OK, this doesn’t actually foil Conficker, but it does block one of the attack vectors and prevents many other threats from automatically infecting your computer too.
It is the longest-standing unpatched Microsoft vulnerability, and Microsoft calls it a “feature”. The idea of autorun is to let a person use a computer with a minimal amount of knowledge. The way autorun works is that when you insert removable media, such as a USB key or a CD, Windows automatically looks for a file called “autorun.inf” in the root of that media and, if it is there, does what the file says to do. The idea was that a user doesn’t have to know how to double-click setup.exe; they just put the CD or USB key in and the program runs itself. The problem is that the bad guys know that and often use autorun to install malicious software as soon as a USB drive is plugged in. Conficker exploits this as well.
In 2008, more than 1 out of every 15 threats we detected used autorun.inf to help infect users. In January, nearly 1 out of every 10 threats we detected at ESET used autorun. Microsoft does not provide a truly effective solution for disabling autorun, and the partial solution they suggest is cumbersome. My friend Michael Horowitz, who blogs at http://blogs.computerworld.com/horowitz, recently shared a real solution with me. You can read more about it in his blog post from January 30th (http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives). The fix works with XP and Vista.
Here’s where it gets a little bit techie. The fix involves creating a registry key. Michael links to a program that does this for you on his blog, but I’ll tell you how to create the file here.
You need to use something like Notepad; if you use Word, you must save the file as a plain text file, not a document. The file extension must be .reg. Alternatively, you can create the registry key by hand in regedit if you are so inclined.
Here are the contents of the registry file. You can copy and paste everything between the dashed lines into your file. You might name it noautorun.reg, but the name isn’t as important as the final extension.
Please note that the second line wraps in the browser, but it is really a single line.
——————————————————————————————
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
——————————————————————————————
When you create and then run (double-click) the registry file, it creates a key called Autorun.inf under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping. The default value of that key is @SYS:DoesNotExist. IniFileMapping is the mechanism Windows uses to redirect reads of .ini-style files into the registry: the SYS: prefix points at HKLM\SOFTWARE\DoesNotExist, a location that does not exist, and the leading @ tells Windows not to fall back to the file on disk when the registry location is empty. The result is that any autorun.inf on any drive is treated as empty, so nothing in it is ever executed. Registry key names are not case sensitive, so this also covers AUTORUN.INF.
For extra security you can go to the new Autorun.inf key and set some special permissions. I go into the special permissions, add “Everyone” and then deny all access except reading and querying the key. This should prevent malicious software from changing the value of the key in almost all cases. Keep in mind that a deny entry for Everyone also applies to administrators and SYSTEM, so you will have to remove it yourself before you can change or delete the key, and malware that is already running with administrator rights can still take ownership of the key and reset the permissions; it is a speed bump, not a wall.
The Microsoft solution is ineffective and breaks Windows Media Player. When you use Microsoft’s solution, each time you change a CD in Media Player you have to close and re-open Windows Media Player for it to recognize the new disc. With the solution I am suggesting, Windows Media Player still recognizes when you change a disc.
Giving credit where it is due, a guy named Emin Atac came up with this approach. There are few known side effects of this approach, and none is as bad as the side effects of allowing auto-infect, er… autorun.
To undo the modification, delete the key that was created (in regedit, or after removing any deny permission you added), or import a copy of the same reg file in which the second line has a minus sign just inside the opening bracket, [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf], and the third line is removed. A minus sign in that position tells regedit to delete the key instead of creating it.
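The whole procedure above (create the key, lock down its permissions, check it, undo it) as an added PowerShell example. This is my own code, not the reg file from the post and not Michael’s tool; it assumes an elevated (Administrator) PowerShell prompt, and the function names are mine.

```powershell
# Added example, not from the original post: the noautorun.reg change, the
# "extra security" permission step, an audit check and the undo, done from an
# elevated PowerShell prompt. Function names below are my own.

$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Mapping    = '@SYS:DoesNotExist'

function Disable-Autorun {
    # Same effect as importing noautorun.reg: create the key and set its
    # (Default) value. Windows then looks for autorun.inf's contents under
    # HKLM\SOFTWARE\DoesNotExist and, because of the leading @, never falls
    # back to the file on the removable media.
    if (-not (Test-Path -Path $AutorunKey)) {
        New-Item -Path $AutorunKey -Force | Out-Null
    }
    Set-ItemProperty -Path $AutorunKey -Name '(default)' -Value $Mapping
}

function Test-AutorunDisabled {
    # Audit check: $true only if the key exists and carries the exact mapping.
    if (-not (Test-Path -Path $AutorunKey)) { return $false }
    $current = (Get-ItemProperty -Path $AutorunKey).'(default)'
    return ($current -eq $Mapping)
}

function Protect-AutorunKey {
    # The "extra security" step: a Deny entry for Everyone (SID S-1-1-0)
    # covering everything except reading/querying. Deny entries are evaluated
    # before Allow entries and Everyone includes Administrators and SYSTEM, so
    # no account can change the value until the entry is removed. This is a
    # speed bump only: code running as an administrator can still take
    # ownership of the key and reset the ACL.
    $acl       = Get-Acl -Path $AutorunKey
    $everyone  = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
    $denied    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $deny      = [System.Security.AccessControl.AccessControlType]::Deny
    $rule      = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $everyone, $denied, $inherit, $propagate, $deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $AutorunKey -AclObject $acl
}

function Enable-Autorun {
    # Undo. The Deny entry would block the delete, so strip Deny entries first
    # (the key's owner keeps the right to change permissions), then remove the
    # key; this is what a [-HKEY_LOCAL_MACHINE\...] line in a .reg file does.
    if (-not (Test-Path -Path $AutorunKey)) { return }
    $acl = Get-Acl -Path $AutorunKey
    foreach ($entry in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        $acl.RemoveAccessRuleAll($entry) | Out-Null
    }
    Set-Acl -Path $AutorunKey -AclObject $acl
    Remove-Item -Path $AutorunKey -Force
}

# Usage, from an elevated prompt:
#   Disable-Autorun; Protect-AutorunKey; Test-AutorunDisabled   # expect True
#   Enable-Autorun                                              # put it back
```

Test-AutorunDisabled is the piece worth keeping around: run it after Windows updates or on machines you inherit, because the key is only protected by the deny entry and that entry is undone by anyone who takes ownership. If Set-Acl inside Enable-Autorun is refused, take ownership of the key in regedit first and run it again.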
If you have questions about this or any general security topics, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education


March 25th, 2009 at 3:03 pm
Small typo in the first line..
“[..it does block one IF the attack vectors and prevents many..]”
Should read: one OF the
I’m being picky. Ignore me.
March 25th, 2009 at 3:15 pm
We just got something from “DHL” and it contained a file called DHL_HELP, that apparently DHL says has a virus. I looked on the server that was hosting the customer and it had a file called DHL_HELP.exe running. I couldn’t find any info on this, which makes me think it’s brand new. Have you guys heard of this? I was thinking it might be related to Conficker.
March 25th, 2009 at 3:41 pm
It’s not actually Conficker, but it’s a known Trojan Downloader. Thanks for letting us know.
March 25th, 2009 at 3:51 pm
Thank you, Mr. Mouse.
Fixed.
March 26th, 2009 at 2:11 am
Dear Mr. Abrams,
“[Please note, the second line wraps, but it is really a single line.
——————————————————————————————
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=”@SYS:DoesNotExist”
——————————————————————————————]”
Do you mean that @=”@SYS:DoesNotExist” must be typed right after ‘Autorun.inf]’ without a space.
Please kindly instruct. Thanks.
March 26th, 2009 at 2:55 am
Dear Mr. Abrams,
I found the answer from the site you mentioned:
(http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives)
“Note that there are three lines in the file, the middle line may wrap when displayed by a web browser, but it needs to be a single line in the .reg file.”
Thank you.
April 2nd, 2009 at 5:44 am
“When you create and then run the registry file it create a key called Autorun.inf in HKLM/Software/Microsoft/Windows Nt/Currentversion/IniFileMapping . The value of the key is @=@SYS:DoesNotExist. ”
Actually, the value of the key is @SYS:DoesNotExist, isn’t it?
April 5th, 2009 at 1:48 am
Rather than asking people to make complicated registry changes themselves, why not just use Panda Security’s “vaccination” program that supposedly disables autorun? [Edited]
DOES THIS WORK? AND DOESN’T IT DO THE SAME THING AS YOUR ADVICE, EXCEPT A LOT EASIER?
April 6th, 2009 at 3:42 am
Panda’s vaccine sounds like a good idea for some people, and if you’re going to automate autorun disabling, it’s safer to go with a utility from a reputable antimalware company than with the first link you pick up off a google search, which may or may not be innocent/genuine/useful.
I’m not going to link to this tool, because I haven’t tested it or looked at it in detail (when I upgrade to a 28 hour day, I may have time to do that…), and there are actually quite a few utilities that claim to do this. There also seems to be some confusion as to how permanent the process is in some scenarios, and sometimes you -may- need to turn Autorun back on temporarily.
August 27th, 2009 at 3:59 pm
In response to the post:
We just got something from “DHL” and it contained a file called DHL_HELP, that apparently DHL says has a virus. I looked on the server that was hosting the customer and it had a file called DHL_HELP.exe running. I couldn’t find any info on this, which makes me think it’s brand new. Have you guys heard of this? I was thinking it might be related to Conficker….
Have you seen this issue come up since, or was it only a one-time email from “DHL”. I just ask, because we recently got something very similar.
August 28th, 2009 at 1:00 pm
A similar comment was posted quite a while back. This is a long running scam. The bad guys are always changing the malware associated with it though. The email did not come from DHL.
October 6th, 2009 at 4:35 am
I’m a little confused. I run ESet on this machine and I just plugged it in. ESet started popping an alert window telling me I had an autorun virus. This autorun file, according to ESet, tried to access explorer.exe and one other file… I want to say it was SVCHost but don’t quote me on that. Anyway, I tried to open the file in Notepad and then in a hex editor (that’s right, I read hex) and couldn’t. My assumption is that I had a virus but am also thinking that ESet is actively trying to overprotect me. I am not sure which. Please let me know which it is or direct me to the forum where I can find out? And also, how may I check and see what other sorts of things ESet has in store for my future? Perhaps they’d like to let me know how many kids I’m going to have, or where I will be working next year, or what kind of car I should buy? Or where I should shop?
October 6th, 2009 at 4:36 am
Sorry, meant to say “I just plugged a USB drive in.” Not just “it.” I’m only halfway into my second cup of coffee…