
Autorun.inf question


9 replies to this topic

#1 Machinery

Machinery

  • Members
  • 87 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philippines
  • Local time:07:24 PM

Posted 16 December 2010 - 02:29 AM

Hi forum readers.
I have a question: is it true that if you create a folder named "autorun.inf" in the root of a USB/Hard Disk you will not get infected from autorun.inf viruses?


#2 trashcan7

trashcan7

  • Members
  • 402 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:24 AM

Posted 16 December 2010 - 02:48 AM

Apparently, from here: http://www.bleuken.com/2008/07/01/preventing-and-removing-autoruninf-virus/
However, I could not find any other source that offered similar advice.

#3 ThunderZ

ThunderZ

  • Deactivated
  • 4,454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:24 AM

Posted 16 December 2010 - 06:12 AM

The method is not 100% effective but does lessen the risk.

I do it on all my flash drives and recommend it to my clients as well.

With the advent of USB-aware viruses, flash drives have become one of the top carriers/spreaders of malware.
Disabling autorun on PCs, laptops and netbooks helps as well.

Flash Disinfector is another tool/option. Among other things, it blocks the Autorun feature and then automatically creates a dummy autorun.inf when activated and a flash drive is inserted.

Be aware: it has been reported that it will break some legit apps that are designed to run/launch when a flash drive is plugged in. Example: U3.

Edited by ThunderZ, 16 December 2010 - 06:15 AM.


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:24 PM

Posted 16 December 2010 - 06:30 AM

To add to flash disinfector:

FlashDisinfector will also add a folder to your flash drive called autorun.inf. In that folder it will create a file that is hard to delete, so that the infection can not simply overwrite/delete the folder. It is therefore safer than just creating the folder.

FlashDisinfector only works on Windows XP.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 Machinery


Posted 17 December 2010 - 08:41 AM

I think that my best bet is to create it in the root of my USBs to prevent the creation of an autorun.inf file.
I've tried Flash Disinfector, and it seems that I cannot delete the folder. It comes back when I reboot. I have to find a way to permanently delete it, hopefully I've found one on the Internet and it works!

#6 ThunderZ


Posted 17 December 2010 - 08:47 AM

Why do you want to delete the file? It is part of the protection put in place by FlashDisinfector.

As stated by Myrti, it is made to be more difficult to delete so USB viruses cannot overwrite it.

#7 Machinery


Posted 19 December 2010 - 03:14 AM

Because I've only tried it. And I installed a new USB Vaccine software. It's called Panda USB Vaccine.

#8 ONT

ONT

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 19 December 2010 - 05:38 AM

Malware can just remove the pre-existing file (or folder) named "autorun" and recreate it from scratch. More advanced methods to counter these actions were implemented in so-called "removable device immunization" software, which somehow "plays" with the internal structure of the file system, making a folder containing a special structure inside, then specifically changing the file table so that folder shows up as a file in the file system. The result is a file that cannot be touched by basic WinAPI calls (because they were not designed to handle such specially crafted files), so almost no malware will be able to remove it.
However, even though this type of immunization is marketed as "foolproof", which cannot be undone, it can be reverted by someone who knows how to use a hex editor to edit the raw information within the file table. And since this can be done manually, it only means that it can also be done automatically. Also, I personally recommend great care when/if using such immunization software. If you use it on devices that were designed to browse their own memory (such as portable media players, camera memory cards, phone memory cards, and so on), those devices might not be able to "understand" and correctly handle such file system modifications, which might result in operation problems or even data loss.

Edited by ONT, 19 December 2010 - 05:39 AM.
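
Added example (not part of any post in this thread, and not code from any of the tools named): a read-only audit of a raw FAT root directory that reports whether AUTORUN.INF is an ordinary file, the plain folder placeholder discussed earlier in the thread, or an entry whose attribute byte has reserved bits set. Treating reserved bits as the mark of an "immunized" entry is an assumption made for illustration; the function names and sample entries are constructed.

```python
import struct

# 32-byte FAT short directory entry: name, ext, attr, cluster hi/lo, size.
ENTRY = struct.Struct("<8s3sB8xH4xHI")
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F        # long-file-name fragment marker
ATTR_RESERVED = 0xC0   # top two bits are reserved by the FAT specification


def make_entry(name, ext, attr, cluster=0, size=0):
    """Build a constructed directory entry (sample data, hypothetical helper)."""
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr,
                      cluster >> 16, cluster & 0xFFFF, size)


def classify_autorun(root_dir):
    """Report how AUTORUN.INF is stored in raw FAT root-directory bytes."""
    for off in range(0, len(root_dir) - 31, 32):
        raw = root_dir[off:off + 32]
        if raw[0] == 0x00:                  # end-of-directory marker
            break
        if raw[0] == 0xE5:                  # deleted entry
            continue
        name, ext, attr, _hi, _lo, _size = ENTRY.unpack(raw)
        if (attr & 0x3F) == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue                        # not a file or folder entry
        if (name, ext) != (b"AUTORUN ", b"INF"):
            continue
        if attr & ATTR_RESERVED:
            # Assumption: an attribute byte ordinary file APIs do not expect.
            return "nonstandard-attributes"
        if attr & ATTR_DIRECTORY:
            return "directory"              # plain folder placeholder
        return "regular-file"               # replaceable, possibly malicious
    return "absent"


# Constructed sample root directories.
PLAIN = make_entry("README", "TXT", 0x20, 3, 120) + \
        make_entry("AUTORUN", "INF", 0x20, 5, 64)
FOLDER = make_entry("AUTORUN", "INF", 0x10, 7)
MARKED = make_entry("AUTORUN", "INF", 0x40, 9)
NONE = make_entry("README", "TXT", 0x20) + bytes(32)

if __name__ == "__main__":
    for label, data in [("plain", PLAIN), ("folder", FOLDER),
                        ("marked", MARKED), ("none", NONE)]:
        print(label, "->", classify_autorun(data))
```

A "directory" or "regular-file" result means the entry can still be removed and recreated through normal file operations, which is the weakness described in the post above.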


#9 ThunderZ


Posted 19 December 2010 - 07:32 AM

> Because I've only tried it. And I installed a new USB Vaccine software. It's called Panda USB Vaccine.

To each their own. But the more non-conflicting protection the better. It is called a layered approach.

Just read about Panda USB Vaccine. It does nothing that can not be done manually and that FlashDisinfector doesn't do. It creates a special autorun.inf on the flash device and it disables the autorun on Windows machines.
Glad it's free. <_<

#10 myrti


Posted 19 December 2010 - 07:43 AM

Panda USB Vaccine should only be used on flash drives that are exclusively used on Windows machines. Mounting the drives on Linux/Unix machines undoes every protection Panda did and leaves a completely unprotected autorun.inf file on the drive. Hence all protection is lost from the flash drive.

regards myrti
