Sunday, May 06, 2007

Autorun.inf Worm infecting removable USB drives

A few days ago, I met an unknown friend whose pen drive got infected with a strange virus/worm. I didn't know at that moment what the problem was. I gave him all the possible solutions, but it seemed he had tried them all. Now it's a recent threat circulating around the world.

This Autorun.inf worm is technically called w32/SillyFD-AA. It installs itself onto systems and puts a message in Internet Explorer reading 'Hacked by 1BYTE'. It also installs an autorun.inf on any removable drives, such as USB sticks or floppy discs. The worm gets installed automatically on any new computer where the infected drive is inserted. Its effect can be seen in Internet Explorer's title bar, and the annoyance is that regular file/folder actions can no longer be performed easily.
Besides, the way it spreads is the same as what we experienced with viruses transferred on floppy diskettes. At least floppy disks allowed us to write-protect them, but with USB drives we don't have that option, so they are the most vulnerable storage media for transferring worms.

The solution, and the best way to stay safe, is to disable the autorun feature in Windows XP or any other OS. Then delete the Autorun.inf from the removable drive's root folder.

Sophos antivirus claims it can remove this worm successfully. To download the trial edition, see http://www.sophos.co.uk/products/es/endpoint/sav.html

18 comments:

Speed said...

The virus is also deleted by Avira antivirus. I also got the virus from my college PC, but it did not cause much trouble because I had Avira installed on my machine.

Navin said...

yeah, it's not harmful but it's annoying..

:)

Ashish said...

Almost all the computers in my college have this virus.

Navin said...

oh ho.. the Autorun.inf virus/worm is capable of triggering a lot more dangerous executables..

it's not yet implemented but soon it could happen, and if that happens, the other inviting PC will be seriously hampered. Right now, it's just regarded as an annoying worm obstructing normal file operations.

the best bet is to use Autorun disabled.

Ashish said...

And how do we disable autorun?

Navin said...

Ashish, sorry for not including how to disable Autorun before.
Here are the steps (for XP).

1. Start --> Run --> type "gpedit.msc" without the quotes and press Enter.

2. We'll see the Group Policy console. There, under Local Computer Policy, there are a) Computer Configuration and b) User Configuration.

3. Since we are to tweak Computer Configuration, under Computer Configuration --> select "Administrative Templates" --> select "System" --> Turn off Autoplay.

4. Double-click that "Turn off Autoplay" option and select "disabled" on the next screen.

(This will disable all kinds of autorun.)
To disable only CD/DVD autorun, from the My Computer screen, right-click the CD/DVD drive and, from the AutoPlay tab, select the option called "TAKE no action" or something like that.. but you can figure that out yourself. It's very easy for CD/DVD..
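
Added example (not part of the original post or its comments): the "Turn off Autoplay" policy is stored in the registry value NoDriveTypeAutoRun, so the effective setting can be checked after changing it. This Python code decodes the bitmask and reports whether removable drives are covered; the function names are hypothetical, and the 0x91 fallback assumes the documented Windows XP default when no policy value exists.

```python
# Drive-type bits of NoDriveTypeAutoRun: a set bit turns AutoRun OFF for that type.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
    0x08: "fixed", 0x10: "network", 0x20: "cdrom",
    0x40: "ramdisk", 0x80: "reserved/unknown",
}
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"
XP_DEFAULT = 0x91  # assumption: value Windows XP behaves as if set when none exists


def decode_mask(mask):
    """Return the drive types for which AutoRun is turned off."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def effective_mask(hklm, hkcu, default=XP_DEFAULT):
    """A machine-wide (HKLM) value overrides the per-user (HKCU) one."""
    if hklm is not None:
        return hklm
    return hkcu if hkcu is not None else default


def audit(hklm=None, hkcu=None):
    """Summarise the effective policy from the two registry values."""
    mask = effective_mask(hklm, hkcu)
    return {
        "mask": mask,
        "disabled_for": decode_mask(mask),
        "removable_protected": bool(mask & 0x04),
        "all_drives_protected": (mask & 0xFF) == 0xFF,
    }


def read_registry():
    """Read both hives on Windows; returns (None, None) on other systems."""
    try:
        import winreg
    except ImportError:
        return None, None
    found = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value = winreg.QueryValueEx(key, VALUE_NAME)[0]
                if isinstance(value, bytes):  # stored as REG_BINARY
                    value = int.from_bytes(value, "little")
                found.append(value)
        except OSError:
            found.append(None)
    return tuple(found)


if __name__ == "__main__":
    print(audit(*read_registry()))
```

A mask of 0xFF turns AutoRun off for every drive type; any mask without bit 0x04 leaves USB pen drives exposed.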

Speed said...

Ashish bro, you could also download Avira personal edition and it will block the worm from getting into your PC.

Sulav said...

I had not seen this post until now. People, I am sorry, but I have to admit that the theory part is wrong. I mean the way you say this worm gets into one's computer, I don't think so. Just putting the pen drive in the port does not reproduce the worm!!!! Maybe I will post something regarding this.

dOwN bUt nOT oUt said...

Script-type worms are so in these days. I am preparing an article about protecting (prevention, not the cure) computers from infection caused by the viruses residing in pen drives, totally based upon my experience, for the next issue of yubamanch. Let's see how it goes.

Navin said...

Sulav, only if the computer is set to Autorun things that are plugged into it; else it's safe for some time unless the file (executable) on the pen drive is executed.
So, just plugging in the pen drive did create chaos on the host PC.

I've found a tool to remove this sort of virus. It's here http://www.meroguff.com/2007/07/perlovga-removal-tool.html
If interested you can try this tool and can include in your next article too.

Sulav said...

I have not yet seen a pen drive auto-running like CDs/DVDs, so I don't think it is the default action, only if you have set it to autorun.
They prompt first, don't they?? Does yours open directly??!! Without asking???

Navin said...

They do autorun like CD/DVD unless an AutoRun.inf in the pen drive, with the following contents in it, is missing:
[autorun]
open=something.exe
icon=something.ico

Some old pen drives weren't smart enough and don't support this autorun feature, but with the BIOS (motherboard) supporting USB-ZIP boot, USB drives (which we call pen drives or thumb drives) definitely can autorun and can be bootable at the same time. That's why we don't need floppy drives anymore, because we do it using either CDs or USB pen drives.

If our system is set to sense auto-insertion (plug/play or Autoplay), it'll try to look up the file AutoRun.inf. If it doesn't find that file, it'll throw up some options where we can select the choices to run that CD, BUT if it finds the AutoRun.inf file and finds some necessary programs set in the file, it'll run the file without asking us. Look at the above Autorun.inf content: something.exe will be run as soon as the pen drive/CD is inserted.

My pen drive is an old model, just 32 MB, and it doesn't support AutoRun things, but with the help of software called PenDrive Autorun (http://www.microtoolz.com/mainframe/products/PDA_Trial.zip) it's possible.
I've seen/used some Kingston drives which have their own tiny OS on them, which autorun their own portable applications as soon as we insert them in the USB port. And there is a feature in Windows VISTA which lets us use a USB drive as an extra alternative PHYSICAL RAM module, albeit the USB drive must be supported by VISTA, meaning it must have that ultra-fast speed to be used as a RAM module in VISTA.
A normal USB drive can't do that at all. If you can't run your USB pen drive with the Autorun feature, it must be pretty old and file transfer is not good either.

You can find some USB pen drives in the market with a biometric security feature: they have a fingerprint recognition pad on the surface, and only the owner of the pen drive will be able to unlock the content of the drive. I've not used this type of drive but am waiting to experience it whenever I get the chance.

To get a simple idea of Autorun.inf:
http://www.microtoolz.com/mainframe/support/support.htm

Sulav, keep reading. If you've anything, lets discuss. Let us share the things we know.

One more thing, people are taking the USB pen drive as a portable computer because of the portable applications it can carry, or because a Linux OS (or some other OS) can exist on it. Simply take a pen drive loaded with an OS, plug it in somewhere, boot off it and start working on our own tiny PC. Portable PC, yeah?>>

NOTE: i've recently experienced that my blog is not rendering correctly in Firefox, because some of the links in my post are shown missing. Please use Internet Explorer to read contents correctly.
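
Added example (not part of the original post or its comments): a defensive check for the AutoRun.inf layout quoted above. It parses the [autorun] section of a drive's root file and lists the entries that would launch a program, so a pen drive can be inspected before it is opened; the function names and the sample content are constructed for illustration.

```python
import os

# Keys whose value names a program to launch; shell\<verb>\command entries
# add right-click menu actions that also run a program.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section (names are case-insensitive)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
        # anything else is junk padding and is ignored
    return entries


def launch_commands(entries):
    """Return (key, value) pairs that would start a program."""
    return [
        (key, value)
        for key, value in entries.items()
        if key in EXEC_KEYS
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def audit_drive(root):
    """Find autorun.inf (any letter case) in a drive root and list what it launches."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "r", errors="replace") as fh:
                return launch_commands(parse_autorun(fh.read()))
    return []


# Constructed sample, same shape as the content quoted in the comment above.
SAMPLE = "[autorun]\nopen=something.exe\nicon=something.ico\n"

if __name__ == "__main__":
    print(launch_commands(parse_autorun(SAMPLE)))
```

An empty result means no autorun.inf was found or it launches nothing; any returned entry names a file on the drive worth scanning before use.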

Sulav said...

I use Opera, he he he. If I run Firefox, it gets slow. Inefficient memory management.

Navin said...

oh ho.. have you tried using about:config in the Firefox address bar?? It lets us tweak so many things. I've tampered with about:config in the Firefox address bar and I discovered too many things.

Sulav said...

oh thanks dude, I did not know that.
Any particular tweaks you want to suggest??

pt_guy said...

People, it is like this: the autorun.inf comes in many formats. On my PC the autorun made it reboot by itself; it gave an error and then rebooted all the time. It was hard to clean, because I had to restore the system and then clean step by step. Only by disabling hidden files from the system did I discover it, but I know that I will see it again. Even on my pen drive, I clean it and it keeps coming back, and I keep deleting the stupid worm.

Shiva Bhusal said...

The latest antivirus I have used is NavyAtivirus [USB security system]… it protected my computer from USB viruses like blastclnn svchhsot.exe recyler… etc. and so on.. it protects your computer from autorun.inf and can repair your computer also.
Click:
http://shivabhusal.freevar.com/navyav.zip

Shiva Bhusal said...

The latest antivirus I have used is NavyAtivirus [USB security system]… it protected my computer from USB viruses like blastclnn svchhsot.exe recyler… etc. and so on.. it protects your computer from autorun.inf and can repair your computer also.
Click:
http://www.shivabhusal.com/navyav.exe

homepage: http://navyantivirus.shivabhusal.com

Copyright © 2014
Designed by Navin