Discussion in 'other security issues & news' started by Someone, Jun 25, 2009.
Is disabling autorun with TweakUI safe? Does it use the registry tweak described here?
Nope. TweakUI works to a point but apparently does not block all known methods. The Panda tool does appear to work for both the PC and flash drives. (The PC vaccination for Panda IS the method described at your link...
Thanks. Do you know what method Tweak UI uses?
I assume you mean TweakUI for Win XP. See a description here:
If you are running XP then the option is also available through gpedit.msc
Gpedit can also be added to XP Home. Doing a Google will provide the instructions.
Always preferred/trusted this method to 3rd party software. Closely followed by reg. tweaking.
This means that even if the autorun.inf file is suppressed from executing, clicking on the drive icon in My Computer, or any of the commands on the right-click menu will trigger the exploit.
This doesn't sound good, I will remove TweakUI
Edit: I tested the gpedit.msc method - if you click on the drive letter E:, autorun.inf is also executed.
Actually, the best approach, unless I misunderstood something, is to combine both Panda USB vaccine and TweakUI.
I'm setting up a system with Windows XP SP3, and Panda USB vaccine won't prevent CDs/DVDs from auto running. TweakUI allows you to prevent the autorunning.
I don't know why it (Panda's utility) won't prevent CDs/DVDs from auto running, but perhaps it's some problem handling such media in Windows XP?
A safe way is to access the removable media drive letter in the left pane of Windows Explorer (2-pane view of My Computer). Nothing on the drive will execute:
On Win2K and WinXP, the 'WIN Key + E' opens Windows Explorer.
Note that I made several folders and files Hidden but they display because I've configured Windows Folder Options to show Hidden stuff.
Some other thoughts:
Unless you have a specific need, avoid a U3-powered USB smart drive. Non-U3 types will not execute an Autorun.inf file.
If you copy files to your computer from someone else's USB drive, access the drive in Windows Explorer as above to view the contents. If you see an autorun.inf file, ask the person if she/he knows it's there!
Yes, but the autorun will start before. I don't know of a way to simply turn off autorun! If you remember, even the 'DoesNotExist' registry key (in Panda USB Vaccine) doesn't work for all drives (-> MountPoints2!).
I would like to test this idea, how can I avoid these drives?
Sorry, I thought you had a solution for disabling Autorun.
Can you post a screen shot showing how the "DoesNotExist" registry key tweak is bypassed?
Regarding non-U3 smart drives:
Just look on the package. It will say if it is a smart drive.
1) I added the registry tweak
2) I opened Windows Explorer
3) I inserted the USB stick with the modified autorun.inf
I'm sorry but I don't understand what your screen shot is showing. What do you mean by a modified Autorun.inf file?
Does an Autorun.inf file execute with that Registry tweak enabled?
An autorun.inf file which labels E: as 'This could be malware!' So it has been executed ...
Did you delete your MountPoints2 keys and then reboot before enabling the Registry Tweak?
To my knowledge, only if the autorun.inf information is in that Registry key will the autorun.inf file execute.
Nick Brown makes that point in his article on that Tweak
Also, some systems restore the MountPoints2 Keys on reboot, so careful testing/checking is necessary.
You are right, they have been restored. What can I do?
Use another Autorun.inf file to start calculator or something, and see what happens.
I used this autorun.inf:
open=PAVARK.exe - didn't work!
icon=PAVARK.exe - worked!
label=Fake Malware! - worked!
I get this notice, what's wrong?
Look in your MountPoints2 Key: if the 'open=PAVARK.exe' command is not there, it was prevented from being written to the Registry, so that open action failed.
Were the icon and label commands present from your previous Autorun.inf? If so they are still in the Registry, hence, they executed.
I suggested that you test with a completely different autorun.inf file that has nothing already in the Registry to show that the Reg Tweak does in fact block new autorun.inf commands from being written to the Registry, hence, the commands to execute fail.
How can I do this?
I repeated the test with a brand new USB stick and a new autorun.inf - the commands icon and label still work. The open command didn't work; I also got no notice like in post #17. I don't know, maybe this is ok ..
OK, you posted while I was writing!
Your test shows that the icon and label commands are still written to the registry but the Registry Tweak is preventing any new commands from being read/written.
Does this seem logical?
If you are comfortable in the Registry, I can show you how to check the MountPoints2 key in WinXP.
Is it ok?
Do you mean that the registry tweak 'only' blocks open but doesn't block icon and label?
I think Icon and Label are controlled by autoplay.
Try a new autorun.inf file with nothing but an Open command.
I inserted a DVD, the autorun.inf only contains the open command - it doesn't work. Ahm, the same goes for the gpedit.msc method
So the registry tweak 'only' blocks open and nothing else - I didn't know this. Maybe I'll test this with TweakUI again.
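The tests above hinge on which autorun.inf directives launch a program and which only change how the drive looks. The following inspection helper is an added example, not code from any poster in this thread; it parses a copy of an autorun.inf (read via the Explorer left pane as described earlier, so nothing executes) and reports the two classes separately. The sample file is constructed from the directives the thread mentions.

```python
# Directives that make Windows run something when the file is honoured,
# versus ones that only alter the drive's appearance in My Computer.
EXECUTION_KEYS = ("open", "shellexecute")       # plus any shell\...\command key
COSMETIC_KEYS = ("icon", "label", "action")

def parse_autorun(text):
    """Parse the [autorun] section the way an INI reader does: section and key
    names are case-insensitive, surrounding whitespace is trimmed, ';' lines are
    comments, and a later duplicate key overrides an earlier one. A file with
    no [autorun] section yields no directives (Windows ignores it)."""
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def classify(directives):
    """Split directives into (execution triggers, cosmetic entries, other)."""
    execution, cosmetic, other = {}, {}, {}
    for key, value in directives.items():
        if key in EXECUTION_KEYS or key.startswith("shell"):
            execution[key] = value      # open=, shellexecute=, shell\verb\command=
        elif key in COSMETIC_KEYS:
            cosmetic[key] = value       # icon=, label=, action= (display only)
        else:
            other[key] = value
    return execution, cosmetic, other

def summarize(text):
    """Return one report line per directive, flagging the execution triggers."""
    execution, cosmetic, other = classify(parse_autorun(text))
    lines = [f"RUNS PROGRAM: {k}={v}" for k, v in execution.items()]
    lines += [f"display only:  {k}={v}" for k, v in cosmetic.items()]
    lines += [f"unknown key:   {k}={v}" for k, v in other.items()]
    return lines or ["no [autorun] directives found"]

# Constructed sample, modelled on the test file described in the thread.
SAMPLE = "[autorun]\nopen=PAVARK.exe\nicon=PAVARK.exe\nlabel=Fake Malware!\n"

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```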
Does the gpedit.msc method work like TweakUI or like Panda USB Vaccine?
I'm not really sure - I don't use the tweaks, I've just read about them. All I know is that the @donotexist prevents the autorun.inf file from writing to the Registry, where Windows "reads" the commands and then executes them.
Bojan at ISC did a good analysis of Conficker, showing how the AutoPlay Prompt tricked users into running the execute command. You can see the Prompt and how the Action and Icon commands worked: