
Should I remove autorun.inf in my USB?


4 replies to this topic

#1 MckinleyWads


  • Members
  • 2 posts

Posted 08 October 2015 - 10:49 PM

Hello everyone,
I am worried about my USB; it has an Autorun.inf inside.
(Story)
We have a public computer cafe; we only use Deep Freeze to stop viruses on our PCs.
But I plugged my USB into some of my computers and yes, my USB is infected,
and I always remove the virus from my USB on our main computer that has antivirus (Avast).
I tried in some of the Internet and I do that.
There are some hidden Autorun.inf files in my USB and I scanned it in VirusTotal, but they said the file, or the Autorun.inf, is safe.
Should I remove it?

Mod Edit: Moved to AV and AM methods


Edited by boopme, 10 October 2015 - 07:22 PM.




#2 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts

Posted 12 October 2015 - 06:23 AM

Autorun.inf is a text-based configuration file that provides instructions for the autorun feature and contains instructions for the operating system and many external hard drives, i.e. options for how to view the contents. Essentially it is a loading point that tells the operating system which executable to start, which icon to use, and which additional menu commands to make available. When a computer detects a removable device, it searches for the autorun.inf file for further instructions and writes the values in the MountPoints2 registry key. This registry key holds cached information on every device ever connected to the computer. For flash drives and other USB storage, autorun.inf uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file.

Autorun.inf can be exploited to allow a malicious program to run automatically without the user knowing since it is a loading point for legitimate programs. Such an exploit involves malware that modifies/loads an autorun.inf file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. Since autorun.inf can be a legitimate file which other legitimate programs depend on, the presence of that file may not always be an indication of infection. Usually when it is bad, there will be other signs or symptoms of infection to include other malicious files.

Note: Some USB protection tools will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. The dummy folder is intended to provide some security against certain malware you may encounter but its presence does not guarantee full protection.

USB Protection Tools:

  • USBVirusScan
  • Ariad (AutoRun.Inf Access Denied)
  • Windows USB Blocker
  • McAfee VirusScan USB
  • MCShield Anti-Malware Tool
  • Autorun Eater
  • Autorun Protector
  • Autorun USB Virus Finder
  • USB Protector
  • Antirun to disable or manage autorun on USB drives
  • Autorun Deleter
  • USB Flash Drives Control
  • USB Defender
  • Flash_Disinfector for XP
  • Panda USB Vaccine.
    • Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not.
    • USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an Autorun.inf as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

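A read-only triage of an autorun.inf like the one discussed above, as an added example that is not part of the original posts: it parses the `[autorun]` section and lists the entries that start a program or change the drive's right-click menu. The sample file contents and the function names are constructed for illustration.

```python
import re

# Keys in the [autorun] section that name a program to launch.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command = program run when that context-menu verb is chosen.
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
# Verbs Explorer already provides; redefining them hijacks the normal action.
BUILTIN_VERBS = {"open", "explore"}


def parse_autorun(text):
    """Return {key: value} for [autorun], keys lower-cased; junk lines skipped."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage(text):
    """List (reason, key, value) findings a reviewer should look at."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS:
            findings.append(("launches a program", key, value))
        m = VERB_CMD.match(key)
        if m:
            verb = m.group(1).lower()
            reason = ("overrides built-in menu verb" if verb in BUILTIN_VERBS
                      else "adds menu command")
            findings.append((reason, key, value))
    default = entries.get("shell")
    if default:
        findings.append(("sets default double-click verb", "shell", default))
    return findings


# Constructed samples (not taken from the thread).
BENIGN = "[autorun]\nicon=drive.ico\nlabel=Backup Drive\n"
SUSPECT = ("[AutoRun]\n;junk\nopen=example.exe\nicon=folder.ico\n"
           "shell\\open\\command=example.exe\nshell=open\n")
```

An empty result means the file only sets cosmetic values such as `icon` or `label`; any finding names a file on the drive that deserves its own scan.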

#3 Didier Stevens


  • BC Advisor
  • 2,705 posts

Posted 12 October 2015 - 03:05 PM

Can you post the link to the VirusTotal analysis of this autorun.inf file?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 doveroh


  • Members
  • 29 posts

Posted 18 October 2015 - 11:35 AM

I use https://www.virustotal.com/ and upload the file there to be checked.  Or if you have the hash you can search for it.



#5 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts

Posted 18 October 2015 - 06:44 PM

Didier Stevens already provided instructions for the OP.



