Stopping Autorun Viruses


6 replies to this topic

#1 dargueta

    I chown trolls.

  • Moderator
  • 4854 posts
  • Programming Language:C, Java, C++, PHP, Python, JavaScript, Perl, Assembly, Bash, Others
  • Learning:Objective-C

Posted 28 August 2009 - 05:49 PM

I was at work one day when a coworker came to me, saying that they were unable to access their hard drive through My Computer. Double-clicking on the C: icon popped up a mysterious message box:

ERROR: File not found: C:\MS32DLL.dll.vbs.

* This was over a year ago, so the actual error message might've been slightly different. I'm just writing it from memory.

Now this looked really suspicious for multiple reasons:
1) Windows by default hides extensions to known file types. This means that the file would normally show up as MS32DLL.dll, which would appear to be a legitimate file.
2) The .vbs extension is for VBScript files. What is a VBScript file doing in the root of the hard drive?
3) Why is Explorer trying to execute it when the drive is opened?

I right-clicked on the C: drive, and clicked "Explore". Sure enough, after enabling showing hidden and operating system files, there were two very suspicious-looking files: autorun.inf and MS32DLL.dll.vbs.

Autorun files are only supposed to be used in removable media, like installation CDs. The fact that this was on the hard drive was incredibly suspicious. I deleted it, and opened the VBS file in Notepad. Of course, it was malicious. Using Windows API registry functions, it enabled the Autorun feature and copied itself onto every drive on the system every two minutes, and set itself to be executed on every startup. It also modified the user's home page, among other annoying things.

So, basic lesson to learn from this:
1) DISABLE AUTORUN. This will stop a lot of viruses from spreading from one drive to the other. You can do this by opening regedit.exe and modifying the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

There should be an entry with the name NoDriveTypeAutorun. Set it to 0x95 to disable autorun on everything but CD drives, or 0xB5 (the letter 'B', not the number '8') to disable it on all drives.

Note: the following menu commands are for XP and previous versions. Vista has a different menu, which I forget at the moment. I'll edit this as soon as I find it.

2) Enable viewing hidden files. In Explorer or My Computer, go to Tools > Folder Options > View and select "Show hidden files and folders." If you want, you can disable hiding operating system files as well, but I don't really think it's necessary unless you suspect you have a virus.

3) Disable hiding file extensions. You have no idea how many viruses depend on this for hiding, especially email viruses. Again in Explorer or My Computer, go to Tools > Folder Options > View and uncheck "Hide file extensions for known types."

4) Keep a close eye on what you stick in your computer. If you're sticking in a questionable flash drive, check the root directory first either through the DOS prompt or Explorer, not My Computer, as it will execute whatever autorun script is there.

Edited by dargueta, 29 August 2009 - 08:23 AM.

  • 2

sudo rm -rf / && echo $'Sanitize your inputs!'
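An added example, not code from the thread: a PowerShell audit of the settings the post describes. It decodes whichever NoDriveTypeAutoRun value is present so you can see exactly which drive types it covers, checks the hidden-file and extension view settings, and reads autorun.inf from each drive root without opening the drive, so nothing it points at gets launched. It assumes Windows PowerShell 5.1 or newer and an elevated prompt for writes under HKLM; the registry paths and bit meanings are Microsoft's documented ones.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 or newer;
# writing under HKLM needs an elevated prompt. The bit meanings are Microsoft's documented
# NoDriveTypeAutoRun mask; 0x95 and 0xB5 are the two values the post recommends.
$AutoRunBits = [ordered]@{ 0x04 = 'Removable'; 0x08 = 'Fixed';    0x10 = 'Network'
                           0x20 = 'CD-ROM';    0x40 = 'RAM disk'; 0x80 = 'Unknown' }
$PolicyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ViewKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-AutoRunPolicy {
    # The value may be set in HKCU and/or HKLM; decode which drive types each one actually covers.
    foreach ($hive in 'HKCU', 'HKLM') {
        $val = (Get-ItemProperty -Path "${hive}:\$PolicyKey" -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $text = '(not set)'; $blocked = ''
        if ($null -ne $val) {
            $text    = '0x{0:X2}' -f $val
            $blocked = ($AutoRunBits.Keys | Where-Object { $val -band $_ } |
                        ForEach-Object { $AutoRunBits[$_] }) -join ', '
        }
        [pscustomobject]@{ Hive = $hive; NoDriveTypeAutoRun = $text; AutoRunDisabledOn = $blocked }
    }
}

function Set-AutoRunPolicy {
    # Writes the post's value; 0xB5 by default. Re-run Get-AutoRunPolicy afterwards to confirm.
    param([int]$Value = 0xB5, [string]$Hive = 'HKCU')
    $path = "${Hive}:\$PolicyKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value $Value -Type DWord
}

function Get-ExplorerViewSettings {
    # Hidden=1 shows hidden files, ShowSuperHidden=1 shows OS files, HideFileExt=0 shows extensions.
    $p = Get-ItemProperty -Path $ViewKey
    [pscustomobject]@{ ShowHiddenFiles = ($p.Hidden -eq 1); ShowOSFiles = ($p.ShowSuperHidden -eq 1)
                       ShowExtensions  = ($p.HideFileExt -eq 0) }
}

function Find-AutorunInf {
    # Reads autorun.inf from each drive root instead of opening the drive in My Computer, so
    # nothing is launched; reports what the file would run (open=, shellexecute=, shell\...\command=).
    $pattern = '^\s*(open|shellexecute|shell\\[^=]*command)\s*=\s*(.+)$'
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $d.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $targets = Get-Content -LiteralPath $inf -Force | ForEach-Object {
            if ($_ -match $pattern) { $matches[2].Trim() } }
        [pscustomobject]@{ Drive = $d.Root; File = $inf; WouldLaunch = ($targets -join '; ') }
    }
}
```

Run `Get-AutoRunPolicy; Get-ExplorerViewSettings; Find-AutorunInf` to see the current state; an autorun.inf on a fixed drive whose WouldLaunch column names a script is exactly the situation the post describes.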


#2 Guest_Jordan_*
  • Guest

Posted 28 August 2009 - 05:53 PM

While I immediately see the logic behind this, I've never once thought of this. In the same thought, I've never had this problem because I have antivirus software. +rep
  • 0

#3 dargueta

    I chown trolls.

  • Moderator
  • 4854 posts
  • Programming Language:C, Java, C++, PHP, Python, JavaScript, Perl, Assembly, Bash, Others
  • Learning:Objective-C

Posted 28 August 2009 - 06:10 PM

They did at school, too. The problem was that the script was interpreted by wscript.exe which was a trusted component or something stupid like that, so it just slid right by.
  • 0


#4 WingedPanther73

    A spammer's worst nightmare

  • Moderator
  • 17757 posts
  • Location:Upstate, South Carolina
  • Programming Language:C, C++, PL/SQL, Delphi/Object Pascal, Pascal, Transact-SQL, Others
  • Learning:Java, C#, PHP, JavaScript, Lisp, Fortran, Haskell, Others

Posted 28 August 2009 - 06:50 PM

Oy. I hate cleaning up ** like that. I'm a firm believer in killing autorun.
  • 0

Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

My MineCraft server site: http://banishedwings.enjin.com/


#5 BlaineSch

    CC Leader

  • Expert Member
  • 1559 posts

Posted 28 August 2009 - 08:43 PM

I have always viewed known file types just so that I can edit stuff from like .dat to .txt or something easily.

I never realized you could stop autorun; there are probably tons of things you can do in the registry. Ah, I remember I played with it once... heh... always make a backup! :D

+Rep!
  • 0

#6 dargueta

    I chown trolls.

  • Moderator
  • 4854 posts
  • Programming Language:C, Java, C++, PHP, Python, JavaScript, Perl, Assembly, Bash, Others
  • Learning:Objective-C

Posted 28 August 2009 - 08:45 PM

Definitely always make a backup. I've learned the hard way several times. Once I had to create a new user, load the broken user's registry settings, modify those, save them back, log in as the old user and delete the new user. Took me forever. (And thanks for the rep.)
  • 0


#7 Sanders

    CC Newcomer

  • Just Joined
  • 11 posts

Posted 05 January 2010 - 06:37 PM

I thought it was a temporary problem before; seems I was wrong.
Thanks, learned a lot!
  • 0