Friday, March 13, 2009

How to stop those pesky "autorun.inf" viruses

OK, so this won't get rid of every autorun.inf-style virus, and there are other ways to do it, but at least it lets you set up the machine the way Microsoft should have a long time ago (they now do this by default on Vista and Server 2008).

History: The Autorun/Autoplay feature in Windows has been around for a long time. It was introduced primarily for audio CDs and as an automated way to launch a program when a data CD is inserted (e.g. a software installation CD). I'm not sure when (perhaps as far back as the Windows 9x days), but I'm thinking that an autorun.inf could have been set up on a network share, and if it pointed to an executable with malicious intent, it could have spread a virus.

Today: As technology moved on, things like USB drives were added to the list of things a computer can "mount". So now some malicious code writers use the autorun.inf feature to launch their code automatically when a drive is mapped or a USB drive is inserted. I could go into more detail about autorun.inf viruses, but really, I'm here today to show you how to stop autorun.inf from running on the drives you don't want it to.

Microsoft released an article about this issue in February: http://support.microsoft.com/kb/967715. It is the most recent article on how to correct "disable Autorun registry key" enforcement in Windows, and it has the link to download hotfix 967715.

You can read the article for more details and to see what options you have for choosing which drive types to exclude from autorun/autoplay. For my example below, I chose to allow CD/DVDs and USB drives to autorun. If you want to make it tighter, just change the registry value to also disable USB drives (use the value 0x95) or to disable all drive types (0xFF). You just have to do your hexadecimal math.

The hotfix almost always requires a reboot (I haven't seen one yet in my testing that didn't). If you haven't already altered your registry or local policies to disable the autorun/autoplay feature altogether, the hotfix will set up a key in:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer called HonorAutorunSetting. This gets set to 0x01.
It also adds a key in:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer called NoDriveTypeAutoRun with a default value of 0x91 (for Windows XP).

The last key above can also be added to the HKLM portion of the registry. I tested it on an account with local admin rights and on one that never even had a profile and wasn't in the local admin group, and it created the HKCU key, and the autorun/autoplay behavior was what I expected it to be.
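As an added audit/hardening script (not part of this post or of the Microsoft hotfix), the PowerShell below turns the hexadecimal math into named drive types, reports what the two policy values currently contain in HKLM and HKCU, and can write the tighter 0x95 setting machine-wide. It assumes Windows PowerShell 2.0 or later, an elevated prompt for Set-AutorunPolicy, and the documented one-bit-per-GetDriveType-class layout of NoDriveTypeAutoRun.

```powershell
# Added example, not from the post or the hotfix. Assumes Windows PowerShell 2.0+
# and the documented NoDriveTypeAutoRun bit layout (one bit per GetDriveType class).
$DriveTypeBits = @{
    Unknown   = 0x01
    NoRootDir = 0x02
    Removable = 0x04   # USB sticks, floppies
    Fixed     = 0x08
    Remote    = 0x10   # mapped network drives
    CDROM     = 0x20
    RAMDisk   = 0x40
    Reserved  = 0x80   # set in every documented default (0x91, 0x95, 0xFF)
}

function Get-NoDriveTypeAutoRunValue {
    # Compose the DWORD from named drive types so the "hexadecimal math" is explicit.
    param([string[]]$DisableTypes)
    $mask = 0
    foreach ($t in $DisableTypes) { $mask = $mask -bor $DriveTypeBits[$t] }
    $mask
}

function ConvertFrom-NoDriveTypeAutoRun {
    # Decode an existing DWORD into the drive types whose autorun is disabled.
    param([int]$Value)
    $DriveTypeBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        Sort-Object Value | ForEach-Object { $_.Key }
}

function Test-AutorunPolicy {
    # Report what is actually present; the post notes the value may live in HKLM or HKCU.
    $explorer = 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
    $honor = (Get-ItemProperty "HKLM:\$explorer" -Name HonorAutorunSetting -ErrorAction SilentlyContinue).HonorAutorunSetting
    foreach ($hive in 'HKLM', 'HKCU') {
        $v = (Get-ItemProperty "${hive}:\$explorer" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $v) { "$hive NoDriveTypeAutoRun: not set"; continue }
        "{0} NoDriveTypeAutoRun: 0x{1:X2} -> autorun disabled for: {2}" -f $hive, $v, ((ConvertFrom-NoDriveTypeAutoRun $v) -join ', ')
    }
    "HKLM HonorAutorunSetting: " + $(if ($honor -eq 1) { '1 (hotfix enforcement active)' } else { 'missing or 0 (NoDriveTypeAutoRun may be ignored without the hotfix)' })
}

function Set-AutorunPolicy {
    # Write the post's "tighter" setting (0x95: also block USB/removable) under HKLM.
    param([int]$Value = (Get-NoDriveTypeAutoRunValue 'Unknown', 'Removable', 'Remote', 'Reserved'))
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
    if (-not (Test-Path $explorer)) { New-Item $explorer -Force | Out-Null }
    New-ItemProperty $explorer -Name HonorAutorunSetting -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty $explorer -Name NoDriveTypeAutoRun -PropertyType DWord -Value $Value -Force | Out-Null
}
Test-AutorunPolicy
```

Run Test-AutorunPolicy before and after applying the hotfix to confirm the two values appeared; Explorer picks up a changed NoDriveTypeAutoRun at the next logon, so log off after Set-AutorunPolicy.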

So, kudos to Microsoft for helping us in our fight against autorun.inf viruses.
