Autorun.inf: Removal, Threats & Countermeasures (Part-I)

What is an Autorun.inf?

It is just an instruction file that tells the operating system which executable file, commands and other programs to launch automatically. It is not itself a virus, but I will show you how it can be used to run malware/virus code. An autorun.inf is a plain text file that can be opened in a text editor, and I will show you how to edit it.

Threats posed by Autorun.inf:

As I said before, it is not a virus, but it can be used to execute virus code/malware. I will explain this through a simple example below.
[autorun]
open=Viruscode.bat    ; (1)
icon=Viruscode.ico
[autorun.mips]
open=filename2.exe    ; (2)
icon=filename2.ico
[autorun.alpha]
open=filename3.exe    ; (3)
icon=filename3.ico
a) In the above example, the first "open=" entry is assigned to a ".bat" file. A destructive batch script can be written and placed in the same folder as the autorun.inf so that it is executed automatically. Suppose the autorun.inf is on a USB drive: when the drive is plugged in, the autorun.inf launches the ".bat" file and the commands in the ".bat" file are executed.
 c:\windows\system32\shutdown -s -f
The above command can be copied to a text file and saved with a ".bat" extension; when executed, it shuts down the PC forcefully. This is just a simple example; far more extensive damage can be done with a batch file.

b) The filename2.exe can also be a Trojan/Keylogger.

c) The filename3.exe can be an exploit for a vulnerability of the system.
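
A defender's view of the listing above, as an added example that is not part of the original post: a small Python audit that reads an autorun.inf and reports every entry that would launch a file. The shellexecute and shell\<verb>\command keys and the extension list go beyond the "open=" case shown here, and the sample input is constructed from the listing.

```python
import re

# Keys that name something Windows may launch from an [autorun*] section.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB = re.compile(r"shell\\[^\\]+\\command")   # context-menu verb commands
RISKY_EXT = (".bat", ".cmd", ".exe", ".com", ".scr", ".pif", ".vbs", ".js")

# Constructed sample: the listing from this post without the (1)-(3) markers.
SAMPLE = """\
[autorun]
open=Viruscode.bat
icon=Viruscode.ico
[autorun.mips]
open=filename2.exe
icon=filename2.ico
[autorun.alpha]
open=filename3.exe
icon=filename3.ico
"""

def _target(value):
    """First token of the command line, honouring a leading quoted path."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def audit_autorun(text):
    """Return (section, key, target, risky) for every launch entry found."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if not section or not section.startswith("autorun") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or SHELL_VERB.fullmatch(key):
            target = _target(value)
            findings.append((section, key, target, target.lower().endswith(RISKY_EXT)))
    return findings

if __name__ == "__main__":
    for section, key, target, risky in audit_autorun(SAMPLE):
        print(f"[{section}] {key} -> {target}  {'REVIEW' if risky else 'ok'}")
```

The icon= lines are ignored because they do not launch anything; only entries that name a command are reported.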

Autorun Disabling:

One secure approach is to disable the autorun option in Windows XP and Vista. To do that, you have to install the corresponding Windows patch/update file.
- Update for Windows XP (KB967715)

- Update for Windows XP x64 Edition (KB967715)

- Update for Windows 2000 (KB967715)

- Windows Vista must have the 950582 update.
We will use the registry edit to disable the Autorun option.

For Vista and XP, this method is used to disable the autorun feature on all drives.
1) Click Start and type Gpedit.msc in "Run" for XP or in the "Start Search" box for Vista, and follow the instructions as shown in the image below.

2) After selecting Properties, choose the "Enabled" option and pick the appropriate option from the drop-down menu as shown in the image below.

3) Now apply and restart the PC; after that it is done.


Method 2:
This method has more functionality than the previous one, as you can disable the autorun option for specific drives.

1) Click the Start button, type "regedit" in the Run box and hit Enter.

2) Now search for the following path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun
Now follow the instructions given in the image below.

3) Right-click and select Modify, then put in the appropriate hex value as shown in the images below.

4) Use the appropriate hex value in the "Value data" field; the hex codes and their corresponding functions are listed below.
Image source: Microsoft support.

5) Click OK and restart the PC; after that it is done.

Autorun.inf can also be removed with the Command Prompt and a few tools, so come back for Part-II of this post.


3 comments:

Prajith on August 10, 2010 at 8:22 AM said...

Hmm! Seems to be a very useful tool. Thanks for sharing

Shekhar Sahu on August 10, 2010 at 9:18 AM said...

Informative post, you can remove this w/o any tool, check my blog.
Thanks

Satyajit (Admins,a.k.a Satosys) said...

@Prajith Thanks for visiting... :) Here I have just used a registry edit, but look out for how to remove it using tools and commands in Part-II.

@Shekhar Thanks for visiting... :) Yeah, it can be removed without using a tool; look out for the how-to tutorial in Part-II.

© 2013 SecurityHunk. All Rights Reserved.