USB's and Autoruns (autorun.inf)

Products and tips


CrossX
Bronze Member
Posts: 128
Joined: 2009 Dec 05, 21:13


Post by CrossX »

Just found on another Board (COMODO Forums) (bold and italic added by me)

http://forums.comodo.com/virusmalware-r ... 574.0.html

I wonder what the experts here (especially good old Kilmatead) think about this subject, that is "what is a good way to prevent USB sticks from being infected and/or from spreading infections via the autorun.inf file".
As we all know, it may be an old problem (one that Microsoft created when it had the inspiration to devise those, for me, useless and unnecessary autorun.inf capabilities) that unfortunately is present especially on "university" or "job" PCs where one doesn't have Administrator rights and cannot even uncheck autorun :cry:

Also the guide at Wilders Security (linked at the bottom) is very interesting, since it is a way to prevent NTFS-formatted USB sticks from being written to.
An opinion would be welcome.

All credits to spainach_12 and pandlouk  :thumbup:
spainach_12 wrote: Well, if you've been at the forums looking for solutions to this problem, you must've encountered some of my posts and requests. My bad. Didn't have enough experience then. You all should listen to SiberLynx and the guys. In this post, we will take a look at some of the misconceptions and methods of disinfection and prevention of infection, particularly for autorun-based malware, which is basically the most common problem encountered in universities, internet shops, and even in computer shops (I mean to say those that sell computers and laptops. Bought one already infected. It hasn't been touched, they said. It was just out of the box, they said).

Myth: The autorun.inf is a virus.

Truth: The autorun.inf is a system file used by Windows to automate common tasks involving external media. Technically, this is not a virus, nor was it intended to be a threat. What it is, however, is a vulnerability exploited by viruses so that, upon attaching a USB drive, Windows immediately launches the virus, allowing it to infect the host computer.

Prevention: The best method to prevent an infection via autorun.inf is to turn that feature off. Windows 7 does not automatically use the autorun.inf, which is good. For the others, you can use the free Panda USB Vaccine. For personal computers, you can simply opt to turn the autorun feature off (Google it). Of course, for university computers, you can go as far as disinfection, but not changing systems. I've done these without admin privileges, but I've seen some that wouldn't allow me to do it. The inconsistency is perplexing, so I'm warning you beforehand of the difficulties you might encounter.

DIY: You can remove and protect against autoruns on both the USB and Windows manually. This, however, requires the use of the command prompt. To do this, simply:
1. Press windows+r. The “Run” dialogue box should appear.
2. Input in the field “cmd” without the quotes.
The command prompt should appear (a window with a black background. Kinda like the one you see being used by hackers in movies).
3. Navigate to the autorun.inf. It is usually found in the primary system drive and the root directory of the USB (to locate it manually, go to Tools > Options > Under the View tab, untick Hide protected system files and then tick Show hidden files and folders > Apply then Ok. Now search for it).
4. Now delete the autorun.inf. Type in "attrib -s -h -r autorun.inf" and press Enter. The file should now be visible. You can skip this step, as on most computers it is not needed. However, it does ensure that the file can and will be deleted.
5. Then input "del autorun.inf" without the quotes.

Now to make an undeletable autorun.inf folder (a folder is much harder for the virus to find and delete. This method foils most attempts at deletion, but not all).
1. To do this, input "md autorun.inf" without the quotes.
2. Now to make this more difficult to remove, input "attrib +s +h +r +a autorun.inf" without the quotes. The folder should now become hidden (because some viruses don't place anything in hidden folders. Don't know why. Useless maybe).

Taking this a little further, we can make the autorun.inf virtually impossible to delete without a tool or a complete reformatting of the USB (don't proceed to do this on a Windows drive. It might cause conflicts. Not all systems are affected, but better not risk it if you're not yet familiar with repairing systems).
3. Navigate within the folder by typing "cd autorun.inf" without the quotes.
4. This time, make another directory. Input "md .\con\" without the quotes. The folder which will be created cannot be deleted by conventional methods. Using tools to unlock the file, including Collomb's famous Unlocker, results in a BSOD, as tested 01:10:51 AM, 09/21/11. Now viruses cannot auto-launch to infect a host PC. It does NOT, however, prevent infection. It simply prevents the virus from launching itself.


Example:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Palbie>E:

E:\>del autorun.inf → deletes the autorun.inf

E:\>md autorun.inf → creates a folder named autorun.inf

E:\>attrib +s +h +r +a autorun.inf → makes the folder attributes system, hidden, read-only, archive

E:\>cd autorun.inf → change directory

E:\autorun.inf>md .\con\ → con is a reserved Windows device name. The folder cannot be deleted conventionally.

E:\autorun.inf>exit → exits the command prompt. Input "help" without quotes for a list of commands.

Disinfecting:
The easiest would be to plug the USB into a Linux OS and then delete the suspect file. Or you can
1. go to command prompt.
2. Now input "attrib -s -h -r -a *.*" without the quotes (*.* means any file name with any extension. In other words, all files and folders).
3. Then "del virusname.extension autorun.inf".

If the host is already infected, it will be a bit more difficult.
1. Find the suspect file. This should be the priority, so you can easily delete all instances. Autoruns, startup lists, and MSConfig can help you. Don't delete anything. Just find out where they are. Usually there are three copies of the file: in the Users folder, in the main drive, and in other drives present.
2. Reboot into safe mode and repeat the process above (command prompt through deleting). To be on the safe side, run CCleaner and clean previous System Restore images.

Or if safe mode is unavailable,
1. go to command prompt.
2. Input "tasklist" and identify the virus image name.
3. Now input "taskkill /f /t /im imagename" to forcefully kill the virus process and all other processes launched by the virus.
4. Now you can proceed to cleaning/deleting the virus.

In other cases, the steps are less complicated. Simply go to Tools > Folder Options > View tab, untick "Hide extensions for known file types", then Apply. Now remove the extensions of the virus(es) and replace them with something like *.quarantine or *.p4l8!3. Reboot. Locate the renamed files, then delete them. Reboot again, then use a registry cleaner and an antivirus scanner to remove leftovers.

A variant would be using the NTFS file format. However, I've had experience, and reports from other people, that Mac and some Linux variants have difficulty reading the format, if not failing at it altogether. If you would like, loverboy posted a helpful link which would be friendlier than this:
loverboy wrote:An interesting reading about this subject
http://www.wilderssecurity.com/showthread.php?t=224516
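The post's procedure is typed into cmd step by step; as an added example (not code from the original post or from spainach_12), the PowerShell below does the same work in three named functions: it reads an autorun.inf and reports which directives (open=, shellexecute=, shell\...\command=) would actually launch something, it disables AutoRun for every drive type through the documented NoDriveTypeAutoRun policy value, and it recreates the post's "undeletable" autorun.inf folder with a reserved-name `con` subfolder. It assumes the USB stick is E: and that it is run from an elevated PowerShell on Windows 7 or later. One caveat worth knowing before relying on the folder trick: Windows 7, and XP/Vista with the 2011 AutoRun update, no longer honour autorun.inf on USB (non-optical) media at all, so on an up-to-date host the inspection function is what tells you whether a stick is carrying a launcher, and the policy setting is what protects the older machines you do administer.

```powershell
# Added example, not from the original post. Assumes drive E: and an
# elevated PowerShell. Names below are this example's own, not a tool's.

function Get-AutorunDirectives {
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'E:'
    $path = Join-Path $Drive 'autorun.inf'
    # -Force is needed because malware sets the file hidden + system.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    if ($item.PSIsContainer) { return @{ Type = 'folder'; Launches = @() } }

    $directives = @{}
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $path -Force) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $kv = $t -split '=', 2
        if ($kv.Count -eq 2) { $directives[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    # open= / shellexecute= run on insertion (where AutoRun is still honoured);
    # shell\<verb>\command= entries run from the drive's context menu / double-click.
    $launchKeys = $directives.Keys | Where-Object {
        $_ -in 'open', 'shellexecute' -or $_ -like 'shell\*\command'
    }
    return @{
        Type       = 'file'
        Directives = $directives
        Launches   = @($launchKeys | ForEach-Object { $directives[$_] })
    }
}

function Disable-AutoRunPolicy {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type.
    # Needs admin rights; takes effect at the next logon.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Protect-UsbDrive {
    param([Parameter(Mandatory)][string]$Drive)
    $dir = Join-Path $Drive 'autorun.inf'
    # A real (malicious) autorun.inf has to go first: clear attributes, then delete.
    $existing = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
    if ($existing -and -not $existing.PSIsContainer) {
        $existing.Attributes = 'Normal'
        Remove-Item -LiteralPath $dir -Force
    }
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    # 'con' is a reserved device name; the normal Win32 path parser refuses it,
    # and the \\.\ prefix is what bypasses that (the trick the post relies on).
    cmd /c "md \\.\$dir\con" 2>$null
    (Get-Item -LiteralPath $dir -Force).Attributes = 'ReadOnly, Hidden, System, Archive'
}

# Usage (elevated PowerShell, stick in E:):
$r = Get-AutorunDirectives -Drive 'E:'
if ($r -and $r.Type -eq 'file' -and $r.Launches.Count -gt 0) {
    Write-Warning "autorun.inf on E: would launch: $($r.Launches -join ', ')"
}
Disable-AutoRunPolicy
Protect-UsbDrive -Drive 'E:'
```

Run the inspection first and read what it reports before deleting anything; the value of open= or shellexecute= is usually the name of the dropped executable you will want to find and remove under "Disinfecting" above. The folder created by Protect-UsbDrive can be removed again the same way it was made, with `cmd /c rd \\.\E:\autorun.inf\con` followed by a normal `rd`.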