USBs and autoruns: Explaining Autoruns and Securing your USB

Well, if you’ve been at the forums looking for solutions to this problem, you must’ve encountered some of my posts and requests. My bad. Didn’t have enough experience then. You all should listen to SiberLynx and the guys. In this post, we will take a look at some of the misconceptions and methods of disinfection and prevention of infection, particularly of autorun-based malware, which is basically the most common problem encountered in universities, internet shops, and even in computer shops (I mean to say those that sell computers and laptops. Bought one already infected. It hasn’t been touched, they said. It was just out of the box, they said).

Myth: The autorun.inf is a virus.

Truth: The autorun.inf is a system file used by Windows to automate common tasks involving external media. Technically, this is not a virus, nor was it intended to be a threat. What it is, however, is a vulnerability exploited by viruses so that, upon attaching a USB, it immediately launches the virus, allowing it to infect the host computer.

Prevention: The best method to prevent an infection via autorun.inf is to turn that feature off. Windows 7 does not automatically use the autorun.inf, which is good. For the others, you can use the free Panda USB Vaccine. For personal computers, you can simply opt to turn the autorun feature off (Google it). Of course, for university computers, you can go as far as disinfection, but not changing systems. I’ve done these without admin privileges, but I’ve seen some that wouldn’t allow me to do it. The inconsistency is perplexing, so I’m warning you beforehand of the difficulties you might encounter.

DIY: You can remove and protect against autoruns on both USB and Windows manually. This, however, requires the use of the command prompt. To do this, simply:

  1. Press Windows+R. The “Run” dialogue box should appear.
  2. Input in the field “cmd” without the quotes.
    The command prompt should appear (a window with a black background. Kinda like the one you see being used by hackers in movies).
  3. Navigate to the autorun.inf. It is usually found in the primary system drive and the root directory of the USB (to locate it manually, go to Tools > Options > under the View tab, untick Hide protected system files and then tick Show hidden files and folders > Apply, then OK. Now search for it).
  4. Now delete the autorun.inf. Type in “attrib -s -h -r autorun.inf” and press Enter. The file should now be visible. You can skip this step as in most computers this is not needed. However, it does ensure that the file can and will be deleted.
  5. Then input “del autorun.inf” without the quotes.

Now to make an undeletable autorun.inf folder (a folder is much harder to delete and find for the virus. This method foils most attempts of deletion, but not all).

  1. To do this, input “md autorun.inf” without the quotes.
  2. Now to make this more difficult to remove, input “attrib +s +h +r +a autorun.inf” without the quotes. The folder should now become hidden (because some viruses don’t place anything in hidden folders. Don’t know why. Useless maybe).

Taking this a little further, we can make the autorun.inf virtually impossible to delete without a tool or a complete reformatting of the USB (don’t proceed to do this on Windows. It might cause conflicts. Not all systems are affected, but better not risk it if you’re not yet familiar with repairing systems).
  3. Navigate within the folder by typing “cd autorun.inf” without the quotes.
  4. This time, make another directory. Input “md .\con\” without the quotes. The folder which will be created cannot be deleted by conventional methods. Using tools to unlock the file, including Collomb’s famous Unlocker, results in a BSOD as tested 01:10:51 AM, 09/21/11. Now viruses cannot auto-launch to infect a host PC. It does NOT, however, prevent infection. It simply prevents the virus from launching itself.

Example:
Microsoft Windows [Version 6.1.7601]
Copyright 2009 Microsoft Corporation. All rights reserved.

C:\Users\Palbie>E:

E:\>del autorun.inf → deletes the autorun.inf

E:\>md autorun.inf → creates a folder named autorun.inf

E:\>attrib +s +h +r +a autorun.inf → makes the folder attributes system, hidden, read-only, archive

E:\>cd autorun.inf → change directory

E:\autorun.inf>md .\con\ → .\con\ is a Windows system folder. It cannot be deleted conventionally.

E:\autorun.inf>exit → exits command prompt. Input “help” without quotes for a list of commands.
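An audit script for the state described above, added here as an example; it is not code from the original post or from any of the tools mentioned in this thread. For each removable drive it reports whether autorun.inf is absent, a folder (the immunization above) or a file, lists the launch keys an autorun.inf file would hand to AutoRun, names hidden items in the root, and shows the NoDriveTypeAutoRun policy value. It assumes Windows PowerShell 5.1 or later; drive letters and file names are whatever is plugged in, and nothing on the drive is modified.

```powershell
# Added example (not from the original post): audit removable drives for the
# autorun.inf state described above. Read-only; assumes Windows PowerShell 5.1+.

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is the documented Explorer policy value; bit 0x04 covers
    # removable drives and 0xFF disables AutoRun on every drive type.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $val) {
            [pscustomobject]@{
                Hive               = $hive
                NoDriveTypeAutoRun = '0x{0:X2}' -f $val
                RemovableDisabled  = (($val -band 0x04) -ne 0)
            }
        }
    }
}

function Read-AutorunInf {
    # Minimal parse of the [autorun] section of an autorun.inf file. Only the keys that
    # name something to execute are returned: open=, shellexecute= and shell\<verb>\command=.
    param([string]$Path)
    $section  = ''
    $findings = @()
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        if ($t -match '^([^=]+)=(.*)$') {
            $k = $Matches[1].Trim().ToLower()
            $v = $Matches[2].Trim()
            if ($k -eq 'open' -or $k -eq 'shellexecute' -or $k -like 'shell\*\command') {
                $findings += [pscustomobject]@{ Key = $k; Launches = $v }
            }
        }
    }
    return $findings
}

function Test-RemovableDrives {
    # DriveType 2 = removable disk in Win32_LogicalDisk.
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $d.DeviceID + '\'
        $inf  = Join-Path $root 'autorun.inf'
        if     (Test-Path -LiteralPath $inf -PathType Container) { $state = 'folder (immunized)' }
        elseif (Test-Path -LiteralPath $inf -PathType Leaf)      { $state = 'FILE (inspect)' }
        else                                                     { $state = 'absent' }
        $launch = if ($state -like 'FILE*') { Read-AutorunInf -Path $inf } else { @() }
        # Hidden items in the root are where autorun worms usually park their payload.
        $hidden = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and $_.Name -ne 'autorun.inf' } |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Drive        = $d.DeviceID
            FileSystem   = $d.FileSystem
            AutorunInf   = $state
            Launches     = (@($launch | ForEach-Object { "$($_.Key)=$($_.Launches)" }) -join '; ')
            HiddenInRoot = (@($hidden) -join ', ')
        }
    }
}

Get-AutorunPolicy    | Format-Table -AutoSize
Test-RemovableDrives | Format-List
```

A drive that shows AutorunInf = FILE with a non-empty Launches column is the case the disinfection steps below are for; a folder entry means the immunization is in place, and HiddenInRoot tells you at a glance whether anything is sitting next to it.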

Disinfecting:
The easiest would be to plug the USB into a Linux OS and then delete the suspect file. Or you can

  1. go to command prompt.
  2. Now input “attrib -s -h -r -a *.*” without the quotes (*.* means any file name with any extension. In other words, all files and folders).
  3. Then “del virusname.extension autorun.inf”.

If the host is already infected, it will be a bit more difficult.

  1. Find the suspect file. This should be the priority so you could easily delete all instances. Autoruns, startup lists, and MSConfig can help you. Don’t delete anything. Just find out where they are. Usually there are three copies of the file. In the users folder, in the main drive, and in other drives present.
  2. Reboot in safe mode and repeat the process above (command prompt to deleting). To be on the safe side, run CCleaner and clean previous system restore images.

Or if safe mode is unavailable,

  1. go to command prompt.
  2. Input “tasklist” and identify the virus image name.
  3. Now input “taskkill /f /t /im imagename” to forcefully kill the virus process and all other processes launched by the virus.
  4. Now you can proceed to cleaning/deleting the virus.
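Locating every copy before deleting anything (step 1 of the host-side procedure above) is easier with a content hash than by file name, since a worm can rename its copies. The script below is an added example, not code from the original post: given one suspect file it hashes the top-level files of the user profile, the Startup folder and each local drive root, reports every file with the same SHA-256 together with its hidden/system attributes and whether it is currently running, and then shows the Stop-Process equivalent of the taskkill step. It assumes Windows PowerShell 5.1 or later; the suspect path and the process name are placeholders.

```powershell
# Added example (not from the original post): find every copy of a suspect file by
# SHA-256 in the places the post names (user profile, drive roots) plus the Startup
# folder, and note whether a copy is currently running. It reports only; it deletes
# and kills nothing. Assumes Windows PowerShell 5.1+; the sample path is a placeholder.

function Find-SuspectCopies {
    param([Parameter(Mandatory)][string]$SuspectPath)
    $target = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash
    # Top level only: that is where the post reports the copies landing.
    $places = @($env:USERPROFILE, [Environment]::GetFolderPath('Startup'))
    $places += Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 3' |
               ForEach-Object { $_.DeviceID + '\' }
    # Image paths of running processes (only your own without elevation).
    $running = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path
    foreach ($dir in ($places | Select-Object -Unique)) {
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
            $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -ne $target) { continue }
            [pscustomobject]@{
                Path    = $f.FullName
                Hidden  = (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                System  = (($f.Attributes -band [IO.FileAttributes]::System) -ne 0)
                Running = ($running -contains $f.FullName)
            }
        }
    }
}

# Once the copies are known, the post's tasklist/taskkill step is Stop-Process:
#   Stop-Process -Name 'virusname' -Force     # placeholder process name
Find-SuspectCopies -SuspectPath 'E:\virusname.exe' | Format-Table -AutoSize   # placeholder path
```

Run it from the account that owns the profile; copies dropped into another user's profile or into locked files will not be hashed without elevation, so an empty result is not proof of a clean machine.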

In other cases, the steps are less complicated. Simply go to Tools > Options > View tab, untick Hide extensions for known file types, then apply. Now remove the extensions of the virus(es) and replace it with something like *.quarantine or *.p4l8!3. Reboot. Locate the renamed files then delete. Reboot again then use a registry cleaner and an antivirus scanner to remove leftovers.

A variant would be using the NTFS file format. However, I’ve had experience and reports from other people that Mac and some Linux variants have difficulty reading the format if not altogether failing at it. If you would like, loverboy posted a helpful link which would be friendlier than this:

[UPDATE 04/06/2013]
Well, since a friend of mine traded her USB for my USB which was secured through NTFS, I had to make another one. While the link provided by loverboy does provide the essential and rather basic permissions needed, I soon found out (the hard way) that it does not completely protect from more recent and rather prevalent and annoying worms. Either that, or you forego writing files (and thus, any capacity of copying from other computers). Also, if in the rare case that your pc becomes infected, the USB is completely exposed having been granted full access in the host. Paranoid as I am, that I cannot ignore (especially considering that this PC is not exclusively mine). So I’ll share some of the permissions I use.

To begin with, familiarize yourself with the NTFS permissions.

  1. Now then, after going through the trouble of immunizing your USB by placing an undeletable autorun.inf folder, create a folder and name it however you like. For matters of convenience and personal preference, I named it simply “Files”.
  2. Right-click on the Autorun.inf folder you created earlier. Make it “Hidden”. Then select Properties and switch to the Security tab.
  3. Under security, delete all Group or user names except “Everyone” by clicking Edit and then Remove.
  4. Click OK, then Advanced.
  5. Click Change Permissions from the resulting dialog box, and then Edit.
  6. From the resulting box, change the Apply to option to “This folder and files”, then deny everything except “Read Attributes”.
  7. Select the folder “Files”. Go to the Security tab in the Properties.
  8. Repeat steps 3-5.
  9. This time, change the Apply to option to “Subfolder and files”, then deny the following:
    a. Write attributes
    b. Write extended attributes
    c. Traverse folder/execute
    d. Take ownership
    e. Change permissions
  10. Allow, on the other hand:
    a. Traverse folder/execute file
    b. List folder/read data
    c. Read attributes
    d. Read extended attributes
    e. Create files/write data
    f. Create folders/append data
    g. Delete subfolders and files
    h. Read permissions
  11. Deselect the folder and right click anywhere outside of it. Select Properties and switch to the Security tab.
  12. Under security, delete all Group or user names except “Everyone” by clicking Edit and then Remove.
  13. Click OK, then Advanced.
  14. Click Change Permissions from the resulting dialog box, and then Edit.
  15. From the resulting box, change the Apply to option to “This folder and files”, then deny the following:
    a. Traverse folder/execute file
    b. Read extended attributes
    c. Create files/write data
    d. Create folders/append data
    e. Write attributes
    f. Delete subfolders and files
    g. Delete
    h. Change permissions
    i. Take ownership
    while allowing everything else, and then tick the option “Apply these permissions to objects…”
  16. Click Apply then OK.

Test out this config. It should prevent you from:

  1. Creating any file/folder outside the “Files” folder,
  2. Deleting the Files folder,
  3. Viewing the contents, making any modifications and deleting the autorun.inf folder and everything inside it,
  4. Changing the attributes of either Files or Autorun.inf folder and everything inside it.

and allows you to:

  1. Create files and folders within the “Files” folder,
  2. View, read and execute the contents of the “Files” folder,
  3. Delete files and folders within the “Files” folder,
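The sixteen steps above as a script, added here as an example rather than taken from the original post. It uses Get-Acl/Set-Acl with the same entries the dialogs expose (ExecuteFile is “Traverse folder/execute file”, ReadData is “List folder/read data”, AppendData is “Create folders/append data”, and so on), then runs the checks from “Test out this config” that can be performed without putting your data at risk. Assumptions: the stick is already NTFS, the undeletable autorun.inf folder from the earlier steps exists, “E:\” and “Files” are placeholders for your own drive letter and folder name, and the script runs as the account that owns the drive. One deliberate difference from the post is called out in a comment: the Allow entry on the Files folder is applied to that folder itself as well as to its contents, because an inherit-only entry on its own leaves the folder unlistable.

```powershell
# Added example (not from the original post): the NTFS permissions from steps 1-16 above
# as a Get-Acl/Set-Acl script, followed by the non-destructive half of "Test out this
# config". Assumptions: the stick is already NTFS, the autorun.inf folder from the
# earlier steps exists, 'E:\' and 'Files' are placeholders for your own drive and folder,
# and you run this as the account that owns the drive.

function New-Rule {
    # One ACE for Everyone. $Rights and the flags use the enum names that correspond to
    # the GUI entries (ExecuteFile = "Traverse folder/execute file", ReadData = "List folder/read data", ...).
    param([string]$Rights, [string]$Inherit, [string]$Propagate, [string]$Type)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]$Type)
}

function Set-EveryoneOnlyAcl {
    # Steps 3-5 and 12-14: stop inheriting, remove every other principal, add our rules.
    param([string]$Path, [object[]]$Rules)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($old) }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Protect-UsbDrive {
    param([string]$Drive, [string]$FilesFolder = 'Files')
    $autorun = Join-Path $Drive 'autorun.inf'
    $files   = Join-Path $Drive $FilesFolder
    if (-not (Test-Path -LiteralPath $autorun -PathType Container)) {
        throw "Create the undeletable autorun.inf folder first (steps above)."
    }
    New-Item -Path $files -ItemType Directory -Force | Out-Null   # step 1

    # Step 6: "This folder and files" = ObjectInherit; deny everything but Read Attributes.
    Set-EveryoneOnlyAcl $autorun @(
        New-Rule 'ReadData, WriteData, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, ExecuteFile, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ReadPermissions, ChangePermissions, TakeOwnership' 'ObjectInherit' 'None' 'Deny'
    )

    # Steps 9-10: "Subfolders and files" = ContainerInherit+ObjectInherit, InheritOnly.
    # Deviation from the post: the Allow entry is also applied to the Files folder itself,
    # because an inherit-only entry alone would leave the folder unlistable.
    Set-EveryoneOnlyAcl $files @(
        New-Rule 'WriteAttributes, WriteExtendedAttributes, ExecuteFile, TakeOwnership, ChangePermissions' 'ContainerInherit, ObjectInherit' 'InheritOnly' 'Deny'
        New-Rule 'ReadData, ReadAttributes, ReadExtendedAttributes, WriteData, AppendData, DeleteSubdirectoriesAndFiles, ReadPermissions, Synchronize' 'ContainerInherit, ObjectInherit' 'None' 'Allow'
    )

    # Step 15: "This folder and files" plus "objects within this container only"
    # = ObjectInherit with NoPropagateInherit. The root comes last so its deny of
    # Change Permissions cannot get in the way of the edits above.
    Set-EveryoneOnlyAcl $Drive @(
        New-Rule 'ExecuteFile, ReadExtendedAttributes, WriteData, AppendData, WriteAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership' 'ObjectInherit' 'NoPropagateInherit' 'Deny'
        New-Rule 'ReadData, ReadAttributes, WriteExtendedAttributes, ReadPermissions, Synchronize' 'ObjectInherit' 'NoPropagateInherit' 'Allow'
    )
}

function Test-UsbConfig {
    # The checks from "Test out this config" that can run without risking your data.
    param([string]$Drive, [string]$FilesFolder = 'Files')
    $files  = Join-Path $Drive $FilesFolder
    $probes = [ordered]@{
        'create file in root (expect blocked)'     = { New-Item -Path (Join-Path $Drive 'probe.txt') -ItemType File -ErrorAction Stop | Remove-Item }
        'create folder in root (expect blocked)'   = { New-Item -Path (Join-Path $Drive 'probe') -ItemType Directory -ErrorAction Stop | Remove-Item }
        'list autorun.inf folder (expect blocked)' = { Get-ChildItem -LiteralPath (Join-Path $Drive 'autorun.inf') -Force -ErrorAction Stop | Out-Null }
        'create file in Files (expect allowed)'    = { New-Item -Path (Join-Path $files 'probe.txt') -ItemType File -ErrorAction Stop | Remove-Item }
    }
    foreach ($p in $probes.GetEnumerator()) {
        try { & $p.Value; $outcome = 'allowed' } catch { $outcome = 'blocked' }
        [pscustomobject]@{ Check = $p.Key; Outcome = $outcome }
    }
}

$Drive = 'E:\'   # placeholder: your USB drive letter
Protect-UsbDrive -Drive $Drive
Test-UsbConfig   -Drive $Drive | Format-Table -AutoSize
```

Two things worth knowing before relying on it. First, if a drive does end up locked, an administrator can recover it without reformatting by taking ownership (takeown /f E:\ /r /d y) and resetting the ACLs (icacls E:\ /reset /t). Second, UPDATE 2 below observes that denying “Traverse folder/execute file” never stopped browsing into folders: Windows grants Everyone the Bypass traverse checking privilege by default, so only the execute-file half of that right takes effect, which is exactly the behaviour the post wants from it.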

As with all immunization, it does not completely safeguard you from infection, but it prevents it by not allowing any worm or malware, for that matter, to set an autorun.inf file for use or to hide any of your files. This makes it easier to detect any malicious programs or new unfamiliar items within the USB, especially for people like me who categorize every file in a separate folder (which is a good habit, actually: instead of having only a single Files folder, have multiple folders by category such as Audio-Video, Documents, Programs, and Photos). If any file is not inside the folder it should be, I delete it. Well, hope it helps.

[UPDATE 2]
It seems that the option Traverse folder/execute file does not in any way affect moving from folder to folder via explorer as opposed to what I had previously understood. I recommend denying permissions to this to prevent any executable from running unless you want a particular executable available (i.e. a private portable browser for example, in which case, granting it/them sole execution permission would be a workaround while still preventing execution from any other location within the drive). Any other file including documents, videos, audio files, etc. will run normally.

Thanks for the info. I only had USB infection once before Comodo. I use Bitdefender USB protector now.

Thanks for the guide, I will try it. :-TU

Talking about the Quote above… in that case what do you mean by “it does not prevent an infection”?
Where is the “infected autorun” created? Inside the blocked folder?

The autorun is just used to launch the malware automatically. Technically speaking, the virus can still drop the exe inside the USB, but that’s as far as it gets if the proper NTFS security permissions are selected and configured (you need to have a subdirectory for the files. Inside the subdirectory, the permissions must not allow file modification, copying, moving, renaming, attribute changing, etc.). Therefore, there’s still a risk of the virus being launched by the user himself. Although this hardly happens to me because of the way I configured my USB: it can only make one instance of itself in the USB, and cannot modify or copy the files inside. It cannot create the links needed to launch itself either, nor can it make itself hidden.

Autorun-based malware usually create the links in the first level, not within folders which means it cannot create the links because file creation is not allowed in the first level. Which means that I can easily find the virus and delete it since it’s the only file I do not recognize.

It cannot modify the autorun.inf file because it doesn’t exist as a file but as a folder, and since there’s already an undeletable folder named autorun.inf, it cannot create an infected autorun in the USB. No error messages will be produced, so there’s no hassle at all.

yeah, but the focus really was to prevent infection of USB’s so that we don’t spread malware through USB’s, not to prevent our personal systems from infection (well, not entirely). BD USB immunizer’s (though I really think “immunizer”'s misleading in every sense of the word) good, too. :smiley: Though last time I used it, it creates an empty autorun.inf that uses special permissions which threw up alerts in virus scanners then. don’t know if it’s still the same. Folders don’t throw those FP’s.

Yeah I got that. I got the USB from my mate. After that he knows better. I have Windows 7. And auto-runs here under lockdown 8) :P0l

Sorry for the stupid question… but how do I get to my USB drive letter using DOS commands?
If I type "cd O:" (O:\ is my USB) I cannot go there…

PS
Maybe it should be better to put in bold the fact that one must not create that folder in other places other than USB because he cannot delete it anymore 88)

By the way .\con\ is Windows console? Is that why you cannot delete it anymore once created?

I don’t really turn off the autorun.inf features because people here at home rely on it to do things automatically for them (they’re rather old so the technicalities elude them). 88) So instead, I configured security permissions for them to limit the viruses and installed USB Guardian to monitor malicious autoruns. It locks down any file it finds suspicious, usually by parsing the autorun.inf and then identifying the suspect files.

This way, they can still use the autorun feature albeit with a few more clicks thrown in. ;D

Thanks for the information, and btw the explanation is good too, so I’m not confused in understanding it :slight_smile:

I see. Great idea! ;D :-TU

Hi spainach_12,

1st, thanks for kind words,
… but there is no “bad” on your behalf at all

“USB issue” if I can call it like that :slight_smile: was & will be an issue, because of an architectural failure, as many others by MS, as a matter of fact.
Well, thanks Gd (Hallelujah!) that’s not a major problem since Win 7 … but still a problem

So, you can include yourself to the list of “and the guys…” ;D, cauze you’ve made a great contribution here in Comodo forum regarding the matter
All of us can tell the same: “Didn’t have enough experience then…"
We are learning if we have a will to learn; We’re entitled to make mistakes (all of us) , but the main point is to encourage less experienced users to think & investigate. And that’s where you are doing a great job - that matters.

Cheers, man! & continue :wink:

Hi loverboy,

Can you please pass a bit more info about how you … hhmmm … fired up that “DOS command(s)“, which failed?

Another trick (discussed here, as far as I remember, & posed by me): please set permanent drive letters for USB devices. That alone will save you from a lot of troubles (related or not related to security issues)
If you need a link, please ask

That is most possibly right … but … basically all external devices can be ‘USB’ … therefore this particular message is not clear.

Well, CON; PRN; AUX; LPT1 – LPT#; COM1 – COM#; etc. & some others are reserved names for devices, since “DOS Ice Age times” (whooooha! scary stuff) left for backward compatibility

… together with ice-aged 8080 processors architectural flaws (OffTopic!)

Cheers all!

The only way to go (in the DOS window) to my USB pen was typing

O:

For the other advice… yes… All my USB pens permanently become O:\ drive when inserted :wink:

To sum it all up… in practice we have created an “autorun.inf” folder that is impossible to delete because it is not empty and contains another folder that (once created) is recognized by Windows as a “reserved name for console device” (may we call it a “fake folder”?) … additional reason to make it impossible to delete it with conventional methods.

What I meant regarding the phrase in bold characters, is “Don’t try to do it in drives that you are not willing to reformat to delete that folder because there is no other way to do it”
Yesterday I had to recover a backup of 2 days ago of my C:\ drive (so, no particular problem on my side) once I had created that folder under Documents thinking that I could move to the USB pen (that I couldn’t access until I found that > O:\ command)
There is no way to move “autorun.inf” folder
spainach_12 suggested that I use another DOS command (rd C:\Documents\autorun.inf\con) to delete “con”, but it was too late :smiley: so I couldn’t test if it works.

As to not create a duplicate, I simply modified the first post and added a few more details. Please make sure to note the following before trying out the instructions above.

  1. Beginning from the 1st update, all instructions thereafter were written as they were performed (in other words, I was writing it down as I went through the whole process step by step). Therefore, it has not been tested whether it indeed works over a reboot or in any other system. However, having previously done this, all changes should take effect immediately without a reboot and in every other Windows system, from XP until Windows 7. Not tested on Windows 8.

  2. I emphasize caution to those who would use the NTFS file format especially those who operate within multiple OS’es. Mac has been reported to be without any official NTFS support. Older Linux variants are also prone to file corruption if the NTFS USB was not “safely” ejected from Windows or unmounted before ejection. File transfers are said to also suffer considerably in Linux.

  3. This method does not completely protect from infection. One method of bypassing this is by having the malicious code pretend as a file or piggyback off a file. Though the malware cannot be run within the USB, copying the file and launching it from the host will transfer the malware to the host and infect it. It cannot, however, infect further the USB drive. This may be prevented by denying permission to Create folder/append data in the whole USB drive, but prevents making subfolders. If this is something you could ignore, I recommend denying permission to append data. Make sure to scan the drive before making any transfers.

  4. This method has not been (by my standards) satisfactorily tested to be called virtually impregnable. Hence, I make no claim that it can completely prevent infection via USB. As of time of writing, I have yet to find a sample that can successfully infect the USB (which means copying itself on the drive and avoiding detection, both human and antivirus).

Any reaction, contention, information regarding these matters are welcome.

You need to type “O:” to go to the USB drive first. Your prompt should change to something like “O:\>”

Once it has, type “cd \directory name” to change to the selected directory on the O: drive.

By the way .\con\ is Windows console? Is that why you cannot delete it anymore once created?

Yep - “con” is the hard-coded name for the Windows Console device. An old DOS trick, but a really good one.

Good work Spainach_12, BTW. :-TU

Cheers,
Ewen :slight_smile: