Disabling autorun feature of USB drives

As you are aware, currently one most common medium for virus spreading is USB flash drives. There is a feature in Windows which allows automatically executing a program when removable disc (either USB drive or CD drive) is inserted. (This post will use the terms USB drive, flash drive, USB flash drive interchangeably. All refer to the same term.)

This autorun feature is implemented using a file autorun.inf. Autorun.inf is not a virus. It is a file which defines the autorun task which executes when the removable media is inserted. This file was a method to create automatic installation CDs, such that the software installation will start immediately after the CD is inserted into the CD-rom. For window OS, there is no distinction between a CD drive & USB drive, as far as autorun feature is concerned.

Viruses use this file – autorun.inf – in order to spread via USB flash drives.

A typical autorun.inf file created by a virus may look like follows:

[autorun]
open=path-to-virus-file.exe
explore=path-to-virus-file.exe

By default, when you attach the USB drive, windows will check for this file in the drive. If found, it will check whether there is an entry for “open=” part. If there is any entry, this file will get executed after you attach the USB drive. Hence as per above sample autorun.inf file, the program path-to-virus-file.exe will get executed when it is attached. This way, the virus executes after connecting the USB drive.

Similarly, if you right click on the drive in my computer, you will see options like open, explore etc in popup menu. The corresponding entries in autorun.inf are executed when the respective menu items are clicked. If the entry for some option is missing in autorun.inf, the default action (open / explore e.g.) is taken. Also, when you double click on the drive, the default action is open; thus the command corresponding to ‘open’ in autorun.inf executes.

Now, above paragraph was a bit confusing. In short I would say, whether you double click on the drive, or right click on drive & select open/explore, in any of these cases, the autorun entry in autorun.inf will get executed. If this entry points to a virus file, virus file will get executed. Hence, never double click on drive. Never right click on drive & select open / explore.

Having said all this, how do I access files in the drive, if I cannot open the drive? Well, there is a way for that.
Open windows explorer, (by pressing <Windows button + E> together). After that, in left side pane, you will see the drives & folders in tree like structure. Now click on the desired drive in that pane. This will open the drive in safe way – bypassing autorun.inf. There are even more methods to achieve this, but I found this as simplest & safest method.

So this was about bypassing autorun.inf, while opening the drive. But what about the original feature of autorun? – automatically opening the installation program when the drive was connected…
For this, there are several ways out...

Simplest one is by keep pressing shift key, while attaching the USB drive (or inserting CD), till the drive is fully detected. When new type flash drive is connected for the first time, windows will install specific device driver. (E.g. when connecting sandisk drive for the first time, windows will install sandisc flash drive driver.) You have to keep the shift key pressed till the driver installation is complete & you can see the drive in “my computer”. If connecting external hard disc, containing multiple partitions, keep the shift key pressed, till all the partitions are detected.
Hint: open windows explorer by pressing Win+E, BEFORE connecting the USB drive, so that you can identify the point, when the device is fully detected & thus, when you can safely release shift key.

This method of pressing shift key is simple, but not reliable, because it involves human factor. You might forget to press shift key. Or some friend may connect his USB drive, when he is using your pc, without pressing shift. You might release the shift key before the drive detection is complete, & so on.

Thus there is another way – automatic way – of skipping the autorun feature when the USB drive is connected. This involves disabling autorun by using registry.
For this, copy following text into a text file. Save that file as autorun.reg. Double click on that file & press OK when prompted.

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF
"NoDriveAutoRun"=dword: 03FFFFFF
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF
"NoDriveAutoRun"=dword: 03FFFFFF

With this, the autorun feature will be disabled, when you connect the drive. So, no need to keep pressing the shift key. However, when the system is freshly installed, in order to make this setting for the first time, I generally copy this .reg file using a USB drive. So for that first time, while connecting, I need to use shift-key-method.

Also note that, this method disables the autorun, only when connecting the USB drive. This registry method or the shift key method will not work, if you double click on the drive. To prevent autorun from that method as well, use the windows explorer -> selecting the drive from tree view method.

With these precautions, the autorun feature of the USB drive is bypassed. & the virus, if any, does not execute when connecting the flash drive. This way, there is no need to virus-scan the flash drive, when connected.

