Downadup worm causes confusion over Autorun
By Tim Conneally | Published January 22, 2009, 3:55 PM
The DHS's US-CERT (United States Computer Emergency Readiness Team) released a security alert yesterday saying that the usual way of disabling Autorun in Windows, a step meant to stanch the spread of the Downadup virus, is itself a vulnerability.
The Downadup worm has reached epidemic proportions (meaning, I have begun to overhear conversations between elderly women talking about it). But an announcement from US-CERT this week says that one of the remedies to the problem, a registry fix that disables Autorun, is unsound.
"The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling Autorun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF 'disables Autoplay on all types of drives.' Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer."
Autorun was introduced with Windows 95 and is relatively self-explanatory: it can automatically run a file either when storage media is mounted or when the drive's icon is clicked. US-CERT has posted its own instructions for disabling Autorun.
When asked about US-CERT's post, Microsoft's security response communications manager Bill Sisk said, "US-CERT has updated their post about Autorun, pointing to Microsoft Knowledge Base (KB) article 953252 that details 'How to correct 'disable Autorun registry key' enforcement in Windows.' This KB article was published in May 2008." "Microsoft also published guidance on how to mitigate infection attempts using Autorun, which has been a common vector manipulated by the Conficker (a.k.a., Downadup) worm. Information can be found here. Customers who have downloaded MS08-038 and have followed the guidance provided in Microsoft Knowledge Base (KB) article 953252 are protected from this vector of attack."
US-CERT notes that the fix was released via Microsoft Update to Windows Vista and Server 2008 as part of the MS08-038 security bulletin, but Windows 2000, XP, and Server 2003 users must install the update manually.
I encountered my first infected customer PC at work today that successfully managed to infect my 16GB Cruzer U3 drive (as well as a drive that my co-worker uses). It created a hidden autorun.inf file that contained the contents:
[AutoRun]
shellexecute=E:\m.exe /s
Action=Autorun
It also placed a hidden file called "m.exe" in the root folder, with a Skype icon associated with it. AVG detected a trojan horse by the name of SHeur2.MMC in that file (Virtumonde, I believe... rather tenacious).
As a temporary quick fix for work-related purposes, I deleted both files from my flash drive and instead created a *folder* (not file) with the name of "autorun.inf" and changed the attributes on it. I cannot be 100% certain of any variant of the trojan's effectiveness at bypassing that workaround, but this particular workstation was no longer able to infect my flash drive once the "autorun.inf" placeholder folder was created on it.
I'm sure I'll get to test that further very soon, as another PC belonging to a different customer was infected with a similar trojan. She has never had any problems until very recently when her accountant brought her QuickBooks company file back to her on his flash drive. There's no telling how many of his own customers around town he has infected by now, but I fear that one person alone has already done immense damage... and that's just one single person.
I hope this is helpful to someone. If anyone else cares to try creating an "autorun.inf" placeholder folder on their flash drive, I would love to hear about your experiences with it.
Score: 0
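The three-line autorun.inf quoted in the comment above is the whole of what Windows needs to launch a program from a drive. As an added example (not from the article or any commenter), here is a small parser that reads an autorun.inf the way a help-desk or scanning script would and reports which directives would execute code; the sample files are constructed, the first reproducing the comment's three lines:

```python
import re
from typing import Dict, List, Tuple

# autorun.inf directives that make Windows run a program when the media is
# auto-run or opened. The infected drive above used shellexecute; the other
# documented forms are open= and shell\<verb>\command= (matched by regex).
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")

def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section and key names are case-insensitive and
    ';' starts a comment. Sections other than [autorun] are kept but unused."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def find_launch_directives(text: str) -> List[Tuple[str, str]]:
    """Return (key, target) pairs in [autorun] that would execute a program."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or VERB_COMMAND.fullmatch(k)]

def describe(text: str) -> str:
    """One-line triage verdict; also reports the Action= text, which is what
    the AutoPlay dialog shows the user in place of the real program name."""
    hits = find_launch_directives(text)
    if not hits:
        return "no launch directive (icon/label only)"
    label = parse_autorun_inf(text)["autorun"].get("action")
    disguise = f', shown in AutoPlay as "{label}"' if label else ""
    return "launches " + "; ".join(f"{k}={v}" for k, v in hits) + disguise

# Constructed samples: the comment's file, a custom-verb variant, a benign file.
WORM_INF = "[AutoRun]\nshellexecute=E:\\m.exe /s\nAction=Autorun\n"
VERB_INF = "[autorun]\nshell\\explore\\command=RECYCLER\\x.exe\nshell=explore\n"
BENIGN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Holiday photos\n"

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("verb", VERB_INF), ("benign", BENIGN_INF)):
        print(f"{name}: {describe(inf)}")
```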
|What a waste of time and effort. In Vista and Windows 7 - Just open your control panel, click on the autoplay icon, and then un-tick 'use autoplay....' That seems to stop autorun.inf for me.
For those not using Vista or Windows 7 - Best of Good Fortune to you - You'll need it!
Score: 0
|The true waste of time and effort will fall on the shoulders of those who would follow your advice which does not effectively (or even remotely) disable Autorun... on ANY version of Windows.
Whoever gave this poster a positive score needs to have their head examined.
Disabling AutoPlay alone is NOT the answer, and people need to stop perpetuating this nonsense.
More steps need to be taken, and those steps have been outlined below in great detail... more than once!
How about one more for the road?
http://antivirus.about.c...ps/ht/vista_autorun.htm
Score: 0
|This guy has the best method of disabling the Autorun feature within Windows... and it was dated 23 October 2007. It's the same method I posted below, but it's explained a bit more thoroughly.
http://nick.brown.free.f...7/10/memory-stick-worms
This registry value completely (and effectively) disables Autorun, yet does not prevent Windows from properly unmounting ejected media, nor does it prevent it from recognizing new devices and properly mounting new volumes.
It should be noted that any custom icons that are displayed for the corresponding drive while the media is inserted will no longer appear in Windows Explorer (one of the features of autorun.inf), but the volume label will display correctly.
It should also go without saying that installers for CDs/DVDs will no longer run automatically once inserted, requiring you to manually navigate to the setup files.
One major downside (for me, at least) is the apparent inability to run the U3 Launchpad on capable flash drives. I have yet to find a workaround, and it's quite frustrating.
Also, to revert back to the way Windows was before is a simple matter of deleting the registry key. No harm will be done, as it is a key that never existed in the first place.
Microsoft does not recommend this method... but then again, they have a habit of sacrificing security for the sake of simplicity for all (though they have been making admirable progress in that area over the past couple of years).
Oh, and disabling AutoPLAY is not required.
Score: 1
|The fact that millions of people are amazed and confounded by the automatic nature of the "autorun" (or autoplay) feature in Windows is truly sad and a clear indication that Darwin was right.
Now that the gubmint has taken over the job of protecting people from their own (potentially fatal) stupidity, we are virtually assured of generation after generation of new, stupid people to be preyed upon.
Please. Just like with chainsaws - if you don't know how something works you probably ought not touch it.
Score: 0
|You mean kinda like how most people (yourself included) do not know that Autorun and AutoPlay are two completely different features that perform two completely different tasks? :-)
Simply disabling AutoPlay does NOTHING whatsoever to the PC's ability to automatically parse Autorun.inf files on removable media once inserted.
Score: 0
|Good article here Tim.
The Downadup worm really caught my attention for the fact that it has infected 9 million computers and counting, according to reports. This worm is easily transmitted via USB flash drives.
To help those whose computers were infected, I'm offering a removal solution.
http://coolbusteratyours...r-remove-downandup.html
I hope you will disseminate this information.
Score: 0
|Now something is confusing me. Why haven't they made a fix for Windows 7 users?
I remember the other day them mentioning that it's hitting every version and that the MS08-038 fix is available for all versions of Windows including 7.
I checked the site and I googled the security bulletin and there is no download for Win7 anywhere.
I did notice they also took the XP, 2000, and Server 2003 downloads down and put them in the non-infected software list basically saying only Vista & Server 2008 are affected.
http://www.microsoft.com.../Bulletin/MS08-038.mspx
What the heck is going on and why isn't there a fix for Windows 7 yet, and why have they taken the fixes down for the other versions?
Score: 0
|It looks to me like it is not a vulnerability in 7, at least in the 64-bit code I am running. I searched my registry and found only the following key that even mentions it:
HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7000.0_none_4e9a4504b0585ee7
It looks like it is all controlled in Control Panel>All Control Panel Items>AutoPlay
You can simply uncheck the box that says: "Use AutoPlay for all media and devices" and it will disable it completely.
Score: 0
|AutoPlay and Autorun are NOT the same thing.
Autorun was something introduced with Windows 95, and AutoPlay was introduced with Windows XP. They perform different tasks.
AutoPlay will present a menu asking what action needs to be performed based on the type of files present on the device or media... of which one of those options is 'Open Folder to View Files using Windows Explorer'.
Simply disabling AutoPlay does not remove the ability to perform that option yourself through Windows Explorer... and the default option for doing so is to Autorun when that happens (it's the option in bold type when you right-click to view the context menu for the removable device).
Score: 1
|@maxheat2009
Many sites that give detailed instructions on how to protect your PC from this threat are referencing security bulletin MS08-067, which is a more recent update to address the vulnerability in the Server service (Oct 23, 2008 versus July 8, 2008).
http://www.microsoft.com.../Bulletin/MS08-067.mspx
Windows Server 2008 is listed in this bulletin, but I am not entirely certain if Windows 7 is covered... or even necessary, as it has been listed as 'Critical' for 2000, XP, and 2003, yet 'Important' for Vista and 2008.
I also would have thought that since Windows Vista and Server 2008 were fixed via Automatic Updates (as the article suggests), it would have been reasonable to assume that Windows 7 fell into that category. However, I have seen no such update in the history on either of my Windows 7 PCs. *shrug*
Score: 0
|Thanks for the info, but something quite interesting had happened last night which is probably the reason they gave the information about the Win7 patch, but never upped it. Windows Defender automatically updated and cleared the entire worm within seconds. Looks like Microsoft have finally got their heads screwed on lol.
Score: 1
|@ NunjaBusiness. Just noticed, if your system is 64bit how come it says x86 in your registry? x86 is 32bit lol. I think I'm safer listening to the others sorry.
Score: 1
|With all the expertise the good guys have at their disposal, why are the bad guys still able to launch this type of attack and get away with it? Those behind this latest bit of nastiness, are they now congratulating themselves on a job well done, or cowering in a room awaiting a knock at the door because this time they may have gone too far? Also hope if they are ever brought to justice, they don't end up being employed by some security firm or other on a huge salary in recognition of the chaos they have brought about.
Score: 0
|"Microsoft also published guidance on how to mitigate infection attempts using Autorun... Information can be found *here*."
Where, Tim? :-)
By the way, the s*** key has worked since Windows 95, but it's not 100% effective (mostly attributed to requiring the end user to simply press the key).
The methods described in the article are also ineffective because they do not prevent the autorun.inf from loading if the media has been inserted and recognized by Windows before the NoDriveTypeAutorun registry setting has been modified. The MountPoints2 registry key is responsible for that.
Try this method (link provided below):
Block AutoRun for all devices all the time
You might think that you could protect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun.
However, these keys can be overridden. A Registry key named MountPoints2 stores information about all USB flash drives and other removable media that have ever been connected to your computer. This cache overrides the Registry settings that turn off AutoRun.
The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. Here's the procedure:
Step 1. Start Notepad or another text editor.
Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets should be all on one line):
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension.
Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry.
UPDATE 2009-01-21: As an extra precaution, it's a good idea to reboot your PC after Step 4, on the off chance that some old information was residing in cache memory.
The next time you insert a flash drive, CD, DVD, or other removable disc into your system, Windows will not execute the information in any autorun.inf file that may be present.
Naturally, taking these steps means that the next time you put a game or installer disc into your CD or DVD drive, its software won't launch automatically. You'll have to open a Windows Explorer window or use a command line to launch the desired executable.
The benefit is a big one: a rogue program that you never intended to launch won't silently take over your system if you happen to insert a Trojan-carrying disc into a drive.
http://www.windowssecret...revents-Autorun-attacks
Some also suggest deleting the MountPoints2 registry key (which stores cached information about every device ever connected to the PC), but advise caution due to possible unconfirmed adverse effects on the rest of the OS.
Score: 4
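The comment above, together with the US-CERT quote in the article, gives three registry settings with very different effectiveness: Autorun=0 (ineffective, and it kills Media Change Notification), NoDriveTypeAutoRun=0xFF (only with KB953252/MS08-038, and undercut by the MountPoints2 cache and the drive icon's default action), and the IniFileMapping redirect (effective). As an added example that is not from the article or the commenter, this script encodes those rules so an administrator can check which state a machine is actually in; the IniFileMapping and Policies\Explorer paths are the ones given on this page, while the Cdrom\Autorun location is my assumption from Microsoft documentation:

```python
import sys
from typing import Optional

# Registry locations from the thread (HKLM; NoDriveTypeAutoRun can also be set
# under the same path in HKCU). Cdrom\Autorun is assumed from Microsoft docs.
INI_MAPPING_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
CDROM_KEY = r"SYSTEM\CurrentControlSet\Services\Cdrom"
BLOCK_VALUE = "@SYS:DoesNotExist"

def assess_autorun(ini_mapping: Optional[str], no_drive_type: Optional[int],
                   autorun_value: Optional[int] = None) -> dict:
    """Apply the thread's rules to already-read values (None = value absent).
    Returns {"status": blocked|partial|enabled, "notes": [...]}."""
    notes = []
    if ini_mapping is not None and ini_mapping.upper() == BLOCK_VALUE.upper():
        status = "blocked"
        notes.append("autorun.inf lookups are redirected to a nonexistent registry "
                     "key, so the MountPoints2 cache cannot override the setting")
    elif no_drive_type is not None and (no_drive_type & 0xFF) == 0xFF:
        status = "partial"
        notes.append("NoDriveTypeAutoRun=0xFF needs KB953252/MS08-038 installed, does "
                     "not cover media already cached in MountPoints2, and the drive "
                     "icon's default action can still run code")
    else:
        status = "enabled"
        notes.append("no effective Autorun restriction found")
    if autorun_value == 0:
        notes.append("Autorun=0 does not stop autorun.inf and disables "
                     "Media Change Notification (CD/DVD change detection)")
    return {"status": status, "notes": notes}

def read_windows_posture() -> dict:
    """Read the live HKLM values on Windows and assess them; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # imported here so the module also loads on non-Windows hosts

    def read(subkey: str, name: str):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, name)[0]  # "" reads (Default)
        except OSError:
            return None

    return assess_autorun(read(INI_MAPPING_KEY, ""),
                          read(POLICY_KEY, "NoDriveTypeAutoRun"),
                          read(CDROM_KEY, "Autorun"))

if __name__ == "__main__":
    print(read_windows_posture() or "not running on Windows")
```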
|Great post. Thumbs up!
Score: 0
|"US-CERT notes that the fix was released via Microsoft Update to Windows Vista and Server 2008 as a part of the MS08-38 security bulletin, but Windows 2000, XP, and Server 2003 must manually install the update."
While everyone was so quick to blame idiot users (a term I wouldn't dream of touching...), while they may indeed be idiots, it is becoming clearer that they aren't the only idiots included in this relationship...
Sorta gives a new meaning to "automatic updates"...
;-)
Why do I get the feeling that those who jumped on "10 free DRM free files included for a $14.95/month subscription" would be all over that deal!
Score: 2
|Please, you're good at dreaming.... [smiles]
Score: -2
|What exactly was he dreaming about?
You know, there's actually nothing wrong with posting something helpful and actually relative to the article.
Oh look... a Canadian link!
Different methods of disabling Autorun (and their effectiveness explained):
http://www.securitepubli.../2008/tr08-004-eng.aspx
Score: 0
|Foxfyre.....What?
Score: 0
|Who voted for you ? I think this forum needs to know, questions need to be asked. Will the member who gave foxfyre a score of 1 please make themselves known. We're waiting !
Score: 0
|You can give yourself thumbs up.
Score: 1