Prevent Autorun-driven Virus Infections

USB flash drives (UFDs) and portable hard disk drives (HDDs) are commonplace today as PCs and digital media take over the market. But as the ease of use and portability of UFDs and HDDs [and of the digital content on them] increase, so does the spread of malware[1] through them. There are several ways to prevent this,[2] with or without the help of an AV product.

Case 1: Clean PC+AV, Infected UFD/HDD; Automatic

This is the easiest, though not necessarily the best, solution[3] for detecting and cleaning autorun-driven malware.

  1. Update the anti-virus product on your computer before plugging in the portable drive.
  2. Do not open the drive contents after plugging it in.
  3. Scan your portable drive for malware immediately.
  4. Clean all infections found by your anti-virus.

Case 2: Clean PC, Infected UFD/HDD; Manual

In some cases an anti-virus product or an update is not available, or the anti-virus product is simply not strong or smart enough.[4] We can then do a manual search-and-destroy for the malware.

  1. Plug the drive into your computer.
  2. Use the Folders Explorer Bar[5] to open the drive contents in Windows Explorer, instead of double-clicking the drive icon in the main window; or
  3. Right-click the drive icon in the main window and select Explore or Open, not Autoplay or Autorun.
  4. Look for the file named autorun.inf.
  5. Open the file in Notepad or the text editor of your choice.
  6. Take note of the line that says open=<path\filename.ext>, where <path\filename.ext> is the location of the malware itself.
  7. Locate the malware and delete it along with the autorun.inf file.

Case 3: Infected PC

You would know that your PC is already infected when it automatically copies the malware and the autorun files to your portable drives. If your AV software couldn’t clean your system of it, or if you have none, consider browsing the Web for manual detection and cleaning procedures, as the different variants, and therefore the locations of their files, would be hard to summarize in this post. Try Trend Micro‘s Virus Encyclopedia.

Case 4: Clean PC and UFD/HDD; Prevention

Here’s the nifty part: this is based on a hack from a friend who works at an anti-virus company.

  1. Create a folder on the root of your portable drive.
  2. Rename it as autorun.inf.
  3. Right-click on the folder, and click Properties. Alternatively, select the folder, then go to the File menu, and select Properties. KB shortcut: [Alt]+F, R
  4. Under the General tab, on the Attributes section, check Read-only and Hidden. KB shortcuts: [Alt]+R, and [Alt]+H, respectively

The above instructions prevent other infected computers from copying an autorun directive to your portable drive, because a file cannot be created with the same name as an existing folder. It doesn’t necessarily mean an instance of the malware itself would be prevented from being copied as well. It just protects you from your own muscle memory of instantly double-clicking the drive icon to open the contents, which, with an autorun.inf present, would instead run the malware and install it on your clean PC.
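As an added example (not the post’s own procedure, nor code from any AV product), here is a Python script that combines the Case 2 and Case 4 checks: it parses an autorun.inf for the open= line and, going beyond the post, the other launch keys the format supports (shellexecute= and shell\<verb>\command=), classifies a drive root as guarded, carrying an autorun.inf file, or clean, and can create the read-only, hidden autorun.inf guard folder. The sample autorun.inf and the paths in it are constructed.

```python
import os
import re
import sys
import tempfile
# Launch keys inside [autorun]: open= is the one the post describes; shellexecute=
# and shell\<verb>\command= are the other keys Windows would act on.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.I)

def launch_targets(inf_text):
    """Return (key, target) pairs found in the [autorun] section of an autorun.inf."""
    targets, in_autorun = [], False
    for line in (l.strip() for l in inf_text.splitlines()):
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("["):                  # section header
            in_autorun = line.lower() == "[autorun]"
            continue
        m = LAUNCH_KEY.match(line)
        if in_autorun and m:
            targets.append((m.group(1).lower(), m.group(2)))
    return targets

def triage_root(root):
    """'guarded' (Case 4 folder in place), 'autorun-file' (Case 2 situation) or 'none'."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "guarded", []
    if os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return "autorun-file", launch_targets(fh.read())
    return "none", []

def install_guard(root):
    """Case 4: create the autorun.inf folder at the root; read-only + hidden on Windows."""
    path = os.path.join(root, "autorun.inf")
    os.makedirs(path, exist_ok=True)
    if sys.platform == "win32":
        import ctypes                             # FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x1 | 0x2)
    return path
# Constructed sample in the shape the post's Case 2 describes (the paths are made up).
SAMPLE_INF = ("[autorun]\nicon=drive.ico\nopen=RECYCLER\\S-1-5-21\\setup.exe\n"
              "shell\\open\\command=RECYCLER\\S-1-5-21\\setup.exe\n")
def self_check():
    """Triage two constructed temp roots: one guarded, one carrying SAMPLE_INF."""
    guarded, infected = tempfile.mkdtemp(), tempfile.mkdtemp()
    install_guard(guarded)
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_INF)
    return triage_root(guarded), triage_root(infected)
```

Run triage_root("E:\\") (or whatever your drive letter is) before opening the drive; a result of "autorun-file" lists the paths you would delete in Case 2 step 7, and "none" means install_guard can be applied.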

Footnotes:

  1. ^ malicious software; collective term for viruses, worms, trojan horses, spyware, et al.
  2. ^ Cases assume you’re on the virus-prone Microsoft Windows platform.
  3. ^ Your AV would probably delete only the instances of the malware and not the autorun.inf file, since autorun.inf is intended as a convenience feature for legitimate software manufacturers. You can safely delete the autorun file manually.
  4. ^ This pertains to my experience with a fully-updated AVG Anti-Virus Free Edition on my classmate’s notebook, which was not able to detect a simple autorun-driven malware.
  5. ^ If not visible by default, go to View on the menu bar, locate Explorer Bar, and then check Folders. KB shortcut: [Alt]+V, E, O

19 Replies to “Prevent Autorun-driven Virus Infections”

  1. I needed that… c=
    I have an anti-virus, I update it every week.. but still, a little more info wouldn’t hurt.. 🙂

  2. That reminds me of paper season back in college! hehehe!

    I’ll do those tips of yours right now. hehehe!

  3. As I have nothing beneficial to contribute to this entry and since I just feel like, well, bitching, allow me to say that you just missed me wearing my expensive waterproof thong! It’s only a one-day thing, dont ya know!? And hell no, I didn’t feel cold or anything. I guess the thong rendered my entire system cold proof or something. It isn’t expensive without the extra perks!!! Ktnxbai!!! ;-p

  4. @Jane: No problem 😉

    @July: You and your “piz”. LOL

    @Ate Lei: Printing and printing from infected UFDs? We were the same when we had a formal report. 😀

    @Tala: Cold proof? Well, I’d say your expensive thong is worth every buck. Heh 😛

  5. Hmm, your post is half-baked. Not enough homework done I reckon, and not enough testing (although the testing part is understandable, software costs a fortune). I’d like to point out that a clean computer that is introduced to an infected USB flash drive will get infected the moment you plug it in, specifically because of the autorun feature built into Windows. You have to disable autorun prior to plugging in the infected flash drive. Second, most people who use free antivirus programs are unaware that the companies providing such give no assurance that their products work flawlessly. Once a computer is infected with certain flash-drive trojans, those free antivirus programs are useless against preventing the computer from infecting other devices attached to it. Nevertheless, you did try so I’d give you credit for that. By the way, PFD is a more suitable acronym for flash drives. It stands for “prostitute flash drive” hehe, which is pretty much what they are with the careless attitude people have with regards to PC security. I heard from my cousin about that uni where even the moron illiterate lecturers carelessly infect students’ PFDs; and she’s taking a computer course haha!!! At “the most reputable engineering school” at that!!! My point is, regardless of age, we all have a lot more to learn about computers, and will never run out of new things to learn about them. 73’s to you folks!

    P.S. I love hatemail, but I never underestimate the power of a fool with spamming software. So I’ll just pop by here regularly to see if anyone repudiates my remarks.

  6. Most users I know run Windows XP which, in my experience, asks the end user first if he/she would like to play media files (if there are any), view photos in a slideshow (if there are any), open the folder to view files, or run the software contained inside (when there is an autorun.inf file), among others—a feature called Autoplay, which is similar to, but different from, Autorun.

    So, I guess it wouldn’t immediately install the virus from an infected UFD the moment you plug it in. Unless, of course, you double-click the drive icon, and activate the default option of Autorun. My PCs would be infected from a lot of my friends’ UFDs otherwise.

    Do your homework.

  7. It sucks!!!
    You said it a bit correctly!
    But MIND, autorun.inf is bootable malware, it just fucks the registry, you can’t do anything by using XP….
    The only way to get rid of this sting is to use Linux and then edit the registry; that’s the only way to kick the ass of that bitch “autorun.inf”

  8. Edit the registry from Linux? Yeah right….
    Anyway, you can override the Windows XP autorun feature if you keep the Shift button pressed while plugging in your portable media (CD-ROM, flash drive…); it will force Windows to disable its autorun feature temporarily (while the button is pressed).

    autorun.inf is NOT BOOTABLE MALWARE… it’s just a text file with instructions for Windows (what to run etc.). If Windows finds such a file in the root directory of a drive it executes the instructions, like “set an icon for drive X:”, run a program and so on…

    Bootable is something that can be identified from the BIOS as an OS, and it must reside (partially) in the MBR of the media to put it simply…

    The hacker is only right on one thing: USE LINUX! (I don’t believe that he/she runs Linux, by the way.)

  9. Thanks for the information; even though I’m a computer geek I’ve never heard of this type of virus infection. But in my opinion a strong firewall will always do the job, but be careful how strong you make it. One time it turned off my whole Internet connection because it was a risky one.

  10. To prevent these kinds of viruses from infecting your PC, you need to disable the autorun function on your computer; unfortunately, just shutting down autoplay is not a fix. You might think that you could protect yourself from AutoRun by adding two (2) keys to your Registry (NoDriveAutoRun and NoDriveTypeAutoRun), but these keys can be overridden by some programs.

    Solution is here:

    1. Start Notepad [Start Menu-All Programs-Accessories-Notepad], or right-click any empty space on your desktop and select New-Text Document.
    2. Copy the following text. (Note: everything in between the square brackets should be on one line.)

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

    3. Save the file with a name (anything) like DisableAutoRun.reg (the .reg extension is the important part).
    4. Double-click your newly created registry file. Choose Yes or Continue at the warning that will appear.

  11. Sometimes the autorun.inf file is HIDDEN.

    They mostly infect USB drives.

    To counter this strategy,

    1. Go to the command prompt.
    2. Type “dir /ah”; this will list ALL HIDDEN FILES.
    3. You can’t delete them yet because they’re hidden. Most of the time the AV detects them, but to be sure, you can do this manually.
    4. Type “attrib -filename here- -s -h -r”.
    5. They will be visible now after you type “dir”.
    6. Delete the previously listed files. Remember them, of course!
    7. Warning: don’t go deleting hidden files in Windows folders haphazardly. Before doing so, make sure that it is malware if you are suspicious about it.

    cheers

  12. Excellent, it worked with autorun.inf, but it can also work with the virus itself, svchost.exe in the s-4…..-9… folder (inside the driver folder; it’s hidden), though it can be tricky.
    You have to create a folder with the same name somewhere else, let’s say your desktop, and two subfolders named svchost.exe and Desktop.ini, and configure them as Read-only. Delete the “original” folder s-…. (it usually looks like the recycle bin), and VERY quickly drag and copy the folder you just created to prevent overwriting (remember Read-only!).