Now, how to remove the virus, if any, from the flash drive?
Open the autorun.inf file, if found. It may be marked as system &/or hidden file. Make sure that you keep the system & hidden files visible (use folder options from the tools menu of windows explorer).
Ideally, you should see the autorun.inf file, only if there is some software installation in the flash drive. In autorun.inf, find the “open=something.exe” entry. If that name looks like some virus name, delete it. & Finally, don't forget to delete the autorun.inf file itself.

Know your friends

So you have decided that you won't install antivirus, or use some low-end antivirus. Now what? What to do when a virus comes to your system? What tools do you use for the virus detection and removal?
Below is a list of free-wares that I use.

1. Process explorer
   It’s a tool developed by sysinternals for Microsoft and is available for free download. This is a kind of better version of task manager. It’s better than task manager in several ways.
   
   • It can show the running processes in tree-like format, thus the process creation hierarchy is shown and you can identify which process initiated which one.
   • It also shows the path of running process. Thus, if there is a fake executable, (say explorer.exe), which is located at some wrong location, (say your profile folder) instead of its correct location (system32 folder in case of explorer.exe), you can detect that the path is wrong. And hence the file can be a fake one, or at least undesirable one.
   • New process creating and destruction can be seen visually, using color indication. Thus it’s easier to keep track of process creation, when you need to diagnose.
   • Provision to suspend / resume any process – when the parent process is suspended and its children are killed, the suspended parent process cannot re-start the child process again and you can easily delete the child process executable.
   • Process handle – many a times we encounter the issue while “safely removing hardware” that some process is using the hardware. Hence windows cannot remove it. Now, question is which process? You can search for the drive letter (say h:\) and can get the list of processes, which are accessing the drive.
   • And finally, the best part of it: it can replace task manager. I.e. when you try to open task manager (say by pressing ctrl+alt+del or ctrl+shift+esc), it will actually open process explorer. Hence, there is hardly any change required in user habits.
   So I would strongly recommend you to stop using task manager and move to process explorer.
2. Command prompt
   Nothing comes as handy as command prompt, when trying to delete any file, when your windows explorer does not allow you to do so easily. Simple basic commands like
   
   • cd
   • dir /a
   • rmdir /s /q
   • type
   • del/erase
   • attrib -s –h
   • title (very stupid command, but helped me in removal of one virus)
   are generally sufficient for our need.
3. msconfig
   Know which processes and services are loaded at your system startup. Remove suspicious processes and services. You may also remove some genuine process, which you don’t want to run at system startup (like winzip quickpick). It will make your system run faster, as less processes are running on your system. Press Win+R and enter msconfig in the dialogue box to open msconfig.
4. Autoruns
   it’s kind of advanced version of msconfig. It’s also developed by sysinternals for Microsoft and can be downloaded from here. It shows many paths, where the system checks for startup programs. Remove suspicious items from the list.
5. Windows explorer / Internet explorer 6 + Shift-delete
   When you find the location where your virus is located, next thing to do is shift+delete (unless, if you want to keep that file as pet for experimentation :P). The virus location can be found out by using tools like process explorer or msconfig or autoruns. Internet explorer 6 can be used to browse your directories, if windows explorer is unable to do so, due to some reason. If you could not delete the virus file for some reason, try deleting using command prompt.
6. Registry editor
   This is one risky thing to work on. If you mess up something in this, there is a possibility that your system will never boot again. Having said this, I will also recommend that one should play with the registry. Safe option is, to enable system restore, create a system restore point and then play with the registry. In registry, you will find many configurations and settings. When you want to remove some viruses manually, it’s good idea to use registry, to disable the execution of virus. The details of how to use registry, will be given in coming posts, wherever required
7. Commands – tasklist, taskkill, reg etc
   Well, it’s easy to use task manager (read: process explorer), registry editor… but what to do if somehow the task manager or registry editor has been disabled by some virus? In these cases, we first need to enable these tools using registry. Sometimes, these tools are not disabled in registry, but the virus detects that you have opened the task manager and then t kills the task manager’s process. How to know the name of virus in such case?
   Here, the command line tools are helpful.
   As you can understand from name, tasklist gives you a list of processes running in your system. And taskkill can be used to end a process. There are several options to these 2 commands. For more details, run “tasklist /?” or “taskkill /?” at the command prompt.
   Similarly, whatever you can do with registry editor, everything can be done with reg command. Run “reg /?” for more details about the reg command.
8. Notepad
   Use notepad to create the registry files, batch files, vbscripts and so on
   I would however, recommend using freeware notepad++ because of the features it provides.
9. Process Monitor
   It can be used to monitor the process creation, exit, thread creation, exit, opening and closing of files by the processes already running in the system. Thus, it’s easier to keep track of what’s happening in your system.
10. tweakui
    Again, a powertool by Microsoft… Google for tweakui for the link.
    This gives you many features and customization options, with a nice GUI. The options like autorun features, etc (explained in next post) can be set using this GUI. Overall, it’s a nice free tool.
11. Firefox + google
    When (almost) everything fails, google comes to our rescue. :-)
    Whatever problem you are facing, try to find some peculiar thing about the virus. This can be the virus exe name (say msmxeng.exe obtained using process explorer or otherwise) or some message string, it pops up (e.g. “I dont hate mozilla but use IE or else”), Search for such specific keywords on internet. Check the sites for some antivirus company, for solution about how to manually remove the virus. These sites may also give details about what harm that particular virus does, so that you can undo that if possible.
12. Linux live CD
    Finally, you have tried everything possible and known, but you could not delete the virus due to some reason. In such cases, Linux comes to rescue your windows. Boot using the Linux live cd. Mount the partition containing the virus. Locate the virus executable file and, peacefully, delete that file. No program will prevent you deleting that file in windows, when you are booting from Linux.
    There are many, many flavors of Linux live cds, which you can use for this. I mostly use ubuntu or knoppix live cd.
13. Other computer, with antivirus
    Disconnect the virus infected hard disk from your system and connect to other system with up-to-date antivirus and scan that hard disk. (Still this means, that you install antivirus on only one windows machine. Other systems don’t need to have the antivirus.) After scanning, you can reconnect to your system.
14. Parted magic
    If for some reason you cannot disconnect it from your system (say, e.g. it’s a laptop hard disk) then copy the infected partition to another external HDD using parted magic. Scan that HDD using antivirus and overwrite that partition from external HDD to internal HDD.

With these handy tools, you will most likely be able to detect, delete most of the viruses.

Popular beliefs vs reality

I have a good antivirus program, hence my computer is safe from any viruses.
As mentioned in an earlier post, all what an antivirus program does is, it checks the file under test with its virus definitions. If all the definitions show negative test with that file, the file is considered to be clean. Hence, if there is any new virus, whose definition is not present in the virus definitions of your antivirus, it will be shown as clean.

I have multiple antivirus programs installed, so I am safer.
Most likely, when an antivirus sees another antivirus running, it stops himself checking for viruses. & The other antivirus also does similar. Eventually, nobody protects your system from virus threat. Both the antiviruses, however, consume your hard disk space, RAM & CPU cycles.

All files flagged by my antivirus program are viruses.
The antivirus is also a software program. You can write a program, which will be fitting the virus's characteristics - autorun entry, creating of autorun.inf in removable drives, copying to system32 folder etc. A classic example was n.vbe file, which was reported by many antiviruses as infection. But, when I actually read the file (yes, it was a text file), I came to know that it was indeed a program to remove certain viruses.

I must have an antivirus program.
As I said earlier, having an antivirus does not imply that your system is protected from all sorts of viruses. & if it is not going to protect you, why do you must have an antivirus program? Just because Windows security center keeps warning you to have antivirus? In reality, with some simple precautions, one can work on Windows system normally, without having to use an antivirus. These precautions will be covered in next posts. Generally it's a good idea to clean your hard disk, once-for-all, by connecting to separate, clean system, with good, up-to-date antivirus running. Then onwards, with these precautions, viruses won't affect your system.

I need a great firewall.
For normal user like us, windows firewall is generally sufficient.

I have never connected to internet. How can a virus enter my system?
A  virus can enter your system from many sources. The most common medium these days is USB flash drives & LAN.

Transferring over LAN / P2P will bring viruses with them.
Generally, yes. But not always. You can copy files over LAN. Just make sure that you don't execute the executable files without scanning.

