Stopping Autorun Viruses

[dargueta]

I was at work one day when a coworker came to me, saying that they were unable to access their hard drive through My Computer. Double-clicking on the C: icon popped up a mysterious message box:

ERROR: File not found: C:\MS32DLL.dll.vbs.

* This was over a year ago, so the actual error message might've been slightly different. I'm just writing it from memory.

Now this looked really suspicious for multiple reasons:
1) Windows by default hides extensions to known file types. This means that the file would normally show up as MS32DLL.dll, which would appear to be a legitimate file.
2) The .vbs extension is for VBScript files. What is a VBScript file doing in the root of the hard drive?
3) Why is Explorer trying to execute it when the drive is opened?

I right-clicked on the C: drive, and clicked "Explore". Sure enough, after enabling showing hidden and operating system files, there were two very suspicious-looking files: autorun.inf and MS32DLL.dll.vbs.

Autorun files are only supposed to be used in removable media, like installation CDs. The fact that this was on the hard drive was incredibly suspicious. I deleted it, and opened the VBS file in Notepad. Of course, it was malicious. Using Windows API registry functions, it enabled the Autorun feature and copied itself onto every drive on the system every two minutes, and set itself to be executed on every startup. It also modified the user's home page, among other annoying things.

So, basic lesson to learn from this:
1) DISABLE AUTORUN. This will stop a lot of viruses from spreading from one drive to the other. You can do this by opening regedit.exe and modifying the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer

There should be an entry with the name NoDriveTypeAutorun. Set it to 0x95 to disable autorun on everything but CD drives, or 0xB5 (the letter 'B', not the number '8') to disable it on all drives.

Note: the following menu commands are for XP and previous versions. Vista has a different menu, which I forget at the moment. I'll edit this as soon as I find it.

2) Enable viewing hidden files. In Explorer or My Computer, go to Tools > Folder Options > View and select "Show hidden files and folders." If you want, you can disable hiding operating system files as well, but I don't really think it's necessary unless you suspect you have a virus.

3) Disable hiding file extensions. You have no idea how many viruses depend on this for hiding, especially email viruses. Again in Explorer or My Computer, go to Tools > Folder Options > View and uncheck "Hide file extensions for known types."

5) Keep a close eye on what you stick in your computer. If you're sticking in a questionable flash drive, check the root directory first either through the DOS prompt or Explorer, not My Computer, as it will execute whatever autorun script is there.

[Jordan]

While I immediately see the logic behind this, I've never once thought of this. In the same thought, I've never had this problem because I have antivirus software. +rep

[dargueta]

They did at school, too. The problem was that the script was interpreted by wscript.exe which was a trusted component or something stupid like that, so it just slid right by.

[WingedPanther]

Oy. I hate cleaning up crap like that. I'm a firm believer in killing autorun.

[BlaineSch]

I have always viewed known file types just so that I can edit stuff from like .dat to .txt or something easily.

I never realized you could stop auto run, there are probably tons of things you can do in the registry, ah I remember I played with it once... heh... always make a backup!

+Rep!

[dargueta]

Definitely always make a backup. I've learned the hard way several times. Once I had to create a new user, load the broken user's registry settings, modify those, save them back, log in as the old user and delete the new user. Took me forever. (And thanks for the rep.)

[Sanders]

I thought it is temporary problem B4, seems wrong
Thanx, learned a lot!