Monday, October 15, 2007

Avoiding and detecting autorun.inf viruses for USB drives

I don't know if the solution I found is complete, but I’ll try to explain it, and if any of you have any suggestions to improve my method please feel free to add a comment.

I always have to save files on my USB drive from different computers and then copy those files to my own PC. The problem is that I was frequently being infected with viruses and Trojans.


This is what I found:

Sometimes when you insert a CD with software into your CD tray, that program is auto-executed or you are given the option to install it through a pop-up screen. That is possible thanks to a special file called autorun.inf (located in the root directory of the disc). Inside that file are the options that specify the program that is going to be auto-executed or the file that is going to be auto-opened, and even what is going to happen when you double-click that drive's icon (shell).

Now, when you insert a USB drive into a PC infected with a virus, the virus can create a copy of itself on your USB drive and use an autorun.inf file to try to infect any other computer you insert that USB drive into.

When you insert your USB drive, a window normally pops up; that is the autoplay function of Windows, which makes it easier to open your drive’s root directory.

Please note that there is a difference between autorun (a file, autorun.inf) and autoplay (a Windows function).

Autoplay can act on the autorun.inf file, so it’s important to disable it.

On Windows XP the autorun function for auto-executing programs (viruses in this case) on external drives is disabled (for CDs it is enabled by default). But there are ways your computer can be infected even when autorun is disabled.

A program (virus) can be auto-executed simply by inserting your USB drive into your PC (that depends on the specific virus's infection method).

Another way to infect a PC is to add a shell command to autorun.inf, so that when you double-click the icon of your USB drive in "My PC", for example, the virus is executed and installed on your PC.

More info on this link: http://www.usbhacks.com/2006/10/25/how-to-quick-intro-to-hacking-autorun-for-usb-flash-drives/

Another way a virus of this type can infect your PC through your USB drive is via “U3 enabled” USB drives, because they create a virtual CD drive, and since CD drives have autorun enabled by default there may be ways to infect your PC simply by inserting the USB drive into your PC (I’m not sure about this).


So what I did to avoid viruses was:

1. Disabling autoplay for removable drives, so that viruses won’t be auto-executed. Some may find autoplay annoying too, so here is how to disable it. This step is the most important one for avoiding viruses.

To disable autoplay, go to Start > Run and type gpedit.msc. In the window that pops up, expand the “Computer Configuration” option, then expand the “Administrative Templates” option and click once on “System”. On the right panel double-click on “Turn off Autoplay”, and on the “Setting” tab check “Enabled”, select “All drives” from the drop-down menu, then click OK.

Then on the left panel go to the “User Configuration” option, expand the “Administrative Templates” option and click once on “System”. On the right panel double-click on “Turn off Autoplay”, and on the “Setting” tab check “Enabled”, select “All drives” from the drop-down menu, then click OK.

2. Disabling autorun for CD drives (in case I insert a CD with a virus, or in case it automatically installs other kinds of software without my consent).


To disable autorun on CD drives I did this:

Go to Start > Run and type regedit, then navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom.
Double-click the Autorun value and type 0 for its value. (If it's not there, create it by selecting Edit > New > DWORD Value and typing "Autorun" for its name.)
You may have to log out and then log back in for this change to take effect.

Another way to disable autorun is to hold Shift while inserting the CD into the drive, which disables autorun only while Shift is held.

More information here: http://www.annoyances.org/exec/show/article03-018

3. To avoid shell commands, never double-click the drive icon in “My PC”: you could install a virus on your PC without even noticing it. For me this is the most important thing to do after having inserted your USB drive into another PC that could have a virus (don’t right-click the icon and select "Explore" either, because the virus may have a shell command named "explore").

4. Use the LEFT panel of “Windows Explorer” to open your USB drive (this avoids the shell commands).


Detecting and deleting the virus:

First you have to be able to view all hidden and system files.
Open any folder and on the menu bar select “Tools” > “Folder Options” > “View” tab, check “Show hidden files and folders”, uncheck the “Hide protected operating system files (recommended)” option, then click OK.

Once you can see the contents of your drive’s root directory, check whether there is an autorun.inf file in it. If you didn’t have one before, there is a chance that there is a virus on your drive. If you keep an autorun.inf file on purpose, open it and check that it hasn’t changed; in particular, look for lines like “shellexecute=” or “shell\open\command=”, or any entry you didn’t put in the file. Normally the virus deletes your file and replaces it with its own, so if, for example, you had an “icon=” line for your drive’s icon and you no longer see your custom icon when you insert the drive into a PC, your original file has been deleted; start suspecting that something is wrong and that there could be a virus.

If you find that there is a virus on your drive, first open the autorun.inf file with a text editor like Notepad; there you can find the paths of the virus files (.exe, .scr, .doc.exe, etc.).

Then delete all the files and folders the virus has created, and remember to check every folder for suspicious files that may not be listed in the autorun.inf file.

Finally delete the autorun.inf file.


Remember:

If you don’t trigger the shell command, the virus won’t be executed and won’t be installed on your PC.


Here is an example of an autorun.inf file and what can be done with it:

[autorun]
open=program.exe
label=My Drive
icon=myicon.ico
shell\install\command=program.exe
UseAutoPlay=1

open= auto-executes a program on a CD.
label= changes the drive’s label.
icon= changes the drive’s icon.
shell\install\command= a shell command that runs a program when you double-click the drive’s icon.
UseAutoPlay=1 when autoplay is enabled, auto-executes programs as soon as you insert your drive into your PC.
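The manual inspection described above (look for “open=”, “shellexecute=” or “shell\...\command=” lines you didn’t put there, then follow the paths to the virus files) can be done with a small script that reads a copy of the autorun.inf and only reports, never runs anything. This is an added example and not code from the original post. The two autorun.inf samples in it are constructed for the demonstration; the directive names it knows about are the ones shown in this post.

```python
"""Scan an autorun.inf for directives that can launch a program.

Added example: parses the [autorun] section, flags every directive that
makes Windows run something (open=, shellexecute=, shell=, shell\\<verb>\\command=,
UseAutoPlay=) and lists the files those directives point at, so they can be
checked and deleted by hand. The samples below are constructed, not real.
"""
import re
from typing import Dict, List, Set, Tuple

# Directives that make Windows run a program on their own.
AUTO_EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... adds or overrides a verb on the drive's right-click menu
# (for example "explore", which the post warns about).
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")
# Pulls the program path out of a command line: a quoted path or the first token.
PROGRAM_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lowercase-key -> value.

    Other sections and ';' comment lines are skipped. Keys are lowercased
    because Windows treats them case-insensitively.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def find_suspicious(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, value, reason) for each directive that can run code.

    label= and icon= are cosmetic and are not reported.
    """
    findings: List[Tuple[str, str, str]] = []
    for key, value in entries.items():
        if key in AUTO_EXEC_KEYS:
            findings.append((key, value, "runs a program when autorun/autoplay fires"))
        elif key == "useautoplay":
            findings.append((key, value, "requests autoplay handling for this drive"))
        elif key == "shell":
            findings.append((key, value, "changes which verb a double-click on the drive runs"))
        else:
            match = SHELL_COMMAND_RE.match(key)
            if match:
                verb = match.group(1)
                findings.append((key, value, f"'{verb}' on the right-click menu runs this command"))
    return findings


def referenced_programs(entries: Dict[str, str]) -> Set[str]:
    """Paths named by open=, shellexecute= and shell\\<verb>\\command= directives."""
    programs: Set[str] = set()
    for key, value in entries.items():
        if key in AUTO_EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            match = PROGRAM_RE.match(value)
            if match:
                programs.add(match.group(1) or match.group(2))
    return programs


def scan(text: str) -> Dict[str, object]:
    """Convenience wrapper: parse once, return both findings and referenced files."""
    entries = parse_autorun(text)
    return {"suspicious": find_suspicious(entries), "programs": referenced_programs(entries)}


# Constructed sample: the kind of file a USB virus leaves behind. The "explore"
# verb is overridden so that right-click > Explore also runs the payload.
INFECTED_SAMPLE = """[autorun]
open=setup.exe
icon=drive.ico
label=Backup
shell\\explore\\command="hidden\\update.exe" -q
shell=explore
UseAutoPlay=1
"""

# Constructed sample: a legitimate autorun.inf that only sets a label and icon.
CLEAN_SAMPLE = """[autorun]
label=Backup
icon=drive.ico
"""

if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = scan(sample)
        print(f"{name}: {len(result['suspicious'])} suspicious directive(s)")
        for key, value, reason in result["suspicious"]:
            print(f"  {key}={value}  <- {reason}")
        for program in sorted(result["programs"]):
            print(f"  check and delete: {program}")
```

To use it on a real drive, pass the text of the autorun.inf to scan() (for example by reading the file from the drive with a text editor or a script); the script only inspects the text, it never executes the programs it names, and deleting them is still the manual step described above.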

Update: This applies to Windows XP and maybe some previous versions of Windows.

Also, Windows Vista and Windows 7 are safer when it comes to inserting an infected drive into your computer, but you still have to be sure about any program you let autoplay execute, and also be careful with any shell command trying to trick you.

1 comment:

Anonymous said...

Interesting to know.