I have downloaded only from authentic site. How can it have a virus?
My personal experience - My sony ericsson phone's memory card, newly bought, just taken out of the box, had virus. So even if you are downloading something from authentic source (website, friend, computer vendor), be cautious.
Also, which sites do you think are authentic sites? I trust very few sites for that matter. microsoft original website. Sites like sourceforge.net, which provide mainly open source softwares, sites like download.com / softpedia.com, when they explicitely mention that the software is virus free. & known official sites of certain softwares. Beware of fake websites.

I have virus on my system. My files are infected:
A virus is a software program. It's very unlikely that any virus will corrupt your data files. Very rarely the purpose of writing a virus is data corruption. The common purposes are - keylogger/password sniffer, trogens, threatening the user to buy the antivirus, etc.

I have got a virus on my system. At least now, I MUST install antivirus.
No again. As said earlier, an antivirus can not guarantee you that there will be no virus in your system after scanning. A simpler approach would be to remove the virus manually. This also helps to keep your system resources consumption less; since there is still no antivirus.

My flash drive has a virus. If I connect it to my system, it will infect my system also.
A virus is nothing more than a software program. It cannot execute on its own. So, in short, if you prevent it from executing, it will not execute against your wish & if it does not execute, it cannot do any harm to your system. How to prevent it from executing - see later posts.

Autorun.inf is a virus.
Autorun.inf is actually not a virus. Rather, it is a file which defines the autorun task which executes when the removable media is inserted. This file was a method to create automatic installation CDs, such that the software installation will start immediately after the CD is inserted into the CD-rom.
Viruses use this file in order to spread via USB flash drives.
A typical autorun.inf file created by a virus may look like follows:

[autorun]
open=path-to-virus-file.exe
explore=path-to-virus-file.exe

Hint: We can open this file using a text editor, like notepad & see the path where virus is located in your flash drive & then happily delete the virus executable file.

Lastly, a file looks like a genuine windows file. How can it possibly be a virus?
Don't ever believe that just because it looks like a windows file, it is a genuine file. The author of the virus program will try to make sure that you think that the file is genuine windows file.
A file marked as system file (see file attributes) does not necessarily imply that it is system file, required by windows. In fact, most of the files in your system32 folder are not with hidden or system attributes. If you find executable file with hidden / system attribute, in system32 directory, it is quite likely a virus.

Basic definitions

(These are definitions in my words. For more accurate definitions, refer wikipedia.)

Computer virus: It's a software program, not desired to be running in your system. (Contrary to this definition, microsoft products are not counted as Viruses ;) :P).

Computer viruses show similar symptoms as living-viruses (or for that matter, humans too).
1. They hog your system resources.
2. They spread to other systems & infect them also.
3. They can corrupt the data on your system for their purpose - spreading.

There are multiple types of these unwanted programs like
- Virus,
- Spywares (these can upload your personal data on web without your knowledge),
- keylogger (mainly for stealing passwords),
- trojens (they try to steal your information & can allow external user to control your computer),
- etc.
For more correct definitions of these, please refer google / wikipedia.

Antivirus: It's the program that does/tries/claims to remove virus threats from your system. They have definitions of known viruses as their database. These definitions are nothing but some patterns that are commonly seen in these virus files.
Similar to antivirus, there are anti-spywares, which are designed to remove spywares from computer systems.

Firewall: Apart from the virus infection on files on your system, there is another source of threat - the network. Network threats include many types of attacks like IP address forging, DNS response forging, denial of services attack etc. These network related attack are taken care of by the firewall. firewall protects your computer against these network attacks. There are many more related terms, but those may not be required at this stage & will be covered in the individual post, if required.

Disclaimer

I am not any computer expert. These are some of my understandings, as I read on internet, software documentation & my own exploration. I won't take any legal responsibility, if any damage is caused because of use of this information. The purpose of this blog is just knowledge sharing. This information is not universal & may not work in some cases.

Also, I have gathered this information from various sources. I will try to put the references whenever I will remember. But if I missed at some place, original authors, please forgive & comment the link of your post.

Happy reading.

First post

This post is intentionally left blank. (I know, uggach. Great books have it ;) )