External storage media and flash (USB, pen, thumb, jump) drives are prone to infections which involve malware that modifies/loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.inf uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or the drive icon is double-clicked. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keep in mind that autorun.inf can also be a legitimate file which other legitimate programs depend on, so the presence of that file may not always be an indication of infection.

Keeping Autorun enabled on flash drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. One in every eight malware attacks occurs via a USB device. To learn more about this risk, please read:

Many security experts recommend you disable Autorun as a method of prevention and to Maximize the Protection of your Removable Drives. Microsoft recommends doing the same.

Note: If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.

Alternatively, you can use the Disable Autorun/Autoplay Tool on almost any operating system.

However, disabling AutoRun is not enough. See Scott Dunn's One quick trick prevents AutoRun attacks. For most novice users, the easiest way to inoculate a USB flash drive is to create a Read-only folder on the drive and name it autorun.inf. This folder will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and executing malicious files as described in How to Maximize the Protection of your Removable Drives.

Another option for XP users is Flash_Disinfector by sUBs, which will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. Do not delete this folder as it helps to prevent the installation of a malicious autorun.inf file on the root drive and the execution of other malicious files which can infect the computer. For more information about this tool, please read this explanation by Papakid.

Some USB flash drives have a "write protect" read-only switch integrated on the side or on the back for preventing the content from being erased or overwritten. If you're not familiar with this feature, see Looking for a USB Flash Drive with Read Only or Write Protect Switch. However, even with such a device you still need to be careful when using public computers, as explained here.

If your USB drive does not have such a read-only switch, there are alternatives and third-party utilities which can provide this type of protection.

IMPORTANT NOTE: DSi USB Write-Blocker advises that USB devices you wish to write-block must be disconnected from the computer before the write block is enabled.

USB Protection Tools

Always scan USB flash drives after they have been used with other computers and never connect them to an untrusted computer or one without an anti-virus. In fact, you can install USBVirusScan, a freeware tool by Didier Stevens that triggers your antivirus to scan a USB drive each time it is inserted in your computer.

USB Anti-virus Tools:

Flash/External Drive Scanning Tools:
- Malwarebytes' Anti-Malware. For USB flash drives and/or other removable drives, perform a Full scan. The option for a Flash Scan will analyze memory and autorun objects but that option is only available to licensed users in the paid version.
- Norman Malware Cleaner. For USB flash drives and/or other removable drives to scan, use the Add button to browse to the drive's location, click on the drive to highlight it and choose OK.
- Dr.Web CureIt. Choose Custom Scan after the Express Scan has finished to add your USB or external drive to the scan.
- McAfee Avert Stinger Tool.

-- As an extra precaution, hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present. Then perform your scans.

Quietman7 is the author of these instructions.
Edited by dc3, 09 May 2011 - 11:19 AM.
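
The instructions above note that autorun.inf can be legitimate, that malware uses it to add a new default context-menu command, and that a folder named autorun.inf inoculates a drive. The following Python sketch is an added example, not part of the original instructions or any tool named in them: it separates those three cases by reading the [autorun] section for keys that launch a program. The sample contents and the drive letter E:\ are constructed assumptions.

```python
import os

# Constructed samples, not taken from a real drive.
SUSPICIOUS = (
    "[AutoRun]\n"
    "; filler comment\n"
    "open=RECYCLER\\update.exe\n"
    "shell\\open\\command=RECYCLER\\update.exe\n"
    "shell=open\n"
    "icon=folder.ico\n"
)
BENIGN = "[autorun]\nicon=vendor.ico\nlabel=Backup Drive\n"

def launch_directives(text):
    """Return (key, value) pairs in [autorun] that start a program or
    change the drive's default context-menu command."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_menu_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute", "shell") or is_menu_cmd:
            found.append((key, value))
    return found

def audit_drive(root):
    """Classify the autorun.inf entry at the root of a mounted drive."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "inoculated", []          # the read-only folder trick
    if not os.path.isfile(path):
        return "absent", []
    with open(path, "rb") as fh:
        data = fh.read()
    utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = data.decode("utf-16" if utf16 else "latin-1")
    hits = launch_directives(text)
    return ("review" if hits else "cosmetic"), hits

if __name__ == "__main__":
    print(audit_drive("E:\\"))   # E:\ is an assumed drive letter
```

A "review" result lists the commands the file would run so they can be checked before anything on the drive is opened; "cosmetic" means only keys such as icon or label were found.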