What is Autorun.inf?


Autorun.inf is a small plain-text configuration file that Windows processes when you insert a flash drive or CD/DVD-ROM into the computer. It was originally used to automate CD software installation or presentations. The automation was convenient, but hackers saw the potential to use it to run malicious programs on a victim's computer. The autorun file is always stored in the root of the media. If you browse the media, you will normally see the file autorun.inf; a hacker, however, will hide it. To check whether an autorun.inf file is on your flash drive, you can do the following:

  1. First, open Windows Explorer. Check the drive letter of your media (flash drive, CD-ROM).
  2. Click the Start button -> Run -> type "cmd" (without quotes) and press Enter.
  3. You will see the command-line console. Now type "X:" (without quotes) and press Enter (assuming X is your drive).
  4. Type "dir" (without quotes) and press Enter. This lists all files on the drive. Do you see "autorun.inf"?
  5. If you can't see it, it might be hidden. To check, type "dir /ah" (without quotes) and press Enter.
  6. This time it will show you the hidden files. "/ah" selects files with the hidden attribute.
  7. If autorun.inf exists, you can unhide it by typing the command "attrib -h -r -s autorun.inf" (without quotes) and pressing Enter. This command removes the hidden (-h), read-only (-r), and system (-s) attributes.
  8. The file shows up.

Why do I use "-s" and "-r" in my attrib parameters? You can't delete a system file. A hacker will set the autorun.inf attribute to system. That's the reason we remove the system attribute.

or

Open Windows Explorer, then the Tools menu, then Folder Options. From there, choose View and select Show hidden files and folders.

This will unhide autorun.inf.

This technique reveals the existence of the virus/malware by letting you read the commands in autorun.inf.

Warning: Do not double-click the inf file. It will run or install a program behind your back. Instead, open Notepad (click Start -> Run -> type "notepad", then open autorun.inf from there) or, if your command-line console is running, type "notepad autorun.inf" and press Enter.

This is the basic content of autorun.inf:

[autorun]
open=setup.exe
icon=icon.ico

When the user inserts the media into the computer, Windows opens/runs setup.exe. Icon.ico is the icon of your media.

Now, a hacker will write autorun.inf like this (from a hacker named YaHaa):

[autorun]
shellexecute=wscript.exe autoupdate.dll.vbs

This command executes a VBScript file that contains malicious code.

This is part of the script (autoupdate.dll.vbs):
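
To read an autorun.inf without opening it in Explorer, the following added example (not part of the original post) parses the file's text and lists every entry that would start a program, using the two autorun.inf samples shown above. The function names and the "suspicious" pattern for script hosts and script extensions are assumptions chosen for illustration.

```python
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command entries add drive context-menu commands that also launch programs.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Assumed heuristic: script hosts or script-type extensions in a launch command.
SUSPICIOUS = re.compile(
    r"\b(wscript|cscript|cmd)(\.exe)?\b|\.(vbs|vbe|js|jse|bat|cmd|scr|pif)\b", re.I
)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys are lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_commands(entries):
    """Return [(key, command, suspicious)] for each entry that starts a program."""
    found = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            found.append((key, value, bool(SUSPICIOUS.search(value))))
    return found

# Constructed samples: the two autorun.inf files shown in this post.
BENIGN = "[autorun]\nopen=setup.exe\nicon=icon.ico\n"
WORM = "[autorun]\nshellexecute=wscript.exe autoupdate.dll.vbs\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("worm", WORM)):
        for key, cmd, bad in launch_commands(parse_autorun(sample)):
            flag = " [SUSPICIOUS]" if bad else ""
            print(f"{name}: {key} -> {cmd}{flag}")
```

The functions take the file's text, so read autorun.inf as data (for example with Python's open()) rather than launching it.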

'VB Worm v1 By YaHaa
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe autoupdate.dll.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\autoupdate.dll.vbs")
tf.attributes = 32
.....

How to get rid of the malware: if it is already in the system, you can install a good antivirus like Avira. You can download it from www.free-av.com. Another good anti-spyware program that you can install is Ad-Aware. You can download it from www.lavasoft.com/products/ad_aware_free.php

One program dedicated to guarding your flash drive is called FlashGuard. It is developed by Davis Software and you can download it here: http://www.davisr.com/cgi-bin/content/downloads.htm. This nifty software saves my laptop from malicious programs that use autorun.inf. It removes autorun.inf before it acts.







