Secure your system and deny automatic execution of commands

Nov 28, 2007 09:05 GMT

As useful as it may seem, AutoRun can get you in a lot of trouble. It is helpful when a new disc is inserted or you plug in a flash drive, automatically launching installers, but this can pose a serious risk for your computer's security. If you do not know in advance what data is stored on a disc or on a USB key, chances are your computer may get infected.

Here's how it all works. In both Vista and XP, AutoPlay is enabled by default. The moment you insert a disc, AutoPlay will automatically prompt you for an action. But if the disc has an autorun.inf file at its root, Windows will execute all the commands included in that file. This file generally contains instructions for launching an installer, splash screen or another file of some sort.

The same happens with USB flash drives. The moment they are plugged into a computer, AutoPlay will kick in, displaying the options for the device, and Windows will look at the root for an autorun.inf and automatically execute the commands included. AutoPlay can be disabled without too much fuss in Vista. Going into the "Properties" window of the drive and choosing "AutoPlay", you can customize the actions to be taken when a disc is inserted. Choosing to take no action will still run the contents of the autorun.inf file, and turning AutoPlay off will not prevent Windows from executing the commands included in the AutoRun.inf file located at the root. It will only stop displaying the automatic menus; the commands in AutoRun.inf will still be obeyed.

The trouble is that the little file containing a set of commands can be the trampoline for any kind of malware stored somewhere on the USB key. The worst part is that the nasties can be launched without your knowledge and multiply to any other drive available on your computer.

Luckily, there is one solution for disabling the running of an autorun.inf file without too much effort. The downside is that, when inserting game discs, the installation screen will no longer appear automatically and you will have to give it a manual jump start. But hey, at least no malware will make its way inconspicuously to your computer (AutoRun files can also be executed when accessing removable media).

Here's what you have to do: paste the following in Notepad and save it under any name you want, but with .REG extension. Once this is done, all you have to do is add it to the registry by double-clicking on it.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

It involves adding a new key to the registry, telling the operating system how to handle autorun.inf files. The principle is simple: the OS is told not to use the values inside the file, but instead to go to a nonexistent location in the registry in order to find the values that will be used. As that location does not exist, the system will treat autorun.inf as if it were completely empty, so nothing will be executed behind your back.

As I said before, all software on an inserted disc will have to be launched manually. That's an inconvenience I would gladly take, in order to keep my computer as malware-free as possible. However, if you want to reverse the operation and enable AutoRun again, all you have to do is delete the key from the registry. Everything will get back to normal and AutoRun will be executed each time.

I know the solution is not quite a comfortable one, as deleting the entry in the registry requires a system reboot, but system administrators will be able to reduce worm infection risk. Plus, a manual launch of an executable never hurt anyone; it eliminates the automation of the process, but you will see in time that it is not that bad.
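For administrators who would rather check or roll out this setting from a script than double-click a .REG file, here is an added PowerShell example (it is not part of the original article). The script layout, the `-Mode` parameter and the state names are assumptions made for the example; the key path and value are the ones given above.

```powershell
# Added example (not from the original article): audit, apply or revert the
# IniFileMapping override for autorun.inf. Apply and Revert need an elevated
# session because they write to HKLM.
param(
    [ValidateSet('Audit', 'Apply', 'Revert')]
    [string]$Mode = 'Audit'   # hypothetical parameter name
)

$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Expected = '@SYS:DoesNotExist'

function Get-AutorunMapping {
    # Default value of the key, or $null when the key (or its default value) is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    return (Get-Item -LiteralPath $KeyPath).GetValue('')
}

switch ($Mode) {
    'Apply' {
        if (-not (Test-Path -LiteralPath $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $KeyPath -Name '(Default)' -Value $Expected
    }
    'Revert' {
        if (Test-Path -LiteralPath $KeyPath) {
            Remove-Item -LiteralPath $KeyPath -Recurse
            Write-Warning 'Key removed; the article notes that a reboot is required.'
        }
    }
}

# Report the resulting state in every mode, so the script doubles as a check.
$current = Get-AutorunMapping
$state = if ($null -eq $current) {
    'NotConfigured'          # autorun.inf is still read from the media
} elseif ($current -eq $Expected) {
    'Blocked'                # lookups are redirected to the nonexistent location
} else {
    'Unexpected'             # some other mapping is present; review it by hand
}

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Value    = $current
    State    = $state
}
```

Run with no arguments, it only reads the key and reports the state, which makes it safe to use as a periodic compliance check.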