How to check and kill Autorun.inf virus, experience in attacking and defending Autorun.inf class viruses.

2021-07-28 18:00

  "RavMonE.exe", "rose.exe", "sxs.exe", "copy.exe", "setup.exe" ... These mysterious ghosts in the root directory of a disk, killers of system security, are known as "USB disk viruses", and countless Windows users worry about them. This article is a summary of my research and of the lessons learned from fighting USB flash drive viruses.

  Windows has had an "AutoRun" feature since Windows 95. When a disk volume is inserted, the shell reads the Autorun.inf file in its root to obtain a custom icon for the volume in Explorer, to modify the context menu of the volume icon and, for certain media, to automatically run the executable named in Autorun.inf. Some Chinese virus authors have built viruses that steal the contents of USB flash drives and use Autorun.inf to copy themselves onto the drive and spread. The well-known fake RavMon (RavMonE.exe), copy+host, sxs, Viking and Panda Burning Incense families all spread this way. Sometimes they are mysterious ghosts in the root directory, sometimes they hide in a recycle bin folder where none should exist; either way they are a serious threat to system security.

  Viruses use Autorun.inf in four general ways:

  1, Automatic run (open=). For most XP SP2 and Vista users, however, AutoRun has become AutoPlay: the program is no longer launched automatically; instead a dialog pops up asking what you want to do (the virus's action is still offered in that dialog).

  2, Modify the context menu (shell= together with shell\verb\command=). The default item is changed to the virus's startup item. But the moment the user right-clicks the icon, the extra item gives it away. A smarter virus renames the default item, but if you see extra gibberish or Chinese in the right-click menu on a non-Chinese system, what would you think?

  3, ShellExecute=.... As soon as any call to ShellExecuteA/W tries to open the root directory of the USB drive, the virus runs. This one targets people who open the drive by pressing Win+R and typing the drive letter.

  4, shell\explore=资源管理器(&X) (the Chinese menu text of Explorer's own "Explore" entry). This is more confusing and is a newly emerged form. Nothing looks wrong in the right-click menu at a glance, but on a non-Chinese system the original form shows through: the sudden appearance of gibberish or Chinese is hard to miss.
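The four techniques above map onto a handful of Autorun.inf directives, so a tolerant parser can tag them. The following is an added example for this article, not a tool from the original post: it reads an autorun.inf, drops embedded NULs and skips junk lines rather than raising (padding of that kind was used to confuse strict INI readers), and maps open=, shell=, shell\verb\command=, shellexecute= and the verb display names onto techniques 1 to 4. The three sample files are constructed for illustration, and the technique tags and the icon= heuristic are this example's own naming.

```python
"""Triage an autorun.inf against the four abuse techniques described above.

Added example for this article, not code from the original post. The
samples at the bottom are constructed and name no real virus beyond the
file names the article itself mentions.
"""
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]*)\]\s*$")
KV_RE = re.compile(r"^\s*([^=;\[\]]+?)\s*=\s*(.*?)\s*$")
ICON_EXTS = {"ico", "exe", "dll", "icl"}   # what a legitimate icon= normally points at


def parse_autorun(text):
    """Return the [autorun] section as (lowercased key, value) pairs, in file order.

    configparser is deliberately not used: embedded NULs, junk lines and
    duplicate keys would make it raise, and an analysis that aborts on
    noise is exactly what the noise is there for. Everything that is not
    'key=value' inside [autorun] is skipped instead.
    """
    pairs = []
    in_autorun = False
    for line in text.replace("\x00", "").lstrip("\ufeff").splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_autorun = m.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or line.lstrip().startswith(";"):
            continue
        m = KV_RE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def triage(text):
    """Map each directive onto the technique it implements.

    Returns (technique, detail) tuples: directive findings in file order,
    then one finding per context-menu verb that carries a command, in the
    order the verbs were first seen.
    """
    findings = []
    verbs = {}          # verb name -> {"label": menu text, "command": program}
    for key, value in parse_autorun(text):
        if key == "open":
            # 1: classic AutoRun; on XP SP2/Vista it becomes the AutoPlay offer.
            findings.append(("1-autorun", f"open={value}"))
        elif key == "shellexecute":
            # 3: fires when anything ShellExecute()s the volume root (Win+R, X:).
            findings.append(("3-shellexecute", f"shellexecute={value}"))
        elif key == "shell":
            # 2: the verb named here becomes the bold default double-click action.
            findings.append(("2-default-verb", f"shell={value}"))
        elif key.startswith("shell\\"):
            parts = key.split("\\")
            entry = verbs.setdefault(parts[1], {})
            if len(parts) == 2:
                entry["label"] = value            # menu text, may be localized
            elif len(parts) == 3 and parts[2] == "command":
                entry["command"] = value
        elif key == "icon":
            # Weak heuristic only: the article notes a renamed .ani still parses.
            target = value.split(",")[0].strip().strip('"')
            ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
            if ext not in ICON_EXTS:
                findings.append(("icon-unusual", f"icon={value}"))
    for verb, entry in verbs.items():
        command = entry.get("command")
        if not command:
            continue
        label = entry.get("label", "")
        if verb in ("open", "explore") or not label.isascii():
            # 4: overrides (or imitates) Explorer's own Open/Explore entries so the
            #    menu looks normal; a non-ASCII label on a non-Chinese system is the tell.
            findings.append(("4-verb-disguise", f"shell\\{verb}={label!r} -> {command}"))
        else:
            findings.append(("2-extra-verb", f"shell\\{verb}={label!r} -> {command}"))
    return findings


def techniques(text):
    """Just the technique tags, for quick checks."""
    return [t for t, _ in triage(text)]


# Constructed samples (not captured from real drives).
FAKE_RAVMON = """[AutoRun]
open=RavMonE.exe e
shell\\open\\Command=RavMonE.exe e
shell\\open\\Default=1
shell\\explore\\Command=RavMonE.exe e
"""

DISGUISED = """[autorun]
;junk line
op\x00en=sxs.exe
shellexecute=sxs.exe
shell\\explore=\u8d44\u6e90\u7ba1\u7406\u5668(&X)
shell\\explore\\command=sxs.exe
shell=explore
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

BENIGN = """[autorun]
icon=setup.exe,0
label=Product CD
"""

if __name__ == "__main__":
    for name, sample in (("fake RavMon", FAKE_RAVMON), ("disguised", DISGUISED), ("benign", BENIGN)):
        print(name, triage(sample) or "clean")
```

Run it against the autorun.inf of a suspect drive: a file that yields no findings is the normal icon/label case, anything tagged 1 to 4 is the pattern described above, and a missing tag is not proof of innocence because the icon= check is only a heuristic.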

  Faced with these dangers, the fourth in particular, Explorer alone can no longer tell you whether a removable disk is infected. So people have built "immunization" tools from their own experience.

  Immunization methods (for removable disks and hard disks)

  1, A directory with the same name

  A directory is a special kind of file under Windows, and two files in the same directory cannot have the same name. So creating a directory named "autorun.inf" in the root of the removable disk prevents viruses that did not anticipate this from creating the autorun.inf file, reducing the probability of successful propagation.

  2, An illegally named directory inside autorun.inf

  Some viruses add fault-tolerance code that tries to delete the autorun.inf directory before generating their own autorun.inf.

  The NT kernel and NTFS allow directory names ending in a dot, such as "filename.", but for compatibility with the DOS/Win9x 8.3 naming rules the Win32 path layer strips trailing dots, so ordinary Win32 directory-query calls cannot enumerate the contents of such a directory and return an error. To delete a directory, however, the whole tree under it must be removed step by step, which requires listing every subdirectory. Therefore creating a special directory of this type inside "autorun.inf", with a command such as "MD x:\autorun.inf\yksoft...\", stops the autorun.inf directory from being deleted easily. Similarly, using the Native API to create a directory with a DOS reserved device name (con, lpt1, prn and so on) achieves the same effect.


  3, NTFS permission control

  Virus writers are hackers too, and they know these Windows quirks that could be called bugs. They can write a program that scans the directory and, on finding a directory name ending in '.', reaches it through a path such as "dirfullname..\", or uses the file-system functions of the Windows NT Native API to delete that directory directly.

  Thus a lower-level approach based on file-system permissions emerges. Format the USB drive or removable hard disk as NTFS, create the Autorun.inf directory and give no user any permission on it; the virus will then be unable not only to delete it but even to list its contents.

  However, this approach is unsuitable for devices such as music players, which usually do not support NTFS.
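The three immunization layers above can be combined in one script. The following is an added example, not the author's tool: it creates the autorun.inf guard directory with a trailing-dot subdirectory reached through the \\?\ extended-length path prefix (the same effect as the MD command above; the name yksoft... is taken from that command), then, on Windows, denies Everyone all access to the guard with icacls, which is assumed to be available (Vista and later; the article's era used cacls) and which fails on a FAT-formatted drive, matching the NTFS caveat above. It refuses to run over an existing autorun.inf file, since that is a live infection to be cleaned first, and reports a volume as clean, immunized or infected. The demo() function exercises it in a scratch directory; on Windows the scratch cleanup may itself be unable to remove the trailing-dot directory, which is the point of the trick.

```python
"""Immunize a volume root against autorun.inf and report its state.

Added example for this article, not the author's tool. Assumes icacls
(Windows Vista and later) for the ACL step; the step is skipped on other
platforms so the directory logic can be exercised anywhere.
"""
import os
import shutil
import subprocess
import sys
import tempfile

INNER = "yksoft..."          # trailing dots: Win32 strips them, so only a \\?\ path reaches it
EVERYONE_SID = "*S-1-1-0"    # icacls takes raw SIDs with a leading '*'


def _native(path):
    """On Windows, the \\?\ extended-length form bypasses Win32 name normalization
    (which would strip the trailing dots); elsewhere the name is ordinary."""
    if sys.platform != "win32":
        return path
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path


def guard_path(root):
    # abspath is applied before INNER is joined on: it would normalize the dots away.
    return os.path.abspath(os.path.join(root, "autorun.inf"))


def status(root):
    """'clean' (no autorun.inf), 'immunized' (directory), or 'infected' (file)."""
    guard = guard_path(root)
    if not os.path.lexists(guard):
        return "clean"
    return "immunized" if os.path.isdir(guard) else "infected"


def immunize(root, lock_acl=True):
    """Create root\\autorun.inf\\yksoft... and, on Windows, deny Everyone access.

    Returns the list of steps performed. Raises FileExistsError if a real
    autorun.inf file is already present: a live infection must be
    disinfected, not papered over.
    """
    guard = guard_path(root)
    if os.path.isfile(guard):
        raise FileExistsError(f"{guard} is a file: disinfect first")
    steps = []
    inner = _native(os.path.join(guard, INNER))
    os.makedirs(inner, exist_ok=True)       # creates the guard directory as well
    steps.append(f"mkdir {inner}")
    if lock_acl and sys.platform == "win32":
        # Last, because after this even the creator cannot list the directory.
        # NTFS only: on FAT there is no DACL to set and icacls reports failure.
        rc = subprocess.run(["icacls", guard, "/deny", f"{EVERYONE_SID}:F"],
                            capture_output=True).returncode
        steps.append(f"icacls deny {guard}: {'ok' if rc == 0 else 'failed (not NTFS?)'}")
    return steps


def demo():
    """Exercise immunize()/status() in a scratch directory; returns what was observed."""
    scratch = tempfile.mkdtemp()
    try:
        fresh = os.path.join(scratch, "fresh")
        os.mkdir(fresh)
        before = status(fresh)
        immunize(fresh, lock_acl=False)
        after = status(fresh)
        inner_exists = os.path.isdir(_native(os.path.join(guard_path(fresh), INNER)))
        dirty = os.path.join(scratch, "dirty")
        os.mkdir(dirty)
        with open(os.path.join(dirty, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=copy.exe\n")     # constructed infected drive
        try:
            immunize(dirty, lock_acl=False)
            refused = False
        except FileExistsError:
            refused = True
        return before, after, inner_exists, status(dirty), refused
    finally:
        # On Windows rmtree cannot reach the trailing-dot directory through a
        # normal path, which is exactly the protection being demonstrated.
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(status(sys.argv[1]), immunize(sys.argv[1]))
    else:
        print(demo())
```

Pass a drive root (for example X:\) to immunize a real volume; with no argument the script only runs the scratch demo. The article's own caveat still applies: an administrator, or a virus running as one, can take ownership of the guard directory and reset the ACL.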

  Each of these three methods is more impressive than the last. But the biggest problem is not how to block the creation of autorun.inf; it is the weakness of the system itself, Explorer. Virus authors will soon come up with a stronger answer. This is my prediction.

  1, Combine with the ANI vulnerability: set the icon in autorun.inf to an ANI exploit file (in my experiments I found that Windows still parses the icon even when the .ani extension is renamed to .ico), so that merely opening "My Computer" on an unpatched system with no antivirus compromises it directly. Such a file could also be planted in the ISO images that circulate online.

  2, Raise the overall programming quality of the virus and combine the anti-immunization methods above. In addition, since most Chinese Windows users habitually log in with high privileges, the virus can automatically take ownership of the no-permission Autorun.inf directory, grant itself read, write and delete permissions, and break through this most solid fortress.

  Faced with something this nasty, there are not many remedies left. But they are in fact the basic answer to every Windows security problem.

  1. Always keep your system and security software up to date. Even for users of pirated copies, Microsoft still delivers the important security updates, and it has never been recorded adding anti-piracy code to an important security update.

  2. The reason Vista includes UAC is to let users enjoy the security of a restricted user with as little inconvenience as possible.

  3. Through IE vulnerabilities, web-page Trojans are planted, account-stealing programs installed, accounts stolen and sold for RMB. In this black industry chain, IE is actually the easiest link to cut. Take care of your system: keep it updated, run antivirus software that can block web-page Trojans, do not use IE to wander around small download sites, pornographic sites and other high-risk sites, and if possible use a browser with a non-IE engine.

  4. Malicious bundled software is increasingly close to viruses and Trojans. Part of the FSD hook self-protection code in such malware can be borrowed by viruses to protect themselves (as in the Sony XCP incident), and some of it is itself a virus or Trojan downloader. So don't let rogue software near your machine.

  The offensive and defensive battle over Autorun.inf continues and will only get more exciting. Internet users' security awareness will grow through this opposition and unity of offense and defense.
