Jan 8, 2008

How to disable autorun in Windows XP for Flash Disks

I well remember the good old days when the technical staff in the school's computer department did not allow any floppy disks to be inserted into any computers. Floppy disks are simply dead now, and so are the viruses that were spread via them.

These days most people carry flash disks around with them, and now is the best time for many worms and viruses to spread with them. How?

Most viruses and worms simply take advantage of a weak point in the Windows XP operating system: it automatically executes autorun files on removable devices (and on all fixed drives too).

-Immunize your Flash Disks:

When you insert a flash disk into a computer, Windows XP looks for a file called autorun.inf, which contains the path of the program Windows should execute, in this case the virus on your disk. Your system is then simply infected with the virus. If you are lucky and have an updated antivirus, you might get the chance to kill the nasty program before it executes. However, on many occasions, this is not the case.

And here is a trick:
1- Delete the autorun.inf file in your flash disk
2- Create a folder and rename it to "autorun.inf" (without the " marks)
3- Set the folder's attributes to read only and archive/hidden
4- Create a file and rename it to "Recycler" (without the " marks)

Poor nasty viruses and Trojans can no longer copy themselves to your disk. This is a good first step in sterilizing your workplace from infected flash disks.
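A read-only check of a flash disk for the items described above, as an added example that is not part of the original post: it lists the programs an autorun.inf file asks Windows to start and reports whether the autorun.inf folder and the Recycler file from the trick are in place. The function name `audit_drive` and the sample file contents are assumptions made for illustration.

```python
import configparser
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program to run

def audit_drive(root):
    """Inspect a drive root (read-only) for the autorun items discussed above."""
    # Match names case-insensitively, as Windows does.
    entries = {name.lower(): os.path.join(root, name) for name in os.listdir(root)}
    inf = entries.get("autorun.inf", "")
    report = {
        "launch_targets": [],
        "autorun_is_folder": os.path.isdir(inf),    # step 2 of the trick
        "recycler_is_file": os.path.isfile(entries.get("recycler", "")),  # step 4
    }
    if not os.path.isfile(inf):
        return report
    # Parse leniently: no interpolation, duplicates and bare keys allowed.
    parser = configparser.RawConfigParser(
        strict=False, allow_no_value=True, delimiters=("=",))
    try:
        with open(inf, encoding="latin-1") as fh:
            parser.read_string(fh.read())
    except configparser.Error:
        report["launch_targets"].append("<unparseable autorun.inf>")
        return report
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):  # keys arrive lower-cased
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if value and (key in LAUNCH_KEYS or is_verb):
                report["launch_targets"].append(value)
    return report

if __name__ == "__main__":
    # Constructed sample, not taken from a real infected disk.
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\nopen=constructed_sample.exe\n"
                     "shell\\open\\command=constructed_sample.exe\n")
        print(audit_drive(drive))
```

Run it against the drive's root folder; any entry in `launch_targets` is a file worth scanning before the disk is opened on a Windows XP machine.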

Here is more information on what most worms and viruses do:

1- They first create a registry entry in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" so they are executed the next time you start Windows.
2- They might create autorun.inf files under all fixed drives and copy themselves there, so they are executed automatically by Windows even if you reinstall your operating system (this is what Win32/Malas.B - Bindo.worm does).
3- They hide themselves and copy themselves into many system folders under various tricky names, like svchost.exe, OfficeUpdate.exe and many others.
4- They disable Folder Options in Windows by setting Nofolderoptions to 1 under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer". This also takes advantage of a feature in Windows XP which hides extensions for known file types. You think you are opening a folder in Windows, while you have actually executed a virus which has changed its icon and name (like the "New Folder.exe" virus).
5- They can also disable Windows XP System Restore, so you might never get the chance to go back to the point where your system was clean.

Some other viruses also disable the task bar (no task manager access) and registry access, and use other tricks just to lock you out of your system.

So, be careful with flash disks. Be careful with Windows XP's auto run feature, and remember that your system gets infected in the blink of an eye, and you might lose your golden time with a simple mistake.

This is our case currently in the office and I am so wasted these days with flash disk viruses... :(

