Sunday, October 3, 2010

Autorun, a bungee jumping for viruses

Today many kinds of malware use the Autorun function in Windows to execute their code. They usually put an "autorun.inf" file in the root of any drive they can reach.
If you want to prevent it from creating that file, one idea is to create a folder named "autorun.inf" yourself. That way the malware can't create the autorun.inf file, because there is already a file with the same name there (yes, a folder is a kind of file). This may keep your own hard drives and flash drives from getting infected, but what about other people's flash drives? And what if the malware simply replaces your folder with its own file, huh?!
So here are two more effective methods.

Method 1: If you want to disable the Autorun function effectively, you can use Nick Brown's idea. Follow the instructions below:

1- First, if you have set any value for NoDriveTypeAutoRun (you probably changed "95 0 0 0" to "91 0 0 0" to disable the Autorun function), delete that value, because it is not really going to help you!
2- You can disable the Autorun function by downloading and running this file:

http://www.4shared.com/file/qaA2sIZE/disAutorun.html

The file above is just a .reg file (inside the rar archive) that adds a key with a value to the Windows registry. Instead of using the file you can modify the registry manually. To do this, follow these simple steps:

  1. Run regedit.exe from Start -> Run, or from the Start search box in Windows Vista/7.
  2. Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\", add a new key and name it "autorun.inf".
  3. Inside it there is a string value named "(Default)". Double-click it (or right-click it and choose Modify) and change the Value data to "@SYS:DoesNotExist".

The "autorun.inf" file is a standard Windows INI file, so Windows uses the INI-file API calls when it reads its settings. Those API calls can be redirected with the INI file mapping mechanism. In this case the mapping says: "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." Since that key does not exist, Windows finds no Autorun settings at all, whatever the file on the drive contains.

This method is the best for XP, and it works in Windows Vista or 7 too.

Method 2: In Windows Vista/7 you can also use Group Policy to disable the Autorun function. To do this, follow the instructions below:
  1. Click Start, type Gpedit.msc in the Start Search box, and then press ENTER. If you are prompted for an administrator password or for confirmation, type the password, or click Allow.
  2. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
  3. In the Details pane, double-click Turn off Autoplay. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
  4. Restart the computer.
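Here is an added PowerShell script (not part of the original post, not Nick Brown's code, and not the .reg file linked above) that applies Method 1 and audits the state of both methods on a machine. It assumes exactly the key and value named in Method 1, and it assumes that the Method 2 policy "Turn off Autoplay" with "All drives" is stored as NoDriveTypeAutoRun = 0xFF under the Policies\Explorer key, as Microsoft KB 967715 (linked below) describes. It never creates the "DoesNotExist" key; the whole point is that the key is absent.

```powershell
# Added example, not from the original post: apply Method 1 and audit both methods.
# Run from an elevated PowerShell prompt (the keys live under HKLM).
# Assumptions: Method 1 key/value exactly as in the post; Method 2 "Turn off Autoplay /
# All drives" is stored as NoDriveTypeAutoRun = 0xFF under Policies\Explorer (KB 967715).

$MappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\autorun.inf'
$Redirect   = '@SYS:DoesNotExist'
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-AutorunIniMapping {
    # Method 1 check: the key exists and its (Default) value is exactly the redirect string.
    if (-not (Test-Path -LiteralPath $MappingKey)) { return $false }
    $default = (Get-ItemProperty -LiteralPath $MappingKey).'(default)'
    return ($default -eq $Redirect)
}

function Set-AutorunIniMapping {
    # Method 1 apply: the same change the regedit steps (or the .reg file) make.
    if (-not (Test-Path -LiteralPath $MappingKey)) {
        New-Item -Path $MappingKey -Force | Out-Null
    }
    # '(default)' addresses the key's default value, i.e. the "(Default)" entry in regedit.
    Set-ItemProperty -LiteralPath $MappingKey -Name '(default)' -Value $Redirect
}

function Get-NoDriveTypeAutoRun {
    # Reads NoDriveTypeAutoRun as an integer whether it is stored as REG_DWORD or as
    # REG_BINARY (regedit shows the binary form as "95 00 00 00"). Returns $null if unset.
    $v = (Get-ItemProperty -LiteralPath $PolicyKey -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $v) { return $null }
    if ($v -is [byte[]]) { return [int]$v[0] }   # low byte holds the drive-type bits
    return [int]$v
}

function Test-AutoplayPolicyAllDrives {
    # Method 2 check: "Turn off Autoplay" for all drives sets every drive-type bit (0xFF).
    $n = Get-NoDriveTypeAutoRun
    return (($null -ne $n) -and (($n -band 0xFF) -eq 0xFF))
}

function Get-AutorunStatus {
    # One object summarising both controls, suitable for a quick audit or a logon script.
    $n = Get-NoDriveTypeAutoRun
    $shown = if ($null -eq $n) { '(not set)' } else { '0x{0:X2}' -f $n }
    [pscustomobject]@{
        IniMappingInPlace    = Test-AutorunIniMapping     # Method 1
        NoDriveTypeAutoRun   = $shown                     # raw value, for comparison with the post
        AutoplayOffAllDrives = Test-AutoplayPolicyAllDrives  # Method 2
    }
}

# Usage:
#   Get-AutorunStatus                         audit only, changes nothing
#   Set-AutorunIniMapping; Get-AutorunStatus  apply Method 1, then confirm
Get-AutorunStatus
```

The audit function only reads the registry, so it is safe to run on a machine you are checking before deciding which method to apply; only Set-AutorunIniMapping writes anything, and it writes just the one key from Method 1.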

Of course, there are other ways to disable the Autorun function or prevent unwanted AutoPlay; for example, you can rely on an anti-virus product or whatever else. But I think these methods are more secure and effective.

More info on:
http://antivirus.about.com/od/securitytips/ht/vista_autorun.htm
http://support.microsoft.com/kb/967715
http://cleanbytes.net/disable-autorun-to-prevent-computer-virus-infections-usb-flash-drives-threats
http://techblissonline.com/disable-autorun/