Disable Windows auto-run for USB/Flash drives and stop trojans

spacemuis

Well-Known Member
Joined
Feb 26, 2006
Messages
270
Hi,
After battling a nasty trojan infection on an external drive that was shared between three laptops, I can recommend that you all consider disabling Windows' auto-run feature on external hard drives and USB flash drives.

Wow! What a hassle - we relied on AVG's free antivirus which I now believe is worth what you pay for it, i.e. nothing. Have since switched to Avast, with much better results.
As soon as I cleaned one computer, another one would reinfect the drive, and then the other computers...eventually the Master Boot Record on the drive got so corrupted that it became invisible to all computers, and had to be inserted into an internal drive slot before the MBR could be repaired. This in itself was a hassle since we all have laptops and only one ancient desktop pc which didn't have the requisite SATA drive controller. Eish.

So there appears to be a pernicious strain of Trojans that replicate via external drives, modifying their MBRs so that as soon as you plug the drive into a USB port, the infectious vector in the MBR executes and your PC gets infected - and subsequently infects all external drives and Flash drives that get attached!

I have now implemented the instructions below on all our Windoze computers, and feel much safer now. I've always been annoyed by the autorun feature anyway - when I plug in a drive with all sorts of mixed media on it (movies, music, backups, installs, etc etc) then when would I ever want Windows to launch into playing it all whenever I attach the drive? Never, that's when.

Instructions for Win XP Pro - if you have Home, then follow the instructions on this page from Step 9 onwards.

1. Click Start and then click Run
2. Type gpedit.msc and click OK
3. The Group Policy window will open. In the left pane, double-click Administrative Templates
4. In the right pane, double-click System
5. Scroll down the list and double-click Turn Off Autoplay
6. In the Turn Off Autoplay Properties window, select Enabled. From the dropdown next to Turn Off Autoplay on, select All drives and then click OK
7. Exit Group Policy by selecting File, then choosing Exit from the menu.

Hope this helps!
 

The_Unbeliever

Honorary Master
Joined
Apr 19, 2005
Messages
103,197
When you cleaned the computers, did you disconnect them from the network?

And did you check out the other two computers before reconnecting the cleaned computer?
 

Asha'man X

Expert Member
Joined
Aug 31, 2006
Messages
1,395
Hi there

We've started to have this problem at work as well, plus it's infected my home computer and a staff member's personal computer I fixed up.

It seems that while the darn thing is still in system memory, it will keep infecting external drives, even if you delete the file. I tested it using my dad's flash drive. Luckily I could make it read only, so that eventually helped.

Also, Avast picked it up and got rid of it, but couldn't seem to clear it out of ram. This new breed of nasties makes me shiver to think of what's going to happen before much longer.
 

spacemuis

Well-Known Member
Joined
Feb 26, 2006
Messages
270
What is this particular trojan called?

Sorry, I don't know anymore. When I uninstalled AVG I asked it to clear its virus vault also. I was only too happy to see the back of this trojan to think of collecting trophies ;)

One of the clear signs of infection on the ext drive was that it created AUTORUN.INF in the root, and a hidden system folder called RECYCLER within which it created something like info.exe (not 100% sure of this name now).
It also infected svchost.exe in Windows/System32 of the host which is pretty core to Windows' operation...
 

Asha'man X

Expert Member
Joined
Aug 31, 2006
Messages
1,395
I sorted out that very problem with my home pc on Saturday, the autorun and recycler combination. Watching how it kept returning from the dead on the flash drive was kind of fun in a really perverse way. I was thinking about getting the garlic and silver stakes :p

Seriously though, I'm picking this up more and more at work. Worse part is that no matter how good I get things down here at work, it just takes somebody to bring a flash drive from home that got infected there...

I installed Avast, Comodo Firewall and Spybot on the school principal's machine, and hopefully his kids don't re-infect the system when they use their flash disks that they bring from UCT or wherever.

My best friend tells me that this category of buggers is doing the rounds on the UCT networks. They just can't get rid of it :(
 

Random717

Expert Member
Joined
May 30, 2006
Messages
2,120
I've disabled autorun on all my lab systems with antivirus; those too slow for antivirus had the usb drivers deleted :D
 

spacemuis

Well-Known Member
Joined
Feb 26, 2006
Messages
270
If you administer a network with Active Directory you should set up the Group Policy to disable Autorun on all clients (using the settings in my first post) - and prevent clients from re-enabling this option!
Of course this won't cure the infection, but it will at least inoculate against reinfection.
 

Glordit

Expert Member
Joined
May 3, 2007
Messages
2,333
lol, what do you people do to get infected with Trojans/Viruses & Adware all the time? :D
 

Picard

Guest
lol, what do you people do to get infected with Trojans/Viruses & Adware all the time? :D

Staff members share a number of computers at school and everyone has USB drives. Their kids (students at university/tech) infect the computers at home and my colleagues bring it to school.
 

Asha'man X

Expert Member
Joined
Aug 31, 2006
Messages
1,395
If you administer a network with Active Directory you should set up the Group Policy to disable Autorun on all clients (using the settings in my first post) - and prevent clients from re-enabling this option!
Of course this won't cure the infection, but it will at least inoculate against reinfection.

I'm not a hundred percent sure it will prevent re-infection, as if you double click the drive in My Computer, autorun will get run. I think that if you explore the drive it won't infect right away.

I'm seriously considering doing this, as very few people use CDs, which is where I actually want to leave autorun on. I think in Windows Server 2008 you can be more granular in choosing which types of drive to kill autorun on, but on our Windows 2003 based system I'm not sure it's easily achieved.

Thank heavens most of my users are running as standard users or at best Power User. In its own way this has helped prevent further spread of this plague.
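The Group Policy steps in the first post and the wish above to be more granular about drive types both come down to one registry value: "Turn Off Autoplay" on "All drives" writes the DWORD NoDriveTypeAutoRun = 0xFF under the Explorer policy key, and each bit of that mask corresponds to one drive type. The script below is an added example and not from the thread; it reads that value, reports which drive types can still autorun, and can apply either the all-drives mask or a mask that leaves CD-ROM autorun enabled. It assumes an elevated PowerShell on the affected machine and that the bit meanings match Microsoft's documentation of the value; the function names are my own.

```powershell
# Added example, not from the thread: inspect and set NoDriveTypeAutoRun,
# the machine policy value behind the "Turn Off Autoplay" Group Policy setting.
# Assumptions: elevated PowerShell; bit meanings per Microsoft's documentation.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DriveBits = [ordered]@{
    Unknown   = 0x01   # drive type could not be determined
    NoRootDir = 0x02   # drive with no root directory
    Removable = 0x04   # USB sticks, external drives reported as removable
    Fixed     = 0x08   # internal and most external hard disks
    Network   = 0x10
    CDROM     = 0x20
    RamDisk   = 0x40
    Reserved  = 0x80   # set by 0xFF so every type is covered
}

function Get-NoDriveTypeAutoRun {
    # Returns the current DWORD, or $null when no policy value has been written
    $item = Get-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Get-AutorunAllowedDriveTypes {
    # Drive types whose bit is NOT set are the ones where autorun still fires
    $value = Get-NoDriveTypeAutoRun
    if ($null -eq $value) { return @($DriveBits.Keys) }
    return @($DriveBits.Keys | Where-Object { ($value -band $DriveBits[$_]) -eq 0 })
}

function Set-NoDriveTypeAutoRun {
    param([Parameter(Mandatory)][int]$Mask)
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value $Mask -Force | Out-Null
}

# 0xFF is what the GPO "All drives" choice writes; 0xDF is everything except CD-ROM
$AllDrives   = 0xFF
$AllButCdrom = $AllDrives -band (-bnot $DriveBits.CDROM)

$stillAllowed = Get-AutorunAllowedDriveTypes
if ($stillAllowed.Count -eq 0) {
    Write-Output 'Autorun is disabled for every drive type.'
} else {
    Write-Output ('Autorun still enabled for: {0}' -f ($stillAllowed -join ', '))
}
# Uncomment one line to apply; Explorer picks the new value up at the next logon
# Set-NoDriveTypeAutoRun -Mask $AllDrives
# Set-NoDriveTypeAutoRun -Mask $AllButCdrom
```

Because this is the same value the GPO writes, it changes nothing about the double-click behaviour described in the post above: the mask stops the automatic launch when the drive is inserted, not Explorer's handling of an autorun.inf when the drive icon is opened. On a domain, set the same value through Group Policy rather than per machine so users cannot flip it back.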
 

ubercal

Expert Member
Joined
Dec 5, 2005
Messages
2,796
As mentioned, the best two ways are:

1. Use Group Policy.
2. Run a proggie called "Flash Disinfector" on your PC. It creates an autorun.inf folder on your memory. This will prevent your memory from getting infected by already infected machines.
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,156
On ntfs drives, just create an autorun.inf, remove all file permissions from it and be cool.:cool:
 

ubercal

Expert Member
Joined
Dec 5, 2005
Messages
2,796
On ntfs drives, just create an autorun.inf, remove all file permissions from it and be cool.:cool:

True, that also works, but by using Flash Disinfector it scans and cleans viruses before it creates the autorun.inf folder.
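The indicators spacemuis listed earlier (an AUTORUN.INF file in the drive root and a hidden RECYCLER folder holding an executable) and the autorun.inf-folder vaccine discussed in the last few posts can both be handled from a script. The one below is an added example, written for this thread and not Flash Disinfector's code: it reports those indicators on a drive root, shows which commands an autorun.inf would hand to Windows without running them, and separately plants an autorun.inf folder so that an infected machine cannot drop a file of that name. It assumes $Root is the root of a removable drive (the 'E:\' path is a constructed placeholder) and an elevated PowerShell so hidden and system attributes can be read and set; the function names are my own.

```powershell
# Added example, not from the thread and not Flash Disinfector's code.
# Assumptions: $Root is a removable drive root such as 'E:\'; run elevated.

function Find-AutorunIndicators {
    param([Parameter(Mandatory)][string]$Root)
    $findings = @()

    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        $findings += "autorun.inf file present in root: $inf"
        # Report the launch directives in the file without executing any of them
        $findings += @(Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { "autorun.inf would launch: $($_.Trim())" })
    }

    $recycler = Join-Path $Root 'RECYCLER'
    if (Test-Path -LiteralPath $recycler -PathType Container) {
        # -Force lists hidden/system entries, which is how these droppers hide
        $findings += @(Get-ChildItem -LiteralPath $recycler -Recurse -Force -Include *.exe, *.com, *.scr, *.bat -ErrorAction SilentlyContinue |
            ForEach-Object { "executable under RECYCLER: $($_.FullName) ($($_.Length) bytes)" })
    }
    return $findings
}

function Protect-DriveRoot {
    # Plants the autorun.inf folder vaccine: a file and a folder cannot share a name
    param([Parameter(Mandatory)][string]$Root)
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        throw "An autorun.inf file already exists at $inf; clean the drive first."
    }
    if (-not (Test-Path -LiteralPath $inf -PathType Container)) {
        New-Item -ItemType Directory -Path $inf | Out-Null
    }
    # Hidden + System + ReadOnly keeps the folder out of sight and out of casual deletion
    $item = Get-Item -LiteralPath $inf -Force
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly
    return $inf
}

$root = 'E:\'   # constructed placeholder; point this at the drive to check
$hits = @(Find-AutorunIndicators -Root $root)
if ($hits.Count -eq 0) { Write-Output "No autorun indicators found on $root" }
else { $hits | ForEach-Object { Write-Output "[!] $_" } }
# Protect-DriveRoot -Root $root   # only once the drive and the machines it visits are clean
```

The folder only blocks creation of a same-named file; it does nothing about an infection already on the drive or resident in memory on a host, which is why ubercal's point about cleaning first matters. On NTFS-formatted drives the permission-stripping variant HavocXphere describes can be layered on top of the folder with Set-Acl.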
 

Asha'man X

Expert Member
Joined
Aug 31, 2006
Messages
1,395
I'm starting to wonder if killing autorun will slow this down even.

As far as I can tell, there appear to be variants of these Trojans doing the rounds. Some will just copy themselves over, and do little else, and are easy to remove, others get downright nasty, and attempt to add themselves to the registry.

Earlier today I had one of the more nasty types infect a pc, but thanks to SpyBot, it stopped it from writing to the registry and possibly causing a long term infection.

Good old Symantec found nothing on the drive of course. The sooner our school gets NOD32, the better.

I found that the thing created an extra folder in the RECYCLER folder, and placed a file called sys32.exe in there. I've set it to be deleted using Hijack This on the next reboot of the system.

This bloody problem is causing all sorts of miseries amongst the staff, yet unless they sort out their home computers first, there's only so much I can do, with limited tools or budget.
 

daveza

Honorary Master
Joined
Apr 5, 2004
Messages
43,500
As far as I know, this is the Perlovga 'virus' - but there are quite likely variants by now.
 

Asha'man X

Expert Member
Joined
Aug 31, 2006
Messages
1,395
@ daveza

Yeah, I think it's a variant of it. Symantec doesn't even blink an eye when you scan it, nor can I delete it while the system is running.

Just had another confirmation that UCT's network is struggling with these same issues as well.

Amazing how the darn stuff replicates, and the path it travels. Flash drives make it so darn easy.
 