Well, if you’ve been at the forums looking for solutions to this problem, you must’ve encountered some of my posts and requests. My bad. Didn’t have enough experience then. You all should listen to SiberLynx and the guys. In this post, we will take a look at some of the misconceptions and methods of disinfection and prevention of infection, particularly of autorun-based malware, which is basically the most common problem encountered in universities, internet shops, and even in computer shops (I mean those that sell computers and laptops. Bought one already infected. It hasn’t been touched, they said. It was just-out-of-the-box, they said).
Myth: The autorun.inf is a virus.
Truth: The autorun.inf is a system file used by Windows to automate common tasks involving external media. Technically, this is not a virus, nor was it intended to be a threat. What it is, however, is a mechanism abused by viruses: when an infected USB is attached, Windows reads the autorun.inf and immediately launches the virus, allowing it to infect the host computer.
Prevention: The best method to prevent an infection via autorun.inf is to turn that feature off. Windows 7 does not automatically use the autorun.inf which is good. For those others, you can use the free Panda USB Vaccine. For personal computers, you can simply opt to turn the autorun feature off (Google it). Of course, for university computers, you can go as far as disinfection, but not changing systems. I’ve done these without admin privileges, but i’ve seen some that wouldn’t allow me to do it. The inconsistency is perplexing, so I’m warning you beforehand of the difficulties you might encounter.
DIY: You can remove and protect against autoruns on both the USB and Windows manually. This, however, requires the use of the command prompt. To do this, simply:
- Press windows+r. The “Run” dialogue box should appear.
- Input in the field “cmd” without the quotes.
The command prompt should appear (a window with a black background, kinda like the one you see being used by hackers in movies).
- Navigate to the autorun.inf. It is usually found in the primary system drive and the root directory of the USB (to locate it manually, go to Tools > Options > under the View tab, untick Hide protected system files and then tick Show hidden files and folders > Apply, then OK. Now search for it).
- Now prepare the autorun.inf for deletion. Type in “attrib -s -h -r autorun.inf” and press enter. The file should now be visible. You can skip this step, as on most computers it is not needed. However, it does ensure that the file can and will be deleted.
- Then input “del autorun.inf” without the quotes.
Now to make an undeletable autorun.inf folder (a folder is much harder to delete and find for the virus. This method foils most attempts of deletion, but not all).
- To do this, input “md autorun.inf” without the quotes.
- Now to make this more difficult to remove, input “attrib +s +h +r +a autorun.inf” without the quotes. The folder should now become hidden (because some viruses don’t place anything in hidden folders. Don’t know why. Useless maybe).
Taking this a little further, we can make the autorun.inf virtually impossible to delete without a tool or a complete reformatting of the usb (don’t proceed to do this on a windows. It might cause conflicts. Not all systems are affected but better not risk it if you’re not yet familiar with repairing systems).
- Navigate within the folder by typing “cd autorun.inf” without the quotes.
- This time, make another directory. Input “md .\con\” without the quotes. The folder which will be created cannot be deleted by conventional methods. Using tools to unlock the file, including Collomb’s famous Unlocker, results in a BSOD as tested 01:10:51 AM, 09/21/11. Now viruses cannot auto-launch to infect a host PC. It does NOT, however, prevent infection. It simply prevents the virus from launching itself.
Example:
Microsoft Windows [Version 6.1.7601]
Copyright 2009 Microsoft Corporation. All rights reserved.
C:\Users\Palbie>E:
E:\>del autorun.inf → deletes the autorun.inf
E:\>md autorun.inf → creates a folder named autorun.inf
E:\>attrib +s +h +r +a autorun.inf → makes the folder attributes system, hidden, read-only, archive
E:\>cd autorun.inf → change directory
E:\autorun.inf>md .\con\ → .\con\ is a windows system folder. It cannot be deleted conventionally.
E:\autorun.inf>exit → exits command prompt. Input “help” without quotes for a list of commands.
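As an added example (not from the original post), here is a PowerShell script that checks which of the three states described above a drive is in (no autorun.inf, an autorun.inf file, or the immunizing autorun.inf folder), prints the launch directives of a real autorun.inf file, and lists hidden or system files at the root, where these worms usually sit. The drive letter parameter and the function names are my own assumptions.

```powershell
# Added example, not code from the original post.
# Usage: .\Check-Autorun.ps1 -Drive E:   (E: is assumed as the USB letter)
param([string]$Drive = 'E:')

function Get-AutorunState {
    param([string]$Root)
    $path = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $path)) { return 'absent' }
    $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden/system items
    if ($item.PSIsContainer) { return 'folder (immunized)' }
    return 'file'
}

# Directives in an autorun.inf that make Windows launch a program on insertion.
$launchKeys = 'open', 'shellexecute', 'shell\\[^\\]+\\command'

function Get-LaunchDirectives {
    param([string]$InfPath)
    $lines = Get-Content -LiteralPath $InfPath -Force -ErrorAction Stop
    foreach ($line in $lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }   # skip blanks and comments
        foreach ($k in $launchKeys) {
            if ($t -match "^($k)\s*=\s*(.+)$") {            # -match is case-insensitive
                [pscustomobject]@{ Key = $Matches[1]; Target = $Matches[2] }
            }
        }
    }
}

$root  = "$Drive\"
$state = Get-AutorunState -Root $root
Write-Host "$root autorun.inf: $state"

if ($state -eq 'file') {
    # A real autorun.inf file on removable media is the case the post warns about:
    # show what it would launch, so the suspect file can be located and removed.
    Get-LaunchDirectives -InfPath (Join-Path $root 'autorun.inf') | Format-Table -AutoSize
}

# Hidden or system files directly at the root are worth a second look.
Get-ChildItem -LiteralPath $root -Force -File |
    Where-Object { $_.Attributes -match 'Hidden|System' } |
    Select-Object Name, Length, Attributes, LastWriteTime |
    Format-Table -AutoSize
```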
Disinfecting:
The easiest would be to plug the usb to a linux os and then delete the suspect file. Or you can
- go to command prompt.
- Now input “attrib -s -h -r -a *.*” without the quotes (*.* means any file name with any extension; in other words, all files and folders).
- Then “del virusname.extension autorun.inf”.
If the host is already infected, it will be a bit more difficult.
- Find the suspect file. This should be the priority so you could easily delete all instances. Autoruns, startup lists, and MSConfig can help you. Don’t delete anything. Just find out where they are. Usually there are three copies of the file. In the users folder, in the main drive, and in other drives present.
- Reboot in safe mode and repeat the process above (command prompt to deleting). To be on the safe side, run ccleaner and clean previous system restore images.
Or if safe mode is unavailable,
- go to command prompt.
- Input “tasklist” and identify the virus image name.
- Now input “taskkill /f /t /im imagename” to forcefully kill the virus process and all other processes launched by the virus.
- Now you can proceed to cleaning/deleting the virus.
In other cases, the steps are less complicated. Simply go to Tools > Options > View tab, untick Hide extensions for known file types, then apply. Now remove the extensions of the virus(es) and replace it with something like *.quarantine or *.p4l8!3. Reboot. Locate the renamed files then delete. Reboot again then use a registry cleaner and an antivirus scanner to remove leftovers.
A variant would be using the NTFS file format. However, I’ve had experience and reports from other people that Mac and some Linux variants have difficulty reading the format if not altogether failing at it. If you would like, loverboy posted a helpful link which would be friendlier than this:
[UPDATE 04/06/2013]
Well, since a friend of mine traded her USB for my USB which was secured through NTFS, I had to make another one. While the link provided by loverboy does provide the essential and rather basic permissions needed, I soon found out (the hard way) that it does not completely protect from more recent and rather prevalent and annoying worms. Either that, or you forego writing files (and thus, any capacity of copying from other computers). Also, if in the rare case that your pc becomes infected, the USB is completely exposed having been granted full access in the host. Paranoid as I am, that I cannot ignore (especially considering that this PC is not exclusively mine). So I’ll share some of the permissions I use.
To begin with, familiarize yourself with the NTFS permissions.
- Now then, after going through the trouble of immunizing your USB by placing an undeletable autorun.inf folder, create a folder and name it however you like. For matters of convenience and personal preference, I named it simply “Files”.
- Right-click on the Autorun.inf folder you created earlier. Make it “Hidden”. Then select Properties and switch to the Security tab.
- Under security, delete all Group or user names except “Everyone” by clicking Edit and then Remove.
- Click OK, then Advanced.
- Click Change Permissions from the resulting dialog box, and then Edit.
- From the resulting box, change the Apply to option to “This folder and files”, then deny everything except “Read Attributes”.
- Select the folder “Files”. Go to the Security tab in the Properties.
- Repeat steps 3-5
- This time, change the Apply to option to “Subfolder and files”, then deny the following:
a. Write attributes
b. Write extended attributes
c. Traverse folder/execute
d. Take ownership
e. Change permissions
- Allow, on the other hand:
a. Traverse folder/execute file
b. List folder/read data
c. Read attributes
d. Read extended attributes
e. Create files/write data
f. Create folders/append data
g. Delete subfolders and files
h. Read permissions
- Deselect the folder and right click anywhere outside of it. Select Properties and switch to the Security tab.
- Under security, delete all Group or user names except “Everyone” by clicking Edit and then Remove.
- Click OK, then Advanced.
- Click Change Permissions from the resulting dialog box, and then Edit.
- From the resulting box, change the Apply to option to “This folder and files”, then deny the following:
a. Traverse folder/execute file
b. Read extended attributes
c. Create files/write data
d. Create folders/append data
e. Write attributes
f. Delete subfolders and files
g. Delete
h. Change permissions
i. Take ownership
while allowing everything else, and then tick the option “Apply these permissions to objects…”
- Click Apply then OK.
Test out this config. It should prevent you from:
- Creating any file/folder outside the “Files” folder,
- Deleting the Files folder,
- Viewing the contents, making any modifications and deleting the autorun.inf folder and everything inside it,
- Changing the attributes of either Files or Autorun.inf folder and everything inside it.
and allows you to:
- Create files and folders within the “Files” folder,
- View, read and execute the contents of the “Files” folder,
- Delete files and folders within the “Files” folder,
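The same permission layout as an icacls script, added here as an example and not from the original post, so the scheme is reproducible and can be reviewed with one listing instead of clicking through the Security tab. It assumes an NTFS USB at E: with the autorun.inf folder and the Files folder already created, an elevated prompt, and the group names a freshly formatted volume usually carries; following UPDATE 2, Traverse folder/execute file is denied inside Files.

```powershell
# Added example, not code from the original post. Adjust $Drive before running.
$Drive = 'E:'
$Root  = "$Drive\"
$Files = "$Drive\Files"
$Inf   = "$Drive\autorun.inf"

# "Delete all Group or user names except Everyone": disable inheritance (copying
# inherited entries as explicit) and remove the usual default groups (assumed;
# adjust to whatever "icacls <path>" lists on your volume).
foreach ($p in $Root, $Files, $Inf) {
    icacls $p /inheritance:d /remove Administrators SYSTEM Users 'Authenticated Users' 'CREATOR OWNER' | Out-Null
}

# autorun.inf folder, "This folder and files" = (OI): deny everything except Read Attributes.
attrib +h $Inf
icacls $Inf /deny  'Everyone:(OI)(RD,REA,X,WD,AD,WA,WEA,DC,DE,RC,WDAC,WO)' | Out-Null
icacls $Inf /grant 'Everyone:(OI)(RA)' | Out-Null

# Files folder, "Subfolder and files" = (OI)(CI)(IO): no attribute changes,
# no execution, no re-permissioning; listing, creating and deleting stay allowed.
icacls $Files /deny  'Everyone:(OI)(CI)(IO)(X,WA,WEA,WDAC,WO)' | Out-Null
icacls $Files /grant 'Everyone:(OI)(CI)(IO)(RD,RA,REA,WD,AD,DC,RC)' | Out-Null

# Drive root, "This folder and files" = (OI) with "objects within this container only" = (NP):
# nothing can be created, deleted, executed or re-permissioned at the root itself.
icacls $Root /deny  'Everyone:(OI)(NP)(X,REA,WD,AD,WA,DC,DE,WDAC,WO)' | Out-Null
icacls $Root /grant 'Everyone:(OI)(NP)(RD,RA,WEA,RC)' | Out-Null

# Review the result before the "Test out this config" checks.
icacls $Root
icacls $Files
icacls $Inf
```

Icacls rights codes map to the Security tab entries as follows: X = Traverse folder/execute file, RD = List folder/read data, WD = Create files/write data, AD = Create folders/append data, WA/WEA = Write (extended) attributes, DC = Delete subfolders and files, DE = Delete, RC = Read permissions, WDAC = Change permissions, WO = Take ownership.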
As with all immunization, it does not completely safeguard you from infection, but it prevents it by not allowing any worm or malware, for that matter, to set an autorun.inf file for use or to hide any of your files. This makes it easier to detect any malicious programs or new unfamiliar items within the USB, especially for people like me who categorize every file in separate folders (which is a good habit actually: instead of having only a single Files folder, have multiple folders by category such as Audio-Video, Documents, Programs, and Photos). If any file is not inside the folder it should be, I delete it. Well, hope it helps.
[UPDATE 2]
It seems that the option Traverse folder/execute file does not in any way affect moving from folder to folder via Explorer, as opposed to what I had previously understood. I recommend denying this permission to prevent any executable from running, unless you want a particular executable available (e.g. a private portable browser, in which case granting it sole execution permission would be a workaround while still preventing execution from any other location within the drive). Any other file, including documents, videos, audio files, etc., will open normally.