Summary: Autorun is an increasingly used attack vector for malware. Common techniques to turn it off are incomplete. I'll show you how to turn it off, and recommend you do so.
There's been a rash of infections in recent months that can be traced back to infected USB or other removable devices being used to transmit malware from one machine to another. The culprit is autorun. Even if you think you have it turned off, I'm betting you don't have it turned off - not completely anyway.
Autorun (or autoplay, as it's sometimes called or confused with) is a very convenient feature of Windows that, as its name implies, allows things to happen "automatically" when you insert a removable device such as a CD-ROM or USB memory stick, or attach a device like a digital camera.
And yes, absolutely, it's evil, and should be turned off completely as soon as you possibly can do so.
The reason is very, very simple: autorun can be seriously abused by viruses and other forms of malware.
Michael Horowitz, who blogs at ComputerWorld, recently posted a series of articles on how the technology behind autorun can be used to run malicious software on your machine, or perhaps even worse, even fool you into running malicious software on your machine. In short, there's no way to truly trust that autorun won't do something you don't want it to do.
Michael's series of articles goes into a lot more depth than I will here, and if you're at all interested in the details of what turns out to be quite the mess, I strongly encourage you to read the series. If you don't believe that there's an issue here, or if you believe you're safe ... I encourage you to read the articles. You may think differently when you're done.
The solution is to turn autorun off. Completely. And that's what I'll focus on here.
The Problem
I do want to at least touch on the many ways that autorun can impact you. I'm using the term autorun, but both the terms autorun and autoplay actually refer to several different features that can be used for either good - or evil.
Automatic Playing: as the name implies, autorun can be used to automatically launch software, either already on your machine or on the removable media. This is good when it's the CD player software installed on your machine automatically playing the CD you just inserted, and it's bad when it's a virus that installs itself automatically.
Presenting Choices: instead of automatically doing something, Windows can ask. I'm sure you've all seen the list of "what would you like to do" options when you insert a camera or USB device into your PC. Autorun allows that device to control at least some of what those options are. This is good when the options make sense, and bad when the options added are crafted in such a way as to fool you into running malware that's on the device.
Describing The Drive: after you've inserted a removable device it often shows up in Windows Explorer with a descriptive name, with or without the drive letter, like "Fancy Software Installation Media (J:)". That can come from autorun information contained on the device. This is good if it's accurate, and bad if it's misleading and might cause you to think that the media is something other than it is.
Defining Double Click or "Open" actions: after inserting the device, even if you then see nothing automatically come up because you've disabled it in other ways, the autorun information on the device can define what happens if you double-click or "open" the drive. By now you can guess: that's great if what it does is something useful and appropriate, but it's bad if its instructions are to install malware on your machine.
As you can see, any one of the above is dangerous, and all of the above used in combination make autorun a ticking time bomb.
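All four behaviours above are driven by entries in the autorun.inf file on the device. As an added example (not part of the original article), this Python script reads an autorun.inf and groups its entries under those four headings, so you can see what a device is asking Windows to do. The key names (open, shellexecute, action, label, icon, shell) are the standard autorun.inf keys, which the article does not list, and the sample file is constructed.

```python
import re

# Map autorun.inf keys to the four behaviours described in the article.
CATEGORIES = [
    ("automatic playing", re.compile(r"^(open|shellexecute)$")),
    ("presenting choices", re.compile(r"^action$")),
    ("describing the drive", re.compile(r"^(label|icon)$")),
    ("double-click / open actions", re.compile(r"^(shell|shell\\.+)$")),
]

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and ; comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit(text):
    """Group the [autorun] entries by the behaviour they control."""
    report = {name: {} for name, _ in CATEGORIES}
    for key, value in parse_autorun(text).items():
        for name, pattern in CATEGORIES:
            if pattern.match(key):
                report[name][key] = value
    return report

SAMPLE = """\
; constructed sample, not taken from a real device
[AutoRun]
open=setup.exe
action=Install Fancy Software
label=Fancy Software Installation Media
icon=setup.exe,0
shell\\open\\command=setup.exe
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    for behaviour, keys in audit(SAMPLE).items():
        print(f"{behaviour}: {keys or 'not used'}")
```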
The Solution
The good news is that autorun has a single, and obvious, fuse: a file called "autorun.inf" that resides in the root of the removable device. All we need do to defuse this time bomb is to somehow cause that file to be ignored.
Here's the black magic:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
(Those are three lines of text. Everything between "[HKEY_LOCAL_MACHINE ..." and "... Autorun.inf]" is on one line.)
And yes, this is some incredibly black magic that actually makes use of a Windows 95 compatibility trick to fool Windows (XP and Vista both) into completely ignoring the autorun.inf file on any inserted device. Period.
Problem solved.
Copy those three lines exactly to a text file, and save it as "autorunoff.reg" (make certain that the ".reg" part is exactly correct). Double click on the resulting file and the setting will be imported into your registry. You should get a couple of warnings from regedit as you do so. (And yes, for completeness' sake, you should probably back up the registry beforehand, even though this is a very simple addition of a single registry item.)
Alternately, you can download it here: autorunoff.reg. Download (typically right-click and "Save-As") the .reg file and run it, assuming your security software does not interfere.
The Cost
Unfortunately, the solution does come with a bit of a cost.
Let's face it, when not used for evil autorun is kinda handy. That convenience goes away.
In the name of safety...
... programs will not get run automatically when you insert removable media. You'll need to manually open files or run programs appropriate to whatever it is you're doing.
... if choices of what to do are presented, they'll be generic to your system and the software already installed. They will not include any choices that would otherwise be custom to the device being inserted.
... the device will be described by only its disk label, if it has one, or its drive letter.
... double clicking the device will simply open up Windows Explorer on the device contents.
In my opinion, it's a very, very small price to pay. This way you know that you'll not get a virus from any removable devices you - or anyone else - happen to insert into your machine.
Related:
Test your defenses against malicious USB flash drives The first of Michael Horowitz's articles, showing you how to test for the various autorun vulnerabilities.
I found a USB thumbdrive, plugged it in and now my system won't work. What happened? USB Thumbdrives or flash drives are a non-obvious but easy way to spread malware. You should be quite careful when dealing with an unknown device.
How do I *really* disable auto-play in Windows XP? Auto-play can be a convenient feature but if it's not what you want it can be difficult to turn off and keep off. The TweakUI utility can fix that. (Important: Does not address all the vulnerabilities mentioned above.)
What's a Volume Name? A volume name is a descriptive name that you assign to a disk. Some utilities require that you enter it before they'll do something risky or destructive.
Article C3649 - February 13, 2009
I absolutely hate AutoRun / AutoPlay; I've hated it since they first introduced it, it's extremely annoying not to mention a way to lose your OS or data or both:
consider the following:
an evil person puts a legitimate windows / dos program on a CD/DVD or USB device and uses autorun.inf to tell it to totally roast your C:\ drive, no AV or anti-anything will stop it because it's a legitimate part of the OS,
I use two apps to prevent autorun / autoplay
1> tweakUI
2> GPEdit.msc (XP Pro only not available on XP home)
in GPEdit there are two settings:
one in computer configuration and the other in user configuration
expand: "Administrative Templates" in both sections
then click on system,
under system is "Turn off Autoplay"
change it to enabled and in the drop down box select "all drives"
after doing this I have yet to see an autorun.inf run on any of my systems;
Posted by: Richard FDisk at February 18, 2009 10:23 PM
I ran the tweak as advised. And now, whenever I insert the USB drive in my PC, it shows "windows explorer has encountered an error and needs to be closed". Unfortunately, I didn't do a registry backup [lesson learnt the hard way]....I can't access my USB drive as it keeps on getting the message..please help me to restore the old settings...thanks..
Posted by: Vishal Soraisam at February 21, 2009 9:31 PM
I implemented this modification without backing up my registry first. Please tell me how to undo this modification. Thank you.
Posted by: Larry Reznik at February 22, 2009 5:19 PM
Larry
It seems Leo is too busy to reply....
FYI...Larry....
System restore helps....as it worked for me..hence..it's bound to work for you as well....
Cheers...
Vishal
Posted by: Vishal S at February 25, 2009 11:49 PM
Now my wife hates me. How do I reverse autorunoff.reg?
27-Feb-2009
I've read the article and the comments thoroughly.
I am unable to copy and post or download the fix.
it always saves as autorunoff.reg.txt not just autorunoff.reg. There seems to be no save option for .reg. Can any commenter help me.
thanks
rick
27-Feb-2009
FYI...Rick Ebert
Most computers using Windows OS, by default, hide extensions for known file types. Hence, you are unable to save it as .reg.
Go to My Documents > Tools > Folder Options > View > and untick the box of "Hide extension for known file types" & click Apply.
Now, right click on the autorunoff.reg.txt file & delete .txt
That's it...
Hope it helps...
Cheers....
Posted by: Vishal S at February 28, 2009 9:03 PM
black magic did not work for me.
even after following your instructions precisely.
i copied those 3 lines above and pasted on a text document and saved it as autorunoff.reg as told by you.
after that i ran that file and changes in the registry were made (windows confirmed it by a prompt).
but then i inserted my pendrive and autoplay menu was there for me.
i use WINDOWS XP SP2.
So please help me out.
waiting for your reply.
thank you.
Posted by: pulkit at April 13, 2009 11:10 PM
1. Run Naevius USB Antivirus.
2. Click the "Settings" button
3. Clear checkbox, and click "OK" (view screenshot).
Posted by: Steven77 at July 6, 2009 10:20 PM
my autorun kicks on all by itself even with no media in the drives. if i am playing a game or something online it minimizes and autorun will run 5 or 6 times, then i open the game and it will happen again in another minute or two. when i reformat it goes away but always comes back. what should i do.
Posted by: walker 27 at October 10, 2009 6:42 AM