No Autorun

Discussion in 'other anti-malware software' started by atomomega, Sep 24, 2010.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Does Windows fully disable the autorun feature? I ask because I see a difference between USB Vaccine and the Windows autorun group policy. With USB Vaccine, for example, flash drives that display icons won't display them. With the Windows autorun group policy, the icon will be displayed.
    So, this makes me want to ask what could happen in a situation where an icon could be infected? If the icon is loaded, will the malware start? Or will the malware not be able to execute at all?
     
  2. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    When you run this did you use a stick that had U3 software or none?
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No U3, a normal USB.
     
  4. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    That's disturbing. It sounds like it's dormant (where we can't see it visually unless you run this app). If I try this software can it be reversed where you can write to it? If so, that could definitely be handy. From what I can see you install it on your computer not the usb stick.
     
    Last edited: Sep 26, 2010
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I don't understand you fully.

    You can reverse it very easily.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    There are so many ways to disable autorun in Windows - some seem to be effective, others not, depending on whom you read.

    I have found the Microsoft Power Toy, TweakUI for XP, to be effective on several WinXP SP2 and SP3 systems on which I've installed it.

    It controls the NoDriveAutorun key, rather than the NoDriveTypeAutorun key.

    NoDriveAutorun is configured at

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    A brief description:

    AutoRun
    http://en.wikipedia.org/wiki/AutoRun#NoDriveAutoRun
    However, this Key really controls AutoPlay:

    Microsoft® Windows® XP Registry Guide
    http://www.microsoft.com/mspress/books/sampchap/6232a.aspx
    Screenshot of that Key in the Registry:

    CD-NoDriveAutoRun.gif

    And TweakUI. You can see the category, AutoPlay. Checking/unchecking a drive letter sets the values automatically in that Registry Key:

    CD-TweakDrives.gif

    Naturally, if the drive cannot Autoplay, the Autorun.inf file will not execute its commands.

    Whether a user chooses one of Microsoft's methods -- Group Policies, manual Registry tweaks -- or, TweakUI which enters the values automatically in the Registry-- or the No Autorun product discussed here -- My advice is to thoroughly test on the system. Just use a simple autorun.inf file on USB drive to start the calculator:

    Code:
    [autorun]
    open=calc.exe
    Also, insert an installation CD - the setup file should not start automatically.

    ----
    rich
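
To check which drives a given pair of policy values actually covers, the sketch below decodes `NoDriveAutoRun` (one bit per drive letter) and `NoDriveTypeAutoRun` (one bit per drive type). It is an added example, not part of the post above; the function names, the sample values and the drive inventory are constructed for illustration.

```python
# Added example: decode the two Explorer policy values named in the post.
# Bit layouts are the documented Windows ones; sample data is constructed.

# NoDriveTypeAutoRun: one bit per drive type (0x80 is reserved).
TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40,
}

def letters_disabled(no_drive_autorun):
    """NoDriveAutoRun: bit 0 is A:, bit 1 is B:, ... bit 25 is Z:."""
    return [chr(ord("A") + i) for i in range(26) if (no_drive_autorun >> i) & 1]

def types_disabled(no_drive_type_autorun):
    """Names of the drive types whose bit is set in NoDriveTypeAutoRun."""
    return [name for name, bit in TYPE_BITS.items() if no_drive_type_autorun & bit]

def autorun_blocked(letter, drive_type, no_drive_autorun, no_drive_type_autorun):
    """A drive is covered if either its letter bit or its type bit is set."""
    letter_bit = 1 << (ord(letter.upper()) - ord("A"))
    return bool(no_drive_autorun & letter_bit
                or no_drive_type_autorun & TYPE_BITS[drive_type])

def uncovered(drives, no_drive_autorun, no_drive_type_autorun):
    """Return the drive letters on which AutoRun is still permitted."""
    return [letter for letter, kind in drives
            if not autorun_blocked(letter, kind, no_drive_autorun, no_drive_type_autorun)]

# Constructed inventory: (letter, type) pairs as they might appear on one PC.
SAMPLE_DRIVES = [("C", "fixed"), ("D", "cdrom"), ("E", "removable"), ("Z", "network")]

if __name__ == "__main__":
    nda, ndta = 0x18, 0x91   # constructed policy: letters D and E, type mask 0x91
    print("letters:", letters_disabled(nda))
    print("types:  ", types_disabled(ndta))
    print("still allowed on:", uncovered(SAMPLE_DRIVES, nda, ndta))
```

A flash drive that mounts under a letter outside the mask is not covered by `NoDriveAutoRun` alone, which is one reason to test with the actual device as the post advises.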
     
  7. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Correct me if I'm wrong but I thought this was a read process only when you use this software. Did you install on the computer or the usb stick?
     
  8. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    It does not. There's actually an option on the GUI that allows you to keep Autorun for cd/dvd. But it's unchecked by default.
    Any time you want, you just uncheck the option that says "USB Disk Soft Write Protect" and back to normal.
    That's right, and in fact it doesn't require any installation at all. You can move it to any folder you want. It's just an .exe that runs at startup.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thank you,

    But, not my doubt. My doubt was related to somefile.ico. Some autorun.inf files are set like this:

    [AutoRun]
    open=someexecutable.exe
    icon=neat_name.ico

    By disabling Autorun through Group Policy (I still haven't tried of Windows methods), the executable does not run. But, it does load the icon, while with Panda USB Vaccine, the icon won't load.

    Now, my doubt is: In the possibility the icon neat_name.ico is infected, would there be a chance for the system to become infected as well (Considering no other measures are set in place.)? After all, the icon does load, so I'm guessing the malware would load as well?

    I know it may sound a refuscated idea... but... in the possibility of happening, what would happen if this infected icon file loads?

    I'm asking this based on the fact that Panda USB Vaccine fully prevents anything from being loaded, as I already mentioned. I'm just wondering if what Group Policy does is enough?
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, I misunderstood, because icon loading is done from the Registry as it reads the autorun.inf file, and is not really a command like Open=

    Thus, an icon will load even though autorun or autoplay is disabled.

    The ICO file format is a media format, and I've never heard of an infected icon file exploit. Search around -- I may have missed it.

    Even so, the *icon=* command writes that command to the Registry, and Windows then loads the icon file as the default icon for the drive. I don't know how it could do anything else.

    I tried spoofing an executable, firehole.exe with the .ico file extension and put it on the USB.

    Upon connecting the USB drive, the *icon=* command loaded the icon file of the executable as the default icon for the drive -- you can see the firehole icon at the top -- but as an executable file, it cannot run from that command.

    firehole_drive.gif

    Attempting to run any ico file in Windows loads it into an image viewer, and you will get a wrong-file format error:

    firehole_ps.gif

    So, there is no way a user could click on an .ico file and get it to run as an executable.

    However, it will run from a command prompt, which doesn't care about Windows file associations. Since it is an executable, it will be blocked on my system:

    firehole_block.gif

    Allowing it to run:

    firehole_run.gif

    In order for a USB exploit to do this, it would need an autorun.inf command, which would not run of course, with autorun protection on. I may have missed something else, so think about other possibilities.

    Nonetheless, if you are concerned, then yes, you should use that program which blocks the icon from loading.

    ----
    rich
     
    Last edited: Sep 27, 2010
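
A defender-side check for the case tested in the post above (a file named `.ico` that is really an executable), added here as an example and not part of any post. It lists what a drive's autorun.inf asks Windows to do and compares the `icon=` target's header with its extension; the function names are hypothetical and the sample drive is constructed from the autorun.inf quoted earlier in the thread.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # keys that name a program to start

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased."""
    entries, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def sniff(path):
    """Classify a file by its first bytes, ignoring its extension."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head[:2] == b"MZ":                 # DOS/PE executable header
        return "executable"
    return "icon" if head == b"\x00\x00\x01\x00" else "other"  # ICO header

def audit_drive(root):
    """Report launch commands and an icon= target that is not really an icon."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1") as f:
        entries = parse_autorun(f.read())
    findings = [("launch", k, v) for k, v in entries.items()
                if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]
    # icon= may carry a resource index ("file,0"); keep only the path part.
    icon = entries.get("icon", "").split(",")[0].strip().replace("\\", os.sep)
    target = os.path.join(root, icon)
    if icon.lower().endswith(".ico") and os.path.isfile(target) and sniff(target) != "icon":
        findings.append(("icon-mismatch", icon, sniff(target)))
    return findings

def make_sample_drive(root, icon_bytes):  # constructed test drive
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[AutoRun]\nopen=someexecutable.exe\nicon=neat_name.ico\n")
    with open(os.path.join(root, "neat_name.ico"), "wb") as f:
        f.write(icon_bytes)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample_drive(d, b"MZ\x90\x00")   # executable header under an .ico name
        print(audit_drive(d))
```

The check reads headers only and never opens or runs the files it inspects, so it can be pointed at a mounted drive without triggering anything on it.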
  11. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I d/l this program and opened the folder and don't see any .exe's to run it. How did you guys run this thing? Never mind, I had the wrong file.
     
    Last edited: Sep 27, 2010
  12. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    Just d/l the .zip and then open it up, you should see 4 items, 3 of them are .txt files: License/ReadMe/ChangeLog and there's also an .exe named NoAutorun. So just double-click it and you'll get the GUI, where you can set the config, and that's it. I personally extracted the files to a folder under Program Files (running XP)... :thumb:
     
  13. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    This is a very handy little program, thanks for posting. I like how you can switch it from read only to write only when you need to.
     
  14. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    Yeap it's very good at what it does. :thumb:
     
  15. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    No Autorun

    UPDATE
    Build 1.1.1.23 (2010-11-01):

    * Added an option "Auto start via Task Scheduler (For Windows Vista and above)";
    * Added an option "Open main window when detected suspicious files";
    * Check all drives when program started;
    * Fixed a UI bug on the main menu;
    * Fixed two bugs on crashing;
    * Fixed minor bugs.


    http://sourceforge.net/projects/noautorun
     
  16. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thanks, updated mine...:)
     
  17. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    Not really. A format of the drive will get rid of the vaccination. You can also get rid of the vaccination from other non-Windows OS's.
    Not true either. Panda USB Vaccine does either or both of the following: (1) turn off Windows Autorun and (2) vaccinate USB drives. The first part only affects autorun, not autoplay. Also from within USB Vaccine you can turn Windows Autorun back on if you want to.
     
  18. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    @pbust
    Thank you very much for your intervention in this thread. Now, I'd like to clarify I'm talking about my own experiences with Panda's USB Vaccine.
    1) I wasn't able to rename my flash drives anymore even after re-formatting. Not a big deal, I know, but I much prefer being able to do it by myself.
    2) There are some programs that do not like PUV. I really don't know why but they don't work even after uninstalling them. Had to do a clean OS reinstall to get them working again.
    There's something PUV does to the system that cripples some flash drives/programs.
    Again, this is what happened to me and this is my personal point of view. I'm not bashing PUV nor do I intend to discredit it. I just don't like it for the reasons mentioned above.
     
  19. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    This should not have anything to do with PUV. After a format there's no traces left of PUV anywhere on the USB drive. Maybe some other software or config on your system is preventing this?
    What kind of programs? You mean programs which were supposed to autorun? Can you provide some specific examples so that we may look into it?
     
  20. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    Maybe, but the weird thing is that I wasn't having any problems like this before installing PUV, and the same problems disappeared after I uninstalled it.

    "What kind of programs? You mean programs which were supposed to autorun? Can you provide some specific examples so that we may look into it?"
    Sure. It's been almost 2-years since I don't use it, so I'll have to give it a spin in a virtual environment. I also have to look for the conflicting programs but the ones that come to my mind are iTunes, Traktor, WinDVD... those are the ones I've always used... there are a few others but as I said, I don't use them anymore. So I'll get back to you as soon as I have chance to test them.

    Pbust, thank you for your interest and thank you for your time! :thumb:
     
  21. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
  22. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    That'd be great if you can find a reproduceable problem, thanks! :)
     