dir
  • press Enter.
  • Repeat the above commands for each drive on your computer including your flash/usb drive.
or

Go to Start > Run and type: cmd
  • press Ok
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • press Enter.
  • At the command prompt C:\>, type: dir c:\ /as /ah
  • press Enter.
  • Repeat the above commands for each drive on your computer including your flash/usb drive.


#12 MaliciousBrains

MaliciousBrains

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:03 PM

Posted 27 January 2009 - 02:58 PM

Try USB Protect. I have created this utility and you can check it out under the Utilities section of MalwareInfo.Org.

Brief description:
------------------------
USB Protect runs in the background and monitors the DBT_DEVICEARRIVAL events. Once it detects a DBT_DEVICEARRIVAL event, it identifies if it's a REMOVABLE media like USB. If it detects a USB DBT_DEVICEARRIVAL, it detects the drive entry and checks for the existence of Autorun.inf and the malware binary that is being called through it. On a positive detection, it deactivates both the Malware binary and the Autorun.inf file. USB Protect also gives a voice confirmation when an Autorun.inf file is detected in the USB drive. On positive detection, USB Protect changes the Malware binary to .blocked and Autorun.inf to .usb extensions, so nothing is deleted or lost.
------------------------

Note: This is not a publicity post. Just because this topic deals with the USB Infectors and Autorun.Inf so probably USB Protect can come handy to protect the systems getting infected with these USB borne Malwares.
~MaliciousBrains~
There are no patches or service packs for IGNORANCE!!
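
The drive-root check described in posts #11 and #12 (find autorun.inf, then see what it would launch), together with the folder inoculation from post #3, as an added Python example that is not code from any poster or tool in this thread. The sample autorun.inf text and the file names in it are constructed; the script only reads, it never runs or renames anything.

```python
import os
import re

# Keys in the [autorun] section that name a program to launch.
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# Constructed sample: a junk line before the section, then two launcher entries.
SAMPLE_INF = "\r\n".join([";x9Qz junk padding", "[AutoRun]", "label=Photos",
                          "OPEN = recycler\\svc.exe -k",
                          "shell\\explore\\Command=recycler\\svc.exe", ""])

def launch_commands(inf_text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf text."""
    found, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        key, sep, value = line.partition("=")
        if in_section and sep and LAUNCH_KEY.match(key.strip()):
            found.append((key.strip().lower(), value.strip()))
    return found

def audit_root(root):
    """Classify the autorun.inf entry at a drive root: absent, file, or inoculated."""
    for name in os.listdir(root):         # listdir also returns hidden/system entries
        if name.lower() != "autorun.inf":
            continue
        path = os.path.join(root, name)
        if os.path.isdir(path):           # a folder of that name blocks a file of that name
            return {"state": "inoculated", "commands": []}
        with open(path, "rb") as fh:
            data = fh.read(65536)
        utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
        text = data.decode("utf-16" if utf16 else "latin-1", "replace")
        return {"state": "file", "commands": launch_commands(text)}
    return {"state": "absent", "commands": []}

if __name__ == "__main__":
    import sys
    for drive in sys.argv[1:]:            # e.g. python audit.py E:\ F:\
        print(drive, audit_root(drive))
```

A result of `file` with a non-empty command list is the case worth investigating; `inoculated` means the dummy folder is in place.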



