Prevent Autorun Virus - Fighting Autorun Viruses



Autorun.inf is a feature of the Microsoft Windows operating system family, introduced to let even the most inexperienced users run and install software and system device drivers. The feature became so infamous, so criticized and so widely abused that experts estimated one out of every ten viruses was bound to be an autorun virus. It became so notorious that people took the mere presence of an Autorun.inf file as the presence of malware and a possible sign of infection. Antivirus products today report a suspicious or infected object if they find an Autorun.inf file in any directory or on any drive other than a CD/DVD-ROM.
From simple script viruses such as Rahul'sVirusProtection, SemiAntivirus and the VBS.Autorun.Gen family to super-viruses like Conficker and Stuxnet.A, all of them (mis)used Autorun.inf in their quest to infect the computers of unsuspecting people.

I won't claim that after reading this you won't get infected at all by any autorun virus, and I won't claim that you will be able to cure an already infected PC. What I guarantee is that the next time you insert your removable device into your computer, you will open it with knowledge that will save you from a possible infection.

What makes the Autorun Virus work?

Viruses don't run by magic. A common misconception is that viruses run automatically, which is of course not true. Viruses use exploits, techniques such as file infection, and countless other tricks in the book to run themselves; those tricks are hard-coded by the virus authors into their creations. Viruses are programs designed to act according to the situations they might, or do, encounter and to make logical decisions accordingly. They run when the system starts by making malicious changes to the default system configuration. That is all for this paragraph, as I would literally have to explain the whole concept of programming if I went any further.

Look at the picture above; it shows an Autorun.inf file taken from an infection agent. As you can see, the file has a sentence after the word Action=. That command instructs the computer to show the sentence as a menu entry in the Autoplay popup, and this is what is called social engineering. The phrase Open folder to view files is actually a hard-coded menu entry in every member of the Windows family that supports Autorun.inf. With a fake copy introduced by the virus, the user is more likely to choose the fake one, because it is the one that usually ends up in the user's view. The picture makes this clearer.
As you can see, there is a path after ShellExecute=, which is the path of the virus. The prefix .\ means the path starts from the current folder, which is of course the drive's root directory, since Autorun.inf lies in the root folder of the drive. RECYCLER is the name of the folder in which the virus resides, ~JHYMADHU is a random directory created by the virus to hide in, and the last component is of course the name of the virus itself. So the virus, which the operating system assumes is a setup file needed to install some software or device driver (which it of course is not), runs when the user double-clicks the drive. To make everything seem normal, some virus variants also open the drive's root folder in a new window, so the user has no reason to suspect that something is wrong.

Next is icon=, which is given the path to User32.dll in the System folder to set the icon of the removable device.
The next one is really interesting. An entry of the form Shell\SOMETHING\Command= creates a fake entry in Explorer's right-click (shell) menu. As you can see in the picture above, there is an entry Shell\Open\Command=, and, as you have guessed, it gives you a fake Open item when you right-click your removable device. The same goes for the other two similar entries; the Format... and Explorer items are used by the script worm called Rahul'sVirusProtection (a VBScript virus). The reason I am focusing on this particular virus is that its variants have spread around the globe entirely through the (mis)use of removable devices.

So, you may not be 100% safe the next time you click the Format button.
Experts have estimated a huge fall of 1.2 million in the number of infection agents and infections with the introduction of Windows 7. So you are really safe from autorun viruses when you are using Windows 7. The point worth noting is that Windows 7 has no support for Autorun.inf on drives other than CD/DVD-ROMs. But for pre-Windows 7 releases the risk persists, and the trick works even on fixed drives (hard disk drives).

How to avoid getting infected?

I know there are hundreds and thousands of websites offering you the same poor suggestion of disabling Autorun.inf from RegEdit, and so on. Believe me, this may not be the perfect solution. The reason I explained the inner workings of Autorun.inf and its role in computer infection in the What makes the Autorun Virus work? section is that knowing the disease lets you develop a cure for it. So, how do you avoid getting infected by an autorun virus?

When you open the drive, open it by typing its path into the Windows Explorer title bar. By doing this, you bypass any infection agent that would otherwise be infecting your computer.

Before you double-click the drive, keep the following things in mind:
  1. If you are using Windows XP, check whether there are two Autorun options in the right-click menu. If there are two Autorun options, there is a very high chance that your device is infected.
  2. Check whether there are two options with the same name in the right-click menu.
  3. Check whether there are two Open folder to view files entries in the popup menu.
  4. Don't double-click the drive if its icon is different from normal.
(Image: Icon changed)

(Image: Social Engineering Trick)
Ninety percent of the time, the virus and the Autorun.inf file are not the same thing, yet your antivirus usually detects only the Autorun.inf file; this is not uncommon. Antivirus products check for the occurrence of certain strings in the Autorun.inf file and report it if they find one. If the infection agent is not a file infector, you usually get a scan report with a single object detected as malicious; this is not the case for viruses that infect executables. But if the antivirus detects a single file as the virus, chances are that the real infection agent is still present on your device.

Please note that Autorun.inf also has a command called UseAutoplay=. If its value is set to 1, Windows XP will run the virus straight away, without any interaction on your part, immediately after you insert the device. This is not the case for Windows Vista.
Taking the above precautions will help keep you from being infected.
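As an added example (not code from the post), here is a small Python scanner that parses an autorun.inf and flags the indicators explained in the What makes the Autorun Virus work? section and in the notes above: an Action= text that copies the built-in Open folder to view files entry, a launch path hiding under RECYCLER, a drive icon borrowed from a system DLL, Shell\verb\Command entries that plant the duplicate Open / Explore / Format items the checklist tells you to look for, and UseAutoplay=1. It also lists every file the inf would launch, because, as noted above, the antivirus often flags only the inf while the real infection agent sits elsewhere on the device. The two sample autorun.inf bodies are constructed for this demo; the directory and executable names are placeholders rather than the names from the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows' own Autoplay menu text; a fake action= copies it so the malicious
# entry blends in with the real one.
BUILTIN_AUTOPLAY_TEXT = "open folder to view files"
# Explorer right-click verbs the post says get overridden with fake entries.
HIJACKABLE_VERBS = {"open", "explore", "format"}
# Folders a launch path should never point into on a removable drive.
HIDDEN_DIRS = ("recycler", "recycled", "system volume information")


@dataclass
class AutorunReport:
    launch_path: Optional[str] = None                 # what a double-click runs
    targets: List[str] = field(default_factory=list)  # every file the inf can launch
    hijacked_verbs: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lowercase keys (keys are
    case-insensitive, ';' starts a comment, verbs look like shell\\open\\command)."""
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def analyze_autorun(text: str, optical_drive: bool = False) -> AutorunReport:
    """Apply the indicators described in the post to one autorun.inf body."""
    entries = parse_autorun(text)
    report = AutorunReport()
    targets: List[str] = []

    # 1. Launch target: open= (classic key) or shellexecute= (the key in the post).
    launch = entries.get("open") or entries.get("shellexecute")
    if launch:
        report.launch_path = launch
        targets.append(launch)
        if not optical_drive:
            report.reasons.append("launch directive on a non-optical drive")
        if any(d in launch.lower() for d in HIDDEN_DIRS):
            report.reasons.append("launch path hides in a system folder: " + launch)

    # 2. Social engineering: action= impersonates the built-in menu entry.
    if BUILTIN_AUTOPLAY_TEXT in entries.get("action", "").lower():
        report.reasons.append("action= copies the built-in 'Open folder to view files'")

    # 3. Disguise: drive icon borrowed from a Windows system DLL.
    icon = entries.get("icon", "").lower()
    if ".dll" in icon and ("system32" in icon or "systemroot" in icon):
        report.reasons.append("icon= taken from a Windows system DLL")

    # 4. Fake right-click menu: shell\<verb>\command entries overriding real verbs.
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            targets.append(value)
            verb = parts[1].rstrip(".")  # "format..." -> "format"
            if verb in HIJACKABLE_VERBS:
                report.hijacked_verbs.append(verb)
    if report.hijacked_verbs:
        report.reasons.append("context-menu verbs hijacked: "
                              + ", ".join(sorted(report.hijacked_verbs)))

    # 5. UseAutoplay=1 makes Windows XP run the target with no click at all.
    if entries.get("useautoplay") == "1":
        report.reasons.append("UseAutoplay=1: runs on insert under Windows XP")

    report.targets = sorted(set(targets))  # where the real infection agent lives
    return report


# Constructed sample modelled on the post's description (not a real malware
# file; the directory name and executable name are placeholders).
MALICIOUS_SAMPLE = r"""
[autorun]
action=Open folder to view files
open=.\RECYCLER\~RANDOMDIR\sample.exe
icon=%SystemRoot%\system32\user32.dll,0
shell\open\command=.\RECYCLER\~RANDOMDIR\sample.exe
shell\explore\command=.\RECYCLER\~RANDOMDIR\sample.exe
shell\Format...\command=.\RECYCLER\~RANDOMDIR\sample.exe
UseAutoplay=1
"""

# Constructed autorun.inf of an ordinary software CD, for contrast.
BENIGN_CD_SAMPLE = """
[autorun]
open=setup.exe
icon=setup.exe,0
action=Install the application
"""
```

Running analyze_autorun(MALICIOUS_SAMPLE) returns six reasons and a single target path, which is the file to look for beyond the inf itself; the same CD-style inf passed with optical_drive=True returns no reasons, while on a removable drive its bare open= line is still reported, matching the antivirus behaviour described at the top of the post.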


Panda USBVaccine
Use Panda USB Vaccine.


Learn the inner workings of the virus, understand its logic and the flow of control. Learn how you can make your own autorun virus.
