

Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA

Disabling 'Autorun' on USB and beyond. Need help.

Ok, I recently inserted a friend's USB stick into my laptop to copy some PDF files to my desktop.
Before I could open the folders contained in the USB, a warning came up from my resident virus scanner that it had detected some 'Troj???.exe' file, and it had deleted it!
(Later I did a full scan, nothing is infected now, the laptop's clean)
So, I came across a tip on the net about TweakUI, and have disabled autorun/autoplay for my DVD and USB drives.
My question is, without autorun, will the virus automatically run once I manually open the folder in the USB drive?
AND
Is it a good idea to disable autorun on ALL drives, including the operating system drive? Will Windows (XP Pro+SP2) be affected adversely by this?
Please help!
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html


no_one

@QWEST.NET

To me, you need one safe, very locked-down computer for secure bank transactions etc. Then a fun but less secure computer with backups (backups on the secure one also), or that VM computer for fun stuff.
Will the condom break, is it made in China, is the girl so crazy it comes off.
You need a virgin clean computer, then a nasty computer as secure as you can make it, but if it all blows up, image it back.


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland


3 edits
reply to Shriyash
said by Shriyash:
My question is, without autorun, will the virus automatically run once I manually open the folder in the USB drive?
No, it won't run. However, antivirus might still spot it on the stick, since its resident scanner might still scan it, even if you don't run it.

quote:
Is it a good idea to disable autorun on ALL drives, including the operating system drive? Will Windows (XP Pro+SP2) be affected adversely by this?
It's a very good idea and it has no bad effects. I'm not sure what you mean by disabling autorun on the operating system drive...you can only disable it generally on CD/DVD/USBs...

It's also advisable to disable FireWire ports, since FireWire can be used for many, many nasty things.


Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA

Ok, snapshots will be better.
In the first pic, the options are checked by default.
In the 2nd pic, I have disabled Autoplay in the G: and H: drives, which are my DVD and USB drives respectively.
In addition, in pic 3, I have unchecked the 2 options seen.

So you are saying that even if I uncheck Autoplay in the C: D: E: and F: drives (shown in the first pic) it should be ok?

Also, yes, the scanner might still detect it,
but the Trojan won't automatically run, right,
because that autorun.inf file, even though present in the USB stick, is hereby prevented from running. (?)
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html


Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA

reply to Shriyash
For those interested in Tweak UI and other 'Microsoft PowerToys for XP', you can get them here:
»www.microsoft.com/windowsxp/down···oys.mspx
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html


EGeezer
Summertime -
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

reply to Shriyash
AutoRUN is not the same as autoPLAY. I suggest a full read of the topic »Blocking autorun
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

mysec
Premium
join:2005-11-29

reply to Shriyash
said by Shriyash:

So you are saying that even if I uncheck Autoplay in the C: D: E: and F: drives (shown in the first pic) it should be ok?...

because that autorun.inf file, even though present in the USB stick, is hereby prevented from running. (?)

For any drive disabled, an AutoRun.inf file will not run from the root of that drive.

I've tested with both types of AutoRun.inf files:



Another test is to insert a CD installation disk that has an AutoRun.inf file. The setup.exe file will not automatically start if your CD drive is disabled in TweakUI.


----
rich


Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA

reply to EGeezer
OH!
I didn't realize that Autorun is NOT the same as Autoplay
Thanks for posting this link EGeezer.
»windowssecrets.com/comp/071108
Quote from the above website:
...Unfortunately, simply turning off AutoPlay, a separate feature, isn't enough to prevent AutoRun from introducing a rogue program into your system.
...In XP, you can change the defaults for AutoPlay on a given drive by right-clicking the drive in Windows Explorer and choosing Properties. Click the AutoPlay tab and use the controls there to change the settings for different types of media.
Making changes in this dialog box, however, has no effect in preventing autorun.inf from being executed.
And here's the solution too.
(quoted from the article).

Block AutoRun for all devices all the time

You might think that you could protect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun.

However, self-described "low-budget hacker" Nick Brown points out that these keys can be overridden. A Registry key named MountPoints2 stores information about all USB flash drives and other removable media that have ever been connected to your computer. Brown says this cache overrides the Registry settings that turn off AutoRun.

The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. Here's the procedure:

Step 1. Start Notepad or another text editor.

Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets should be all on one line):

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension.

Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry.

The next time you insert a flash drive, CD, DVD, or other removable disc into your system, Windows will not execute the information in any autorun.inf file that may be present.

Naturally, taking these steps means that the next time you put a game or installer disc into your CD or DVD drive, its software won't launch automatically. You'll have to open a Windows Explorer window or use a command line to launch the desired executable.

The benefit is a big one: a rogue program that you never intended to launch won't silently take over your system if you happen to insert a Trojan-carrying disc into a drive.


Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA

reply to mysec
Thanks mysec, but I realised after reading that article that even if Autoplay is disabled, if you manually double-click on the DVD/CD, it may still be possible for the Autorun.inf thing to be launched!
So, permanently blocking Autorun is a better idea in situations like mine.
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html


Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA


1 edit
reply to Shriyash
Err, I'm a little confused as I go thru this thread here, especially in the end
»Blocking autorun

In my situation,
where I foresee myself inserting new USBs in the future,
will the solution quoted above by me (about creating the NoAutoRun.reg file) suffice to block Autorun and thus not allow the Trojan/virus to automatically execute itself?
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html

OZO
Premium
join:2003-01-17

reply to EGeezer
Yes, it's important to distinguish Autoplay from Autorun.

Autoplay is the way of starting a (default) application from your computer based on the type of content in the attached drive. You may keep Autoplay always 'on' without ill effects.

Autorun, on the other hand, is very dangerous and actually is an automatic way to be infected by potential malware. That's because by allowing Autorun you allow automatic execution of an application residing on the newly attached media (e.g. USB drive).

To block Autorun from unexpected execution of potential malware you may want to change this registry value:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:B1

Unfortunately, even with this setting (and due to the current implementation of this feature by m$) there are still risks of running malware. Read this post of mine, which explains my point in some detail.

--
Keep it simple, it'll become complex by itself...


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to Shriyash
Here are some HijackThis logs and a fix to illustrate the problem some users out there are having with this packer..

Bloodhound.Packed.Jmp Infection
»www.symantec.com/business/securi···-5627-99

That is being used to carry this badboy...

W32/Autorun.worm.bx
Overview -
This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

»vil.nai.com/vil/content/v_144151.htm

In a blended threat...

»gladiator-antivirus.com/forum/in···ry201354

»www.bleepingcomputer.com/forums/···798.html

where this is added to their system

C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
F:\Autorun.inf

with a lot of other crap.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
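A triage helper for the kind of file list in the post above, added here as an example (it is not code from any poster or vendor): it picks out `Autorun.inf` files sitting in a volume root and lists the commands such a file would ask Windows to launch. The function names and the sample `autorun.inf` text are constructed for illustration.

```python
import re

# Keys in the [autorun] section that name a program for the shell to start.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
ROOT_INF = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)

def autorun_commands(text):
    """Return (key, command) pairs that an autorun.inf asks Windows to launch."""
    found, section = [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:   # other sections are ignored
            key, _, value = line.partition("=")
            if LAUNCH_KEYS.match(key.strip()):
                found.append((key.strip().lower(), value.strip()))
    return found

def root_autorun_files(paths):
    """Pick out autorun.inf files that sit in the root of a volume."""
    return [p for p in paths if ROOT_INF.match(p.strip())]

# File list quoted in the post above.
REPORTED = [r"C:\Autorun.inf", r"C:\WINDOWS\system32\amvo.exe",
            r"C:\WINDOWS\system32\amvo1.dll", r"D:\Autorun.inf", r"F:\Autorun.inf"]

# Constructed sample: the kind of autorun.inf an installer CD carries.
SAMPLE_INF = """[AutoRun]
; constructed sample, not taken from any real disc
open=setup.exe
icon=setup.exe,0
shell\\install\\command=setup.exe
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    print(root_autorun_files(REPORTED))
    for key, cmd in autorun_commands(SAMPLE_INF):
        print(f"{key} -> {cmd}")
```

An `Autorun.inf` in the root of a fixed disk such as C: is the part worth flagging, since installers have no reason to put one there.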

mysec
Premium
join:2005-11-29

reply to Shriyash
said by Shriyash:

Thanks mysec, but I realised after reading that article that even if Autoplay is disabled, if you manually double-click on the DVD/CD, it may still be possible for the Autorun.inf thing to be launched!
So, permanently blocking Autorun is a better idea in situations like mine.

That article is talking about changing the defaults for AutoPlay on a given drive by right-clicking the drive in Windows Explorer and choosing Properties.

Forget about AutoPlay vs AutoRun.

You are concerned about preventing the AutoRun.inf file from executing any command.

With the drive disabled in TweakUI for WinXP the AutoRun.inf file will not do anything.

To test, insert an installation CD that runs a setup.exe or install.exe file, first with the CD drive enabled in TweakUI and watch your setup.exe file run.

Repeat the test with the CD drive disabled in TweakUI and the setup.exe file will not run.

Double-click the drive icon in My Computer and it will not run.

This applies also to U3 type USB drives


----
rich


EGeezer
Summertime -
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

reply to Shriyash
said by Shriyash:

OH!
I didn't realize that Autorun is NOT the same as Autoplay
Thanks for posting this link EGeezer.
Well, I can't take full credit for the distinction between the two - Wildcatboy and NickBrown's posts in particular provided me with a better understanding of the two functions (although we might vary on our opinions of how much of an exposure autorun may be).
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


EGeezer
Summertime -
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

reply to Shriyash
Related articles

How many folks, when finding - or given - a free USB drive with a well-known vendor logo on it would fail to stick it in a PC at some point?

How many, when given a new digital picture frame would fail to plug it into the USB port of their PC as instructed in the accompanying documentation?

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.
Although this was done in 2006, I'd surmise this would still work in many instances.

See article here.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


planet

join:2001-11-05
Olmsted Falls, OH
·Cox HSI

reply to mysec
Re: Disabling 'Autorun' on USB and beyond. Need help.

said by mysec :
With the drive disabled in TweakUI for WinXP the AutoRun.inf file will not do anything.
I'm not sure I understand this. Doesn't TweakUI only disable autoplay on the drive? TweakUI isn't disabling the drive? So, wouldn't autorun still be an issue? If you are correct then using Tweak UI is the simplest solution to preventing autorun for me.

OZO
Premium
join:2003-01-17

No, TweakUI is not disabling the drive and TweakUI may be the best solution for you (personally I prefer to collect all such settings in a reg file that I'll execute at a new OS re/installation time).

When you apply TweakUI (clear the "Enable Autoplay for removable drives" checkbox, see the last picture), all it does is change the registry value that I mentioned in this post. The only difference is that it changes the setting in HKCU (Current User) and not HKLM (Local Machine) as I mentioned, and, keep in mind, the Local Machine key has priority for that particular setting. It will protect your computer from Autorun executing some program from the new media when you insert it. But, again, in some cases you will be able to start that malware without your actual intent to do so (see my reference earlier).
--
Keep it simple, it'll become complex by itself...

mysec
Premium
join:2005-11-29

reply to EGeezer
Re: Related articles

said by EGeezer:

Although this was done in 2006, I'd surmise this would still work in many instances.

See article here.

I mentioned in another thread a comment I made two years ago regarding this parking lot baiting, that it showed that

1) people are gullible

2) the computers involved had no protection against installation of unauthorized executables by remote code execution

said by EGeezer:

How many, when given a new digital picture frame would fail to plug it into the USB port of their PC as instructed in the accompanying documentation?

I would plug it in -- why not?

These digital media exploits are no different than any other exploit using remote code execution -- it's just that the re-emergence of the AutoRun.inf file as the trigger (remember floppy disk exploits?) has created all sorts of media sensation.

Even in this forum, Picture Frame Trojan unstoppable!!!

How is AutoRun.inf as a trigger any different than iFrame, or animated cursor (.ani) etc, etc? They are all nullified by preventing non-White Listed executables from installing. That is the final stop gap.

For those wanting to block the AutoRun.inf file from executing, there are two sure ways, to recap:

1) The IniFileMapping\AutoRun.inf key which tells Windows that AutoRun.inf file does not exist

2) Using TweakUI to disable the drive from Auto-running anything. More in next post.


----
rich

mysec
Premium
join:2005-11-29


1 edit
reply to planet
Re: Disabling 'Autorun' on USB and beyond. Need help.

said by planet:

said by mysec :
With the drive disabled in TweakUI for WinXP the AutoRun.inf file will not do anything.
I'm not sure I understand this. Doesn't TweakUI only disable autoplay on the drive? TweakUI isn't disabling the drive? So, wouldn't autorun still be an issue? If you are correct then using Tweak UI is the simplest solution to preventing autorun for me.

The labeling in TweakUI is misleading.

The section AutoPlay|Drives controls the NoDriveAutoRun Registry Key at

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Open to this Key and watch the binary value change as you check|uncheck a drive letter in TweakUI.

When you uncheck the CDROM or USB drive letter to disable it, nothing will AutoRun from that drive.

To prove this, you can insert an installation CD which Auto runs a setup.exe file, and watch the
Shell\Autorun\Command entries written to the Drive in the Mountpoints2 Registry Key at

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

Here is an installation CD with this AutoRun.inf file:


I insert the CD with the CD drive enabled in TweakUI.

Windows reads the AutoRun.inf file, writes the Shell\AutoRun\Command to the Registry:


___________________________________________________________

and setup.exe launches -- well, it attempts to launch, but because it is not on my White List,
it can't run without my permission:


___________________________________________________________

Now, with the drive disabled in TweakUI I insert the CD: the Autorun.inf file cannot be read and nothing is written to that drive Key, so nothing can tell setup.exe to run:


________________________________________________________

The other setting in TweakUI is Autoplay|Types which controls the values in NoDriveTypeAutoRun at

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

You can watch the changes (0b1 and 0b5) as you uncheck the boxes in TweakUI.

Ozo has covered this Registry Key in above post, and has some reservations about it. With the drive types unchecked, I have found it to prevent AutoRun.inf from executing in the tests I've run -- even using Shell commands in the AutoRun.inf file -- but will defer to his reservations.

Disabling the Drive does prevent in all cases.

These are the tests I ran with several digital picture frame exploits analyzed by TrendMicro using the exploit AutoRun.inf file and a real trojan:

»www.urs2.net/rsj/computing/tests/auto-inf/

My conclusions:

1) White List security measures for absolute protection against installation of malware executables by remote code execution.

2) TweakUI to disable the drive in Autoplay|Drive if you want to prevent the drive from executing the AutoRun.inf file.


----
rich
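To make the registry values in this thread readable (the `NoDriveTypeAutoRun` value `B1` posted earlier, the `0b1` and `0b5` changes and the per-drive `NoDriveAutoRun` mask described above, and the `IniFileMapping\Autorun.inf` entry from the quoted article), here is an added example that audits a registry export; it is not code from any poster. The drive-type bit table is Microsoft's documented one; the function names and the sample export are constructed, and applying HKLM-over-HKCU priority to `NoDriveAutoRun` as well is an assumption.

```python
# Microsoft's documented NoDriveTypeAutoRun flags: one bit per drive type.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "cdrom", 0x40: "ramdisk",
                   0x80: "reserved"}
EXPLORER = r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER"
INIMAP = (r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT"
          r"\CURRENTVERSION\INIFILEMAPPING\AUTORUN.INF")

def blocked_types(mask):
    """Drive types for which a NoDriveTypeAutoRun value turns AutoRun off."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]

def blocked_letters(mask):
    """Drive letters turned off by NoDriveAutoRun (bit 0 = A:, bit 25 = Z:)."""
    return [chr(ord("A") + i) + ":" for i in range(26) if (mask >> i) & 1]

def parse_reg(text):
    """Parse REGEDIT4-style export text into {KEY: {value_name: int or str}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"').lower()
            if data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif data.lower().startswith("hex:"):    # REG_BINARY, little-endian
                raw = bytes(int(b, 16) for b in data[4:].split(",") if b.strip())
                current[name] = int.from_bytes(raw, "little")
            else:
                current[name] = data.strip().strip('"')
    return keys

def audit(text):
    """Summarise which of the thread's three AutoRun controls are in effect."""
    keys = parse_reg(text)
    hklm = keys.get("HKEY_LOCAL_MACHINE" + EXPLORER, {})
    hkcu = keys.get("HKEY_CURRENT_USER" + EXPLORER, {})
    # Per the thread, HKLM takes priority for NoDriveTypeAutoRun; the same
    # order is assumed here for NoDriveAutoRun.
    types = hklm.get("nodrivetypeautorun", hkcu.get("nodrivetypeautorun"))
    drives = hklm.get("nodriveautorun", hkcu.get("nodriveautorun"))
    mapped = keys.get(INIMAP, {}).get("@", "")
    return {"inf_mapping_blocked": str(mapped).lower() == "@sys:doesnotexist",
            "types_off": None if types is None else blocked_types(types),
            "drives_off": None if drives is None else blocked_letters(drives)}

# Constructed sample export: G: and H: turned off, type value 0xB5.
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5
"NoDriveAutoRun"=hex:c0,00,00,00
"""
```

Decoded this way, `0xB1` leaves the removable-drive bit (`0x04`) clear, while `0xB5` sets it.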


Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA

reply to mysec
Re: Related articles

said by mysec:

For those wanting to block the AutoRun.inf file from executing, there are two sure ways, to recap:

1) The IniFileMapping\AutoRun.inf key which tells Windows that AutoRun.inf file does not exist

2) Using TweakUI to disable the drive from Auto-running anything.
Got it.