What Utility can block scripts auto-running from flashdisks?

Dear All,

In my country, viral infections now spread through flash disks. Many an entrerprising programmer (read: hacker) created a virus that's effectively an autorun.inf, and a VBscript with a name such as "win32.dll.vbs".

Infection happened when an unsuspecting user chucks in a flash disk into an infected computer. The virus/worm will then create those two files on the flash disk. The flash disk now becomes a vector, carried to another PC, chucked in again, and the autorun.inf executes the win32.dll.vbs script.

Well-known antiviral programs, although they *can* clean the infection, are at a disadvantage because they don't get the virus sample until a user submits it to them. Some scripts are even able to delete the antivirus in the Hard Disk.

What I want to know is, how can I protect my computers from such flashdisk-based worms? What steps to take, and/or what programs to install?

I have tried the free EXE Lockdown from HDS, but on my main PC it conflicts with Firefox causing a BSOD.

Do you have other recommendations?

Thanks in advance.

 

You could try Script Sentry to block scripts.

 

Disable the Autorun feature

 

ScriptSentry and similar programs block Windows from invoking the Open command as entered in the Registry
when a user double-clicks on a script file (I'm using the finjan.vbs test file):


_____________________________________________________

Unfortunately, these programs will not prevent the file from running via a command to start wscript.exe.

Make a test AutoRun file with this syntax:

Code:

[AutoRun]
shellexecute=wscript.exe finjan.vbs

Put the Autorun.inf file along with yourtestfile.vbs in the root of a flash drive or external USB HD.

Or run this command from a Command Prompt or from within a batch file:

Code:

start wscript.exe finjan.vbs

The .vbs file will happily oblige:


___________________________________________________


----
rich

 

With TweakUI you can disable Autorun.. I did it today

 

Hello, pepoluan,

I was curious, so I took time this evening to look a bit more closely at this. First, these "enterprising programmers" maybe didn't have to create anything - this autorun/vbs exploit has been around for a while and code is readily available to copy|modify from the internet.

A couple of write-ups describe how the technique works:

Worm.VBS.Solow.A
http://www.bitdefender.com/VIRUS-1000187-en--Worm.VBS.Solow.A.html

VBS/Small.Sasan.A - VBS script virus
http://www.avira.com/en/threats/section/fulldetails/id_vir/4012/vbs_small.sasan.a.html

User precautions:

1) Someone using a flash disk in another computer can view the contents of the flash disk before removing it -- using the "dir" command from a Command Prompt to check for Hidden files.

2) People permitting someone else's flash drive to run on their computer can temporarily disable AutoRun by holding down the left SHIFT key as the drive is connected, or by unchecking AutoRun in TweakUI, as HURST suggested, and then view the contents of the drive as above.

Since the Autorun.inf file has:

Code:

 shellexecute=wscript.exe

a program that can block specific executables might work.

One of the scripts modifies the Registry. A Registry Watcher program might help here.

Other people may have some suggestions...


----
rich

 

This has been happenning to me very frequently: Plugging into my computer a 'flash disk' or 'memory sticks' it would instantly trigger a reaction from the Antivirus. All of the advice given so far is good, in my case i've always had my system sandboxed, with an antivirus running.

A sandbox is perfect for such a situation, the only problem is that if you want to retain some of the stuff from the flash disk you should make sure that it is clean, which means you need some kind of anti malware.

Sandboxes/virtual systems that you can trial are: DeepFreeze, Returnil (free for personal use), PowerShadow, ShadowUser/Surfer, Sandboxie (free). There are more and a search on the Wilders forums will give a lot of info. Returnil is worth trying first, as it is free and very effective, their support is also remarkable.

 

Were these your disks? If so, how do you think they became infected? What was on the disks that triggered your AV?

EDIT: never mind - I remember from a previous thread - you load students' disks onto your computer.


----
rich

 

I had that when plugging my USB-drive in a friends laptop. My AV never jumped, but when I plugged it in his, his AV (NOD32 2.7) warned about autorun.inf

 

Last week a colleague plugged in his flash disk into a workstation that I frequently use (not my personal workstation, but my 'other' workstation in the office).

The next day I used the computer and discovered that I can no longer double-click on the C: or D: drive icons on the right pane of Explorer to open them drives. Having read about autorun.inf worms, I feared the worst.

I opened IE, and sure enough, IE's title bar has a message from the worm maker. Based on the language used, the worm is a 'domestic' worm, i.e. created by a fellow countryman.

So I did a quick perusal, and indeed "dir c:\ /a" shows an autorun.inf running some .vbs script. I quickly solve the problem by deleting autorun.inf and the .vbs during boot (it refuses to be deleted from within Windows. The delete would succeed, but within minutes the autorun.inf will be resurrected).

The horror of the story is: I am using the most-up-to-date NOD32 v2 on that computer (auto-update every hour, as is the default of NOD32)

So much for antivirus protection on autorun.inf

 

That is a fact of life in the AV world. I'm sure NOD32 (and all AV companies) add files to their updates as quickly as possible after they detect them.

If someone encounters a new variant between their updates, then...


----
rich

 

This program can accomplish many of the things mentioned above easily.
http://xp-antispy.org/index.php?option=com_remository&func=sellang&iso=en

 

And indeed it does!

I connected my external USB drive which has the test autorun.inf and .vbs files. The code for the autorun.inf is

Code:

[AutoRun]
shellexecute=wscript.exe finjan.vbs 

and upon connecting the drive, the action is blocked:


_________________________________________________________


Nice utility!


----
rich

 

Thanks. A nice little program indeed.

 

You can do the same thing with the Tools section of AVG-AS, if you don't want to do it manually.

Personally, I have execution protection for wscript.exe and cscript.exe. Additionally I've set the My Computer zone to 'High' so that .vbs scripts do not run off the desktop, unless I want them to.

 

Ah, thanx for the inputs, guys!

Will surely disable scripting host, as I never use it anyway.

 

Hello,
You can also: Start > Run > gpedit.msc > User Configuration > Administrative Templates > Windows Components > System > Turn off Autoplay, switch to enable.
Mrk

 

Okay, regarding EXE Lockdown BSOD-ing my PC (see my first post), I found the cure:

I have to first click "Scan HDD" in the EXE Lockdown control panel.

Now, all is well