Foil Conficker: Get Rid of AutoRun

OK, this doesn’t actually foil Conficker, but it does block one of its attack vectors and prevents many other threats from automatically infecting your computer too.

It is the longest-standing unpatched Microsoft vulnerability, and Microsoft calls it a “feature”. The idea of autorun is to make it so that a person can use a computer with a minimal amount of knowledge. The way autorun works is that when you use removable media, such as a USB key, a CD, etc., Windows automatically looks for a file called “autorun.inf” and, if it is there, does what the file says to do. The idea was that a user doesn’t have to know how to double-click setup.exe; they just put a CD or USB key in and the program runs itself. The problem is that the bad guys know that too and often use autorun to install malicious software as soon as a USB drive is plugged in. Conficker exploits this as well.

In 2008 more than 1 out of every 15 threats we detected were using autorun.inf to help infect users. In January, nearly 1 out of every 10 threats we detected at ESET used autorun. Microsoft does not provide a truly effective solution for disabling autorun, and the partial solution it suggests is cumbersome. My friend, Michael Horowitz, who blogs at http://blogs.computerworld.com/horowitz, recently shared a real solution with me. You can read more about it on his blog from January 30th (http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives). The fix works with XP and Vista.

Here’s where it gets a little bit techie. The fix involves creating a registry key. Michael provides a link to a program to do this on his blog, but I’ll tell you how to create the file here.

You need to use something like Notepad, or if you use Word, then you must save the file as a plain text file, not a document. The file extension must be .reg. Alternatively, you can create the registry key by hand in the Registry Editor (regedit) if you are so inclined.

Here are the contents of the registry file. You can copy and paste everything between the dashed lines into your file. You might name it, noautorun.reg, but the name isn’t as important as the final extension.

Please note, the second line wraps, but it is really a single line.

——————————————————————————————
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
——————————————————————————————

When you create and then run (double-click) the registry file, it creates a key called Autorun.inf under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping. The key’s default value (that is what the @ on the left of the = means) is @SYS:DoesNotExist. IniFileMapping is the mechanism Windows uses to redirect reads of .ini-style files into the registry: the @SYS: prefix points at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DoesNotExist, a key nobody creates, so whenever Windows looks up an entry from any file named autorun.inf it finds nothing, and the file is effectively ignored no matter which drive it sits on.

For extra security you can go to the new Autorun.inf key and set some special permissions. I go into the special permissions, add “Everyone” and then deny all access except to read and query the key. This should prevent malicious software from changing the value of the key in almost all cases. Keep in mind that a deny entry for Everyone applies to administrators too, so before you can edit or delete the key later you first have to remove that deny entry in the permissions dialog.

The Microsoft solution is ineffective and breaks Windows Media Player. When you use Microsoft’s solution, each time you change a CD for Media player you have to close and re-open Windows Media player for it to recognize the new disk. With the solution I am suggesting Windows media player still recognizes when you change a disc.

Giving credit where it is due, a guy named Emin Atac came up with this approach. There are few known side effects of this approach, and none are as bad as the side effects of allowing auto-infect, er… autorun.

To undo the modification you can manually delete the key that was created, or use the same .reg file with a minus sign placed immediately after the opening bracket of the second line, so that it begins [-HKEY_LOCAL_MACHINE\… instead of [HKEY_LOCAL_MACHINE\…; running that file deletes the key.
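As an added example (this is not code from the original post, nor from Michael Horowitz’s or Emin Atac’s writeups), here is the same change scripted in PowerShell for an elevated prompt: it creates the key and default value from the .reg file above, applies the Everyone read-only permissions described, shows that the mapping is effective by reading a constructed autorun.inf through GetPrivateProfileString (the Win32 profile API that honours IniFileMapping), and undoes everything, which is what the [-HKEY…] form of the .reg file does. The function names, the test file under %TEMP% and the exact list of denied rights are my choices, not the article’s.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on Windows. Key path and default value are the article's; function
# names, the %TEMP% test file and the denied-rights list are assumptions here.

$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-AutorunInf {
    # Create the key (harmless if it already exists) and set its default value,
    # the "@=" entry of the .reg file. "@SYS:" means "look under
    # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\", and DoesNotExist is
    # a key nobody creates, so every autorun.inf lookup comes back empty.
    New-Item -Path $AutorunKey -Force | Out-Null
    Set-ItemProperty -Path $AutorunKey -Name '(default)' -Value '@SYS:DoesNotExist'

    # Optional hardening from the article: Everyone keeps read/query rights and
    # everything that could alter or remove the key is denied. The deny entry
    # binds administrators too; Enable-AutorunInf strips it again before deleting.
    $acl  = Get-Acl -Path $AutorunKey
    $deny = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        'Everyone',
        'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $AutorunKey -AclObject $acl
}

function Test-AutorunInfMapping {
    # Writes a harmless autorun.inf under %TEMP% and reads its [autorun] "open"
    # entry through GetPrivateProfileString, which applies IniFileMapping by
    # file name. Returns whatever string the API hands back.
    if (-not ('Win32.IniFile' -as [type])) {
        Add-Type -Namespace Win32 -Name IniFile -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetPrivateProfileString(
    string lpAppName, string lpKeyName, string lpDefault,
    System.Text.StringBuilder lpReturnedString, uint nSize, string lpFileName);
'@
    }
    $dir  = Join-Path $env:TEMP 'autorun-test'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $file = Join-Path $dir 'autorun.inf'
    # Constructed sample file; "open=setup.exe" is the shape an infected stick carries.
    Set-Content -Path $file -Value "[autorun]`r`nopen=setup.exe" -Encoding Ascii
    $buf = New-Object System.Text.StringBuilder 260
    [void][Win32.IniFile]::GetPrivateProfileString('autorun', 'open', '', $buf, [uint32]$buf.Capacity, $file)
    return $buf.ToString()
}

function Enable-AutorunInf {
    # Undo. The explicit deny entry is removed first: an elevated administrator
    # can do that because the Administrators group owns a key it created, and
    # an object's owner may always rewrite its permissions. Then the key goes.
    if (Test-Path -Path $AutorunKey) {
        $acl = Get-Acl -Path $AutorunKey
        $explicitDenies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
        foreach ($ace in $explicitDenies) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -Path $AutorunKey -AclObject $acl
        Remove-Item -Path $AutorunKey -Recurse
    }
}

# Usage from an elevated prompt:
#   Disable-AutorunInf; Test-AutorunInfMapping
#   Enable-AutorunInf;  Test-AutorunInfMapping
```

Test-AutorunInfMapping is the check a practitioner wants: while autorun is active it returns the literal value written to the test file, and once the mapping is in place the same call returns an empty string, because Windows resolved the lookup through the non-existent DoesNotExist key instead of reading the file. The deny list deliberately leaves out ReadPermissions so that Get-Acl, and the permissions dialog, keep working on the key.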

If you have questions about this or any general security topics, feel free to email me at askeset@eset.com

Randy Abrams
Director of Technical Education

Author ESET Research, ESET

  • http://www.settingsbackup.com Incredible Mouse

    Small typo in the first line..

    “[..it does block one IF the attack vectors and prevents many..]”

    Should read: one OF the
    I’m being picky. Ignore me.

  • http://www.riogrande.com Richard

We just got something from “DHL” and it contained a file called DHL_HELP, that apparently DHL says has a virus. I looked on the server that was hosting the customer and it had a file called DHL_HELP.exe running. I couldn’t find any info on this, which makes me think it’s brand new. Have you guys heard of this? I was thinking it might be related to Conficker.

  • David Harley

    It’s not actually Conficker, but it’s a known Trojan Downloader. Thanks for letting us know.

  • David Harley

    Thank you, Mr. Mouse. :) Fixed.

  • Peter

    Dear Mr. Abrams,

    “[Please note, the second line wraps, but it is really a single line.

    ——————————————————————————————
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
    ——————————————————————————————]”

    Do you mean that @=”@SYS:DoesNotExist” must be typed right after ‘Autorun.inf]’ without a space.
    Please kindly instruct. Thanks.

  • Peter

    Dear Mr. Abrams,

    I found the answer from the site you mentioned:
    (http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives)

    “Note that there are three lines in the file, the middle line may wrap when displayed by a web browser, but it needs to be a single line in the .reg file.”

    Thank you.

  • DC

    “When you create and then run the registry file it create a key called Autorun.inf in HKLM/Software/Microsoft/Windows Nt/Currentversion/IniFileMapping . The value of the key is @=@SYS:DoesNotExist. ”

    Actually, the value of the key is @SYS:DoesNotExist, isn’t it?

  • Art Lewis

    Rather than asking people to make complicated registry changes themselves, why not just use Panda Security’s “vaccination” program that supposedly disables autorun? [Edited]

    DOES THIS WORK? AND DOESN’T IT DO THE SAME THING AS YOUR ADVICE, EXCEPT A LOT EASIER?

  • David Harley

    Panda’s vaccine sounds like a good idea for some people, and if you’re going to automate autorun disabling, it’s safer to go with a utility from a reputable antimalware company than with the first link you pick up off a google search, which may or may not be innocent/genuine/useful.

    I’m not going to link to this tool, because I haven’t tested it or looked at it in detail (when I upgrade to a 28 hour day, I may have time to do that…), and there are actually quite a few utilities that claim to do this. There also seems to be some confusion as to how permanent the process is in some scenarios, and sometimes you -may- need to turn Autorun back on temporarily.

  • http://www.wire-sculpture.com Jewelry Making Supplies

    In response to the post:

    We just got something from “DHL” and it contained a file called DHL_HELP, that apparently DHL says has a virus. I looked on the server that was hosting the customer and it had a file called DHL_HELP.exe running. I couldn’t find any info on this, which makes me think it’s brand new. Have you guys heard of this? I was thinking it might be related to Conficker….

    Have you seen this issue come up since, or was it only a one-time email from “DHL”. I just ask, because we recently got something very similar.

  • http://www.eset.com Randy Abrams

    A similar comment was posted quite a while back. This is a long running scam. The bad guys are always changing the malware associated with it though. The email did not come from DHL.

  • http://scottellis.org Scorellis

    I’m a little confused. I run ESet on this machine and I just plugged it in. ESet started popping an alert window telling me I had an autorun virus. This autorun file, according to ESet, tried to access the explorer.exe and one other file…I want to say it was SVCHost but don’t quote me on that. Anyway, I tried to open the file in notepad and then in a hex editor (that’s right, I read hex) and couldn’t. My assumption is that I had a virus but am also thinking that ESet is actively trying to overprotect me. I am not sure which. Please let me know which it is or direct me to the forum where I can find out? And also, how may I check and see what other sorts of things ESet has in store for my future? Perhaps they’d like to let me know how many kids I’m going to have, or where I will be working next year, or what kind of car I should buy? Or where I should shop?

  • http://scottellis.org Scorellis

    Sorry, meant to say “I just plugged a USB drive in.” Not just “it.” I’m only halfway into my second cup of coffee…

  • CaesarRupus

    Hey,
    I use a wireless net card for internet connection. After I inserted a pen drive with autorun.inf, the network gets disconnected after some time and never connects back even if I click the connect button. It has something to do with svchost.exe and I have to restart my comp every 15 minutes to connect to the internet. My antivirus Avast keeps detecting iu82.exe every now and then. Is this related? How do I solve this?

  • Randy Abrams

    I recommend you contact Alwil who make Avast. We do not offer product support through the blog, and if we did, it would not be for another vendor's product :)

  • AK_David

    First, I have a suggestion if possible: could this fix be put in ESET's products as a check box (having the program go edit the registry)? That would help many people that otherwise wouldn't see this article realize there is an easy way to make your computer much more secure. I searched around and didn't seem to find any mention of ESET products already being able to disable autorun.
    Second, has anyone tried this on Windows 7 yet? I'm new to Windows 7 and while I've heard they have improved the situation with autorun problems in it, I still don't feel safe, and looking in the AutoPlay control panel I don't even see a way to disable autorun.inf files on removable drives like USB drives etc. Is the Windows 7 setting for disabling autorun in another location? I noticed that Windows 7 help at least has a clearer definition of the difference between autorun and AutoPlay than they used to have, but they still don't appear to admit to or point out the need to disable autorun.
    Thanks for this article, even though I also read Michael Horowitz's article and the Nick Brown blog it mentions where he describes this solution of Emin Atac.  I also found it at the US-CERT gov site, I feel better using this procedure now having someone from ESET verify it.
    Thanks for your time and efforts

  • Randy Abrams

    I don't set the specs for ESET products, but I doubt we will add a feature to open regedit. If it is a problem to manually open it, then the user probably shouldn't be using it as they can break their computer if they get things wrong. ESET products do not disable autorun as autorun is a choice that users need to make for themselves. If a person wants autorun then it is not our place to say no to that.
    I will address Windows 7 and autorun in a separate blog.

  • AK_David

    Thanks for the response. I think I must have been unclear though; I did not mean for the option to just open regedit for the user. I meant for it to present a check box in the advanced settings area that stated something like:
    "Check here to Disable Autorun" – Autorun.ini files can expose your system to unnecessary risks. Most users do not need or use the functions provided with autorun so will have no harmful effects from disabling it. Un-check the box to activate autorun again if you end up needing it.
    It's somewhat of a wordy example, but I'm sure the professionals there could shorten it up a bit should the idea be implemented. It could include a link to this blog or an official ESET info page about autorun for a further, more detailed explanation of the threat and the effects disabling autorun can have. If a user checked the box, ESET could simply make sure the registry value was changed to disable autorun. I've heard of other security and anti-virus applications having a setting to disable autorun (how they go about it, registry key or otherwise, I do not know). I just know the average user won't ever read up on or understand the risk autorun poses to them, let alone be able to safely head into the registry to do anything about it. I do not even know to what level ESET monitors and protects against autorun-style attacks, but I am hoping it is very thorough in how it handles it already. By ESET reminding the customer in preferences of the risks and making it easy to fix with a simple checking of a box, it would both improve the customer's security as well as help stop the spread of malicious code out there.
    Thanks again for taking the time to respond, I look forward to reading your Windows 7 / autorun blog when you post it.  =)
    Ak_David

Copyright © 2014 ESET, All Rights Reserved.