January 17th, 2009

Using PowerShell to Protect Against Conficker (Enabling and Disabling AutoRun.inf)

PowerShell Team
PowerShell Team

On the front page of MSN.com today, there’s details about a new worm, Conficker, that spreads using the good old fashioned autorun.inf tricks.  It infects USB drives so that, when you plug the drive into another computer, it automatically runs and infects the machine.  The article mentioned a post on Nick Brown’s blog that instructs you on various ways to disable autorun.inf files and gives a .REG file for disabling autorun.inf.

Here’s the .REG file:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Recently, I’ve started to like taking small registry hacks and turning them into functions, so here’s a pair of functions that I wrote to automate this registry setting with PowerShell.

function Disable-AutoRun
{
    $item = Get-Item `
        "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" `
        -ErrorAction SilentlyContinue
    if (-not $item) {
        $item = New-Item "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf"
    }
    Set-ItemProperty $item.PSPath "(default)" "@SYS:DoesNotExist"
}

Here’s Nick’s explanation of how it works:

This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don’t use the values from the file. You’ll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it’s as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in – unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.

In case you want to enable autorun again, you can use this function:

function Enable-AutoRun
{
    Remove-Item "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" -Force
}

Hope this Helps,

James Brundage [MSFT]

Category
PowerShell

Author

PowerShell Team
PowerShell Team

PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power-users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes.

0 comments

Discussion are closed.