External storage media and flash (usb, pen, thumb, jump) drives are prone to infections which involve malware that modifies/loads an autorun.inf
(text-based configuration) file into the root folder of all drives
(internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun
looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.ini uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or double-clicking on the drive icon. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keep in mind that autorun.inf can also be a legitimate file which other legitimate programs depend on so the presence of that file may not always be an indication of infection.Keeping Autorun enabled
on USB (pen, thumb, jump) and other removable drives has become a significant security risk
due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
Many security experts recommend you disable Autorun asap
as a method of prevention. Microsoft recommends doing the same
Microsoft Security Advisory (967940): Update for Windows AutorunNote: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful. Disabling autorun/autoplay does not prevent you from accessing your media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, USB or external hard drive). Pictures on a camera can still be accessed through My Pictures and selecting "Get Pictures" from a scanner or camera. Media can be accessed via the program you normally use it with such as music CDs via Media Player, blank CDs via burning software, image handling software provided with the camera. I strongly recommend you leave the autorun feature disabled and get into the habit of accessing your media devices manually.
...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...
An easy way to disable Autorun on a specific drive is to download and use Microsoft Power Toy Tweak UI
and then follow these instructions
If using Windows XP Pro you can also use the Group Policy Editor
to disable the autorun for USB & CD-ROM devices. To do this, please refer to:
If using Windows Vista
, please refer to:
If using Windows 7
, please refer to:Note: For steps that require registry changes, always back up your registry before making any changes
However, disabling AutoRun is not enough
. See Scott Dunn's One quick trick prevents AutoRun attacks
. For most novice users, the easiest way to inoculate a USB flash drive is to create a Read-only
folder on the drive and name it autorun.inf. This folder will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and executing malicious files as described in How to Maximize the Malware Protection of Your Removable Drives
You can download and use Autorun Eater
or Autorun USB Virus Finder
which will allow removal of any suspicious 'autorun.inf' files they find.Panda USB Vaccine
allows for computer and usb vaccination.
- Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not.
- USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Resarch Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
Another option for XP users is Flash_Disinfector
by sUBs. Please read About Flash Disinfector by Papakid
and USB/Flash Drive Safety by TheJoker
Finally, always scan USB flash drives and any external storage media after they have been used in other computer systems, even your own. An easy way to do this is to download "ClamWin Portable Antivirus
", put it on your USB Flash Drive, update its definition files and perform a scan.
Other scanning tools:
- Malwarebytes Anti-Malware. For usb flash drives and/or other removable drives, perform a Full scan. The option for a Flash Scan will analyze memory and autorun objects but that option is only available to licensed users in the paid version.
- Norman Malware Cleaner. Be sure to print out the instructions provided on the same page. For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.
- Dr.Web CureIt. Choose Custom Scan after the Express Scan has finished to add your usb drive to the scan